Applications - Run Only Specified Programs in Windows

How to Allow Users to Run Only Specified Programs in Windows

   Information
This tutorial will show you how to allow all or specific users on the computer to be able to run only a list of allowed programs you specify in Vista, Windows 7, or Windows 8.

You must be logged in as an administrator to be able to do the steps in this tutorial.

   Warning
This will not prevent users from running a program through the command prompt unless you leave cmd.exe off the list of allowed applications, or add cmd.exe to the list of disallowed applications.

Even if you have an .exe file of a program in the list of allowed applications and also in the list of disallowed applications, then users will not be able to run the .exe. Anything disallowed will always override anything allowed.

If an .exe file in the list of allowed programs is renamed by a user (where renaming is allowed), the user will no longer be able to run that exe, since the new name is not in the list of allowed programs.

Renaming an .exe file will bypass the list of disallowed programs and let it run anyway, but not the list of allowed programs: if the .exe file name is not on the list of allowed programs, it can't run.

This does not apply to "Metro" Store apps in Windows 8.


EXAMPLE: Message
NOTE: This is the message that all users will get when they try to run an EXE file not on the list of allowed programs that you specified.


Message.jpg




OPTION ONE

Through the Local Group Policy Editor

1. Open the all users, specific users or groups, or all users except administrators Local Group Policy Editor for how you want this policy applied.

2. In the left pane, click/tap on to expand User Configuration, Administrative Templates, and System. (see screenshot below)
GPEDIT-1.jpg

3. In the right pane of System, double click/tap on Run only specified Windows applications to edit it. (see screenshot above)

4. To Allow All Applications to Run
A) Select (dot) either Not Configured or Disabled, and go to step 6 below. (see screenshot below)
NOTE: Not configured is the default setting.
GPEDIT-2.jpg

5. To Allow Only Specified Applications to Run
A) Select (dot) Enabled, then click/tap on the Show button under Options. (see screenshot above)

B) Under Value, double click/tap in a blank line and type in the name of the EXE file (ex: cmd.exe), with its file extension, that you want to allow to run. (see screenshots below)



   Tip

  • To change or remove a listed exe file name, you can just type over it.
  • To clear or reset the list of allowed applications, you can select Not Configured (step 4), click/tap on Apply, select Enabled again, and click/tap on Apply.

GPEDIT-3.jpg

C) Repeat step 5B until you have added any other EXE files (ex: CCleaner) you want on the list of allowed applications as well. When finished, click/tap on OK. (see screenshots above)

D) Go to step 6 below.

6. Click/tap on OK. (see screenshot below step 4A)

7. If used, you may also wish to make changes to your list of disallowed programs to run.

8. When finished, you can close the Local Group Policy Editor window if you like.





OPTION TWO

Manually in Registry Editor


NOTE: This option affects all users on the computer.

1. Press the Windows + R keys to open the Run dialog, type regedit, and click/tap on OK.

2. If prompted by UAC, click/tap on Yes (Windows 7/8) or Continue (Vista).

3. In regedit, navigate to the location below. (see screenshot below)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Reg1.jpg

4. To Allow Only Specified Applications to Run for Only Current User
A) In the right pane of Explorer, right click or press and hold on an empty space, and click/tap on New and DWORD (32-bit) Value. (see screenshot below)
Enable-1.jpg

B) Type in RestrictRun and press Enter. Double click/tap on RestrictRun to modify it. (see screenshot below)
enable-2.jpg

C) Type in 1 and click/tap on OK. (see screenshot below)
enable-3.jpg

D) In the left pane, right click on Explorer, click/tap on New and Key, type in RestrictRun, and press Enter. (see screenshot below)
Enable-4.jpg

E) In the right pane of RestrictRun, right click or press and hold on an empty space, and click/tap on New and String Value. (see screenshot below)
Enable-5.jpg

F) Type in the name of the .exe file (ex: mspaint.exe) with extension that you want to be added to the list of allowed applications, and press Enter. Double click/tap on this .exe file (ex: mspaint.exe) name to modify it. (see screenshot below)
enable-6.jpg

G) Type in the name of the same .exe file (ex: mspaint.exe) again, and click/tap on OK. (see screenshot below)
enable-7.jpg

   Tip

  • To change a listed EXE file name, double click/tap on the EXE to modify it (step 4F), type the new EXE name, and click/tap on OK.
  • To remove a listed EXE file name, right click or press and hold on the EXE, then click/tap on Delete and Yes.


H) Repeat steps 4F and 4G until you have added any other .exe files (ex: notepad.exe) you want on the list of allowed applications as well. (see screenshot below step 4F)

I) When finished, go to step 6 below.

5. To Allow All Applications to Run for Only Current User
NOTE: This is the default setting.
A) In the right pane of Explorer, right click or press and hold on RestrictRun, and click/tap on Delete. (see screenshot below)
disable-1.jpg

B) Click/tap on Yes to approve. (see screenshot below)
Disable-2.jpg

C) In the left pane, right click on RestrictRun, and click/tap on Delete. (see screenshot below)
disable-3.jpg

D) Click/tap on Yes to approve, go to step 6 below. (see screenshot below)
Disable-4.jpg

6. If used, you may also wish to make changes to your list of disallowed programs to run.

7. Close regedit.

8. Log off and log on, or restart the computer to apply.
That's it,
Shawn
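The OPTION TWO registry steps and the rules in the Warning section (name-based matching, disallow overriding allow, cmd.exe), as an added PowerShell example that is not part of Shawn's tutorial. It writes the same RestrictRun DWORD and RestrictRun subkey by script, removes them again, and reports the allowed list against the disallowed list. The function names are my own; the registry path is the one the tutorial uses, and the DisallowRun key is assumed to be where the companion "disallowed programs" policy keeps its list (this page does not name that key).

```powershell
# Added example, not from the tutorial. Run from an elevated PowerShell prompt:
# the Policies key is only writable by an administrator (see the thread below).
# Changes take effect after the user logs off and on again.

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RestrictRunKey = Join-Path $ExplorerPolicy 'RestrictRun'
# Assumption: the "disallowed programs" list lives in a DisallowRun subkey of the same layout.
$DisallowRunKey = Join-Path $ExplorerPolicy 'DisallowRun'

function Enable-RestrictRun {
    # Steps 4A-4H of OPTION TWO: RestrictRun = 1 plus one string value per allowed .exe.
    param([Parameter(Mandatory)][string[]]$AllowedExe)

    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy | Out-Null }
    New-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun' -PropertyType DWord -Value 1 -Force | Out-Null

    if (-not (Test-Path $RestrictRunKey)) { New-Item -Path $RestrictRunKey | Out-Null }
    foreach ($exe in $AllowedExe) {
        # The list is matched by file name only, so every entry must be a bare name with its extension.
        if ($exe -notmatch '^[^\\/]+\.exe$') { throw "Entry must be a file name ending in .exe: $exe" }
        # As in the tutorial (steps 4F/4G), the value name and its data are both the file name.
        New-ItemProperty -Path $RestrictRunKey -Name $exe -PropertyType String -Value $exe -Force | Out-Null
    }
}

function Disable-RestrictRun {
    # Step 5 of OPTION TWO: delete the DWORD and the subkey; their absence is the default (allow all).
    Remove-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun' -ErrorAction SilentlyContinue
    Remove-Item -Path $RestrictRunKey -Recurse -ErrorAction SilentlyContinue
}

function Get-PolicyList {
    # Return the data of every value under a list key (the PS* members are provider metadata, not values).
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @() }
    $props = Get-ItemProperty -Path $Key
    if ($null -eq $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [string]$_.Value }
}

function Get-RestrictRunReport {
    # Audit view of what the policy will do, following the Warning section of the tutorial.
    $allowed    = @(Get-PolicyList $RestrictRunKey)
    $disallowed = @(Get-PolicyList $DisallowRunKey)
    $dword      = Get-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Enabled       = ($null -ne $dword -and $dword.RestrictRun -eq 1)
        Allowed       = $allowed
        # Anything on both lists is still blocked: disallowed always overrides allowed.
        BlockedAnyway = @($allowed | Where-Object { $disallowed -contains $_ })
        # With cmd.exe allowed, users can launch other programs from a command prompt.
        CmdAllowed    = [bool]($allowed -contains 'cmd.exe')
    }
}

# Usage (as administrator):
#   Enable-RestrictRun -AllowedExe 'mspaint.exe','notepad.exe'
#   Get-RestrictRunReport
#   Disable-RestrictRun
```

`-contains` compares strings case-insensitively, which matches how Windows treats file names. The report does not try to tell a renamed or removable-media copy of notepad.exe apart from the real one: as the thread below explains, the policy only compares the file name, so the report can only show you what names are allowed, not where they run from.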




 
Nice Brink! A few questions:

1. Is Local Group Policy available to all versions of Windows 7 (e.g. Starter, Home, Home Premium etc.)?
2. Can the message text in the restriction pop-up be customised?
 

Is this name based... so if something is named mspaint.exe it works? So renaming something to mspaint.exe will fool this protection?

Is registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer doing the same but only if no user specific entry has been defined?

Does it also prevent execution of a program if started from "command prompt"?
 

Nice Brink! A few questions:

1. Is Local Group Policy available to all versions of Windows 7 (e.g. Starter, Home, Home Premium etc.)?
2. Can the message text in the restriction pop-up be customised?

Hello Golden,

Q1) Correct, Group Policy (OPTION ONE) is not available in those editions, but those editions can use OPTION TWO with the registry instead.

Q2) Probably, but I haven't tried to yet. ;)
 

Is this name based... so if something is named mspaint.exe it works? So renaming something to mspaint.exe will fool this protection?

Is registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer doing the same but only if no user specific entry has been defined?

Does it also prevent execution of a program if started from "command prompt"?

Hello Ron,

Correct, it's file name specific. Renaming the .exe file would bypass the list of disallowed programs, but not the list of allowed programs from this tutorial.

If the .exe's file name is not on the list of allowed programs, then it can't run. Of course, you have to make sure you have every .exe file you want to be allowed to run listed though.


The registry location should be under HKEY_CURRENT_USER and not HKEY_LOCAL_MACHINE though. Since this is in the Policies key, only an administrator can modify it. This location will apply to all users on the computer.

If cmd.exe was "not added" to the list of allowed programs and/or added to the list of disallowed programs, then users will not be able to run anything from within a command prompt in Windows since cmd.exe is not allowed to be opened.
 

Thanks Brink. Nothing gets past you, eh? :cool:
 

LOL, you're most welcome Golden. I'm sure a few things may have slipped by. :p
 

The registry location should be under HKEY_CURRENT_USER and not HKEY_LOCAL_MACHINE though. Since this is in the Policies key, only an administrator can modify it. This location will apply to all users on the computer.
that's exactly the info I needed! So it's a registry key under HKCU but NOT changeable by user.

But what if a user renames unallowedprogam.exe to allowedprogam.exe? (assuming renaming is allowed). Or, for example, plugs in a USB disk with allowedprogam.exe on it?
 

that's exactly the info I needed! So it's a registry key under HKCU but NOT changeable by user.
Correct, the Policy key under HKCU cannot be changed by a user. Only by an admin.

But what if a user renames unallowedprogam.exe to allowedprogam.exe? (assuming renaming is allowed). Or, for example, plugs in a USB disk with allowedprogam.exe on it?
If unallowedprogam.exe is in the list of allowed programs and was renamed (if allowed) to allowedprogam.exe, then the user will no longer be able to run that exe since it's no longer an .exe in the list of allowed programs.


 

So purely name based. If notepad.exe is allowed:
I put some nasty stuff on a USB stick and call the exe notepad.exe. Then I run notepad.exe from the USB stick, which runs some nasty stuff. Fake security in my opinion. Correct me if I'm wrong.
 

So purely name based. If notepad.exe is allowed:
I put some nasty stuff on a USB stick and call the exe notepad.exe. Then I run notepad.exe from the USB stick, which runs some nasty stuff. Fake security in my opinion. Correct me if I'm wrong.

Correct. If you add notepad.exe to the list of allowed programs, then anything named notepad.exe would be allowed to be run by the user(s) unless also on the list of disallowed programs.

If the .exe is in a Program Files or Windows type system folder, then a standard user will not be able to rename the .exe anyways.

This is not for malware protection though. It's only to help allow or prevent users from being able to run programs (.exe files) that you the administrator specify.
 

How to EDIT list of allowed programs policy

hi guys,

I'm using gpedit.msc to whitelist, but after that I cannot edit the whitelist. How can I edit it?
thanks.
 

Hello Kanoy,

You would be able to edit them by clicking on the Show button, then doing what's in the yellow tip box under step 5 in OPTION ONE to either type over or delete a listed program.

Hope this helps, :)
Shawn
 

Hello Kanoy,

You would be able to edit them by clicking on the Show button, then doing what's in the yellow tip box under step 5 in OPTION ONE to either type over or delete a listed program.

Hope this helps, :)
Shawn

Hi Shawn,

How can I disable/edit this option? Now I can't access Group Policy Editor or RegEdit ... :confused:
I should add that I have Admin rights on my laptop.

Thanks.
 

I found the answer here or here.

I think it might be Shawn's solution from here, but I haven't tried it.
 
