Applications - Run Only Specified Programs in Windows

Page 1 of 2 12 LastLast
    Applications - Run Only Specified Programs in Windows

    Applications - Run Only Specified Programs in Windows

    How to Allow Users to Run Only Specified Programs in Windows
    Published by
    Designer Media Ltd


    How to Allow Users to Run Only Specified Programs in Windows

       Information
    This tutorial will show you how to allow all or specific users on the computer to be able to run only a list of allowed programs you specify in Vista, Windows 7, or Windows 8.

    You must be logged in as an administrator to be able to do the steps in this tutorial.

       Warning
    This will not prevent users from being able to run a program through the command prompt unless you do not add cmd.exe to the list of allowed applications, or add cmd.exe to the list of disallowed applications.

    Even if you have an .exe file of a program in the list of allowed applications and also in the list of disallowed applications, then users will not be able to run the .exe. Anything disallowed will always override anything allowed.

    If an .exe file in the list of allowed programs was renamed by a user (if allowed), then the user will no longer be able to run that exe since that name wasn't in the list of allowed programs.

    Renaming an .exe file will bypass the list of disallowed programs to let it run anyways, but not with the list of allowed programs. If the .exe file name is not on the list of allowed programs, then it can't run.

    This does not apply to "Metro" Store apps in Windows 8.


    EXAMPLE: Message
    NOTE: This is a message that all users will get when they try to run a EXE file not on the list of allowed programs that you specified.


    Applications - Run Only Specified Programs in Windows-message.jpg




    OPTION ONE

    Through the Local Group Policy Editor

    1. Open the all users, specific users or groups, or all users except administrators Local Group Policy Editor for how you want this policy applied.

    2. In the left pane, click/tap on to expand User Configuration, Administrative Templates, and System. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-gpedit-1.jpg

    3. In the right pane of System, double click/tap on Run only specified Windows applications to edit it. (see screenshot above)

    4. To Allow All Applications to Run
    A) Select (dot) either Not Configured or Disabled, and go to step 6 below. (see screenshot below)
    NOTE: Not configured is the default setting.
    Applications - Run Only Specified Programs in Windows-gpedit-2.jpg
    5. To Allow Only Specified Applications to Run
    A) Select (dot) Enabled, then click/tap on the Show button under Options. (see screenshot above)

    B) Under Value, double click/tap in a blank line and type in the name of the EXE file (ex: cmd.exe) with file extension that you want to prevent from running. (see screenshots below)



       Tip

    • To change or remove a listed exe file name, you can just type over it.
    • To clear or reset the list of allowed applications, you can select Not Configured (step 4), click/tap on Apply, select Enabled again, and click/tap on Apply.

    Applications - Run Only Specified Programs in Windows-gpedit-3.jpg

    C) Repeat step 5B until you have added any other EXE files (ex: CCleaner) you want on the list of allowed applications as well. When finished, click/tap on OK. (see screenshots above)

    D) Go to step 6 below.
    6. Click/tap on OK. (see screenshot below step 4A)

    7. If used, you may also wish to make changes to your list of disallowed programs to run.

    8. When finished, you can close the Local Group Policy Editor window if you like.




    OPTION TWO

    Manually in Registry Editor


    NOTE: This option affects all users on the computer.
    1. Press the Windows + R keys to open the Run dialog, type regedit, and click/tap on OK.

    2. If prompted by UAC, click/tap on Yes (Windows 7/8) or Continue (Vista).

    3. In regedit, navigate to the location below. (see screenshot below)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Applications - Run Only Specified Programs in Windows-reg1.jpg

    4. To Allow Only Specified Applications to Run for Only Current User
    A) In the right pane of Explorer, right click or press and hold on a empty space, and click/tap on New and DWORD (32-bit) Value. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-enable-1.jpg

    B) Type in RestrictRun and press Enter. Double click/tap on RestrictRun to modify it. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-enable-2.jpg

    C) Type in 1 and click/tap on OK. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-enable-3.jpg

    D) In the left pane, right click on Explorer, click/tap on New and Key, type in RestrictRun, and press Enter. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-enable-4.jpg

    E) In the right pane of RestrictRun, right click or press and hold on a empty space, and click/tap on New and String Value. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-enable-5.jpg

    F) Type in the name of the .exe file (ex: mspaint.exe) with extension that you want to be added to the list of allowed applications, and press Enter. Double click/tap on this .exe file (ex: mspaint.exe) name to modify it. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-enable-6.jpg

    G) Type in the name of the same .exe file (ex: mspaint.exe) again, and click/tap on OK. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-enable-7.jpg

       Tip

    • To change a listed EXE file name, double click/tap on the EXE to modify it (step 4F), type the new EXE name, and click/tap on OK.
    • To remove a listed EXE file name, right click or press and hold on the EXE, then click/tap on Delete and Yes.



