deming
 asked on

How to disable batch file execution?

I have a Windows Server 2008. How do I disable users ability to execute batch files?
OS Security, Windows Server 2008, Microsoft Forefront ISA Server

Last Comment
xylog

8/22/2022 - Mon
johnb6767

Change the file association for .bat/.cmd to notepad....

Add it to a Machine Startup Script....
rem Point the open/runas/runasuser verbs for .bat and .cmd files at Notepad.
rem Inside a batch script the placeholder must be written %%1; a single %1 would be
rem expanded to the script's own (empty) first argument. Typed directly at a prompt, use %1.
reg add "HKEY_CLASSES_ROOT\batfile\shell\open\command" /ve /d "c:\windows\system32\notepad.exe %%1" /f
reg add "HKEY_CLASSES_ROOT\batfile\shell\runas\command" /ve /d "c:\windows\system32\notepad.exe %%1" /f
reg add "HKEY_CLASSES_ROOT\batfile\shell\runasuser\command" /ve /d "c:\windows\system32\notepad.exe %%1" /f

reg add "HKEY_CLASSES_ROOT\cmdfile\shell\open\command" /ve /d "c:\windows\system32\notepad.exe %%1" /f
reg add "HKEY_CLASSES_ROOT\cmdfile\shell\runas\command" /ve /d "c:\windows\system32\notepad.exe %%1" /f
reg add "HKEY_CLASSES_ROOT\cmdfile\shell\runasuser\command" /ve /d "c:\windows\system32\notepad.exe %%1" /f


Lee W, MVP

Did you test that on the command line?

Because on the command line, I would expect you'll need to alter your system-wide environment variables so that PATHEXT no longer lists .BAT or .CMD.
deming

ASKER
Is there a Group Policy I could change to prevent batch/command files?
Lee W, MVP

Out of curiosity... WHY are you doing this? It doesn't make much sense to me. Batch files are important network administration tools and can make things easier for users... Perhaps there's a better way of accomplishing your end goal, if you can define what, exactly, the end goal of disabling batch scripts is.

(And I know of no group policy to disable batch files... never looked into it... )
deming

ASKER
My server has a security app running which I do not want shut down. Users are downloading batch files via FTP to the server and then executing these batch files which then are trying to kill my security app.

So I am trying to shut down FTP access (in another question) and shut down the ability to execute batch files.  
Lee W, MVP

A batch file is just commands... In my opinion, you are focusing on the wrong thing.

Who are these users?  Why are your own users attacking you?  Or do you mean hackers are hacking your system?

Your USERS should not have the right to terminate the process or stop the service. Then the batch file becomes irrelevant. Why do you give your users admin rights? Take those away and the batch file won't matter.
johnb6767

I tested launching a .bat file, and it opened in notepad......

I do agree with leew though, it is not the right way to prevent what you are trying to do..... Does answer the actual question though...

:)
deming

ASKER
I am looking at worst case and thinking ahead. They are my users (standard rights) but they may have bad intentions at some point. One user pointed out that he could download batch files via FTP and execute them and thought I should close that hole.

So I am working on disabling FTP access. But I also wanted to prevent execution of batch files in case someone gets one onto the computer.

johnb6767

And leew, you were correct, the cmd line still ran the batch files......

Standard users shouldn't be able to close processes running on a server though.....
arnold

Limit the users on the server (limited/restricted user) and maintain the system with the most current updates.

You can, as others mentioned, define a rule for IE not to download items that match a certain pattern, i.e. no vbs, bat, exe, etc. If you have a firewall/proxy, you can define the rule on those. There would be a load impact for URL rejection on the firewall/router.
Bassam Almasri

- Using Group Policy, disable *.bat [Enable GPO > User configuration > Administrative Templates > System > Don't run specified Windows applications > *.bat]

OR
- GPO > User configuration > Administrative Templates > System > Prevent access to the command prompt
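
An added example, not posted by anyone in this thread: a read-only PowerShell audit that reports the current state of the settings discussed above (the .bat/.cmd file association, PATHEXT, and the two Group Policy settings). The registry locations used for the two policies are the standard per-user locations those settings write to, and the helper names Get-RegValue and New-Finding are hypothetical.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name }
}

function New-Finding([string]$Control, $Value, [string]$Note) {
    New-Object PSObject -Property @{ Control = $Control; Value = $Value; Note = $Note }
}

$findings = @()

# 1. Shell "open" verb for .bat/.cmd (what the reg add commands in the thread rewrite).
foreach ($class in 'batfile', 'cmdfile') {
    $cmd = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command" '(default)'
    $findings += New-Finding "$class open verb" $cmd 'Shell launch only; the command line still ran batch files in the thread test'
}

# 2. Machine-wide PATHEXT (the variable Lee W points at).
$pathext = [Environment]::GetEnvironmentVariable('PATHEXT', 'Machine')
$findings += New-Finding 'PATHEXT (machine)' $pathext 'Extensions cmd.exe tries when none is typed'

# 3. "Prevent access to the command prompt" (per-user policy value).
$disableCmd = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
$note = switch ($disableCmd) {
    1 { 'cmd.exe blocked, batch script processing blocked too' }
    2 { 'cmd.exe blocked, batch script processing still allowed' }
    default { 'Not enforced for this user' }
}
$findings += New-Finding 'DisableCMD' $disableCmd $note

# 4. "Don't run specified Windows applications" (per-user flag plus list subkey).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$enabled = Get-RegValue $explorer 'DisallowRun'
$listKey = Get-Item "$explorer\DisallowRun" -ErrorAction SilentlyContinue
$blocked = if ($listKey) { $listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) } } else { @() }
$findings += New-Finding 'DisallowRun' ($blocked -join ', ') "Enabled flag = $enabled"

$findings | Format-Table Control, Value, Note -AutoSize -Wrap
```

Run it in the session of the user whose restrictions you want to check, since items 3 and 4 are read from that user's HKCU hive.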
ASKER CERTIFIED SOLUTION
xylog
