Solved Disable a specific program for the command line? No external programs

[giacomodebello]

On a website I read

Doskey is not a foolproof method for disabling commands, it is easily bypassed by running the full command path/ extension or creating a different macro

but I made a few tests and if I use this command set

[SIZE=2]DOSKEY format=ECHO Disabled 1
DOSKEY \Windows\System32\format.com=ECHO Disabled 2
DOSKEY C:\Windows\System32\format.com=ECHO Disabled 3
DOSKEY format.com=ECHO Disabled 4
DOSKEY doskey=ECHO Disabled 5[/SIZE]

then I can address those cases. I mean, DOSKEY can be used to disable a command and it cannot be bypassed by running the full command path, adding the extension or creating a different macro. I started to ask myself if that set can be expanded. On the same website I read

To run a command as soon as the command prompt is opened, this can be useful for loading DOSKEY macros

This will make that permanent, but then I read

A CMD.exe session started with CMD /D will not run any of the above AutoRun commands

ALT+F10 Clear macro definitions

It starts to be a bit tricky.
If we want to follow that path and close all the holes one by one, how to disable, in example, the Alt key to prevent "the escape"?
In general, how to disable a specific Windows program for the command line interpreter by using Windows features only? In particular, for a specific user and not messing up the operating system itself, so no file deletion or renaming.

 

[Alejandro85]

First of all, it's important to note that using doskey in this way provides exactly ZERO security or prevention of execution of certain commands. That's not what doskey is meant to do and any minimally knowledgable user will find the workaround in seconds, no matter what you do.
Useful trick to play a joke, to prevent yourself from doing something undesirable easily or maybe to guard against a pre-teenager from using the computer in such ways, but for anything remotely close to serious, you need a proper way to disable commands.

As an example, your doskey "disabling" can be trivially bypassed by running the command in powershell, by just double clicking format.exe on Windows Explorer, entering the command in the run dialog, using the context menu on drives from Windows Explorer, among other ways. And that's just using Windows built-in methods.

What's the right way to do such things? Permissions and user accounts.
For example, "format" requires administrator privileges, so any standard user wanting to run it will be meet with an "access denied", needing an elevated console to run, and you need an admin user/password to elevate. By using a standard account you tighly close that loophole, and only login as the admin when you really want to format anything.
For other programs that normally don't require admin access, you can deny read access to the binaries to the appropriate users, while letting others run it.
This way the Windows kernel itself enforces the access to such programs, no matter how you try to run them.

 

[giacomodebello]

you can deny read access to the binaries to the appropriate users, while letting others run it

Yes, maybe that's the easiest way to do it, thanks. A bit unflexible, I'd say.

What I want to do is to understand, experiment and find new or odd ways to do things.

- - - Updated - - -

I'll mark this as solved, and the suggested solution by Alejandro85, removing file permissions, is the solution to the "how to disable a specific Windows program for the command line interpreter by using Windows features only?" question. In reality, it's not limited to the command line interpreter.
Just to say, removing the F10 is possible by adding the appropriate binary value "Scancode Map" to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout", but this is not per user, and the examples he made about how to bypass the DOSKEY commands can be addressed by removing the access to Explorer and disable the Windows key in the Group Policy Editor and similar, check tutorials. This is not "for a specific user and not messing up the operating system itself" as I asked.