    H) Repeat steps 4F and 4G until you have added any other .exe files (ex: notepad.exe) you want on the list of allowed applications as well. (see screenshot below step 4F)

    I) When finished, go to step 6 below.
    5. To Allow All Applications to Run for Only Current User
    NOTE: This is the default setting.
    A) In the right pane of Explorer, right click or press and hold on RestrictRun, and click/tap on Delete. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-disable-1.jpg

    B) Click/tap on Yes to approve. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-disable-2.jpg

    C) In the left pane, right click on RestrictRun, and click/tap on Delete. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-disable-3.jpg

    D) Click/tap on Yes to approve, go to step 6 below. (see screenshot below)
    Applications - Run Only Specified Programs in Windows-disable-4.jpg

    6. If used, you may also wish to make changes to your list of disallowed programs to run.

    7. Close regedit.

    8. Log off and log on, or restart the computer to apply.
    That's it,
    Shawn







  1. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #1

    Nice Brink! A few questions:

    1. Is Local Group Policy available to all versions of Windows 7 (e.g. Starter, Home, Home Premium etc.)?
    2. Can the message text in the restriction pop-up be customised?
      My Computer


  2. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #2

    Is this name based... so if something is named mspaint.exe it works? So renamning something to mspaint.exe will fool this protection?

    Is registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer doing the same but only if no user specific entry has been defined?

    Does it also prevent excution of progam if started from "command prompt"?
      My Computer


  3. Posts : 72,016
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #3

    Golden said:
    Nice Brink! A few questions:

    1. Is Local Group Policy available to all versions of Windows 7 (e.g. Starter, Home, Home Premium etc.)?
    2. Can the message text in the restriction pop-up be customised?
    Hello Golden,

    Q1) Correct, Group Policy (OPTION ONE) is not available in those editions, but those editions can use OPTION TWO with the registry instead.

    Q2) Probably, but I haven't tried to yet.
      My Computer


  4. Posts : 72,016
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #4

    Kaktussoft said:
    Is this name based... so if something is named mspaint.exe it works? So renamning something to mspaint.exe will fool this protection?

    Is registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer doing the same but only if no user specific entry has been defined?

    Does it also prevent excution of progam if started from "command prompt"?
    Hello Ron,

    Correct, it's file name specific. Renaming the .exe file would bypass the list of disallowed programs, but not the list of allowed programs from this tutorial.

    If the .exe's file name is not on the list of allowed programs, then it can't run. Of course, you have to make sure you have every .exe file you want to be allowed to run listed though.


    The registry location should be under HKEY_CURRENT_USER and not HKEY_LOCAL_MACHINE though. Since this is in the Policies key, only an administrator can modify it. This location will apply to all users on the computer.

    If cmd.exe was "not added" to the list of allowed programs and/or added to the list of disallowed programs, then users will not be able to run anything from within a command prompt in Windows since cmd.exe is not allowed to be opened.
      My Computer


  5. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #5

    Thanks Brink. Nothing get past you eh?
      My Computer


  6. Posts : 72,016
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #6

    LOL, your most welcome Golden. I'm sure a few things may have slipped by.
      My Computer


  7. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #7

    The registry location should be under HKEY_CURRENT_USER and not HKEY_LOCAL_MACHINE though. Since this is in the Policies key, only an administrator can modify it. This location will apply to all users on the computer.
    that's exactly the info I needed! So it's a registry key under HKCU but NOT changeable by user.

    But what if a user renames unallowedprogam.exe to allowedprogam.exe? (assuming renaming is allowed). Or for example plug in an usb disk with allowedprogam.exe on it?
      My Computer


  8. Posts : 72,016
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #8

    Kaktussoft said:
    that's exactly the info I needed! So it's a registry key under HKCU but NOT changeable by user.
    Correct, the Policy key under HKCU cannot be changed by a user. Only by and admin.
    But what if a user renames unallowedprogam.exe to allowedprogam.exe? (assuming renaming is allowed). Or for example plug in an usb disk with allowedprogam.exe on it?
    If unallowedprogam.exe is in the list of allowed programs and was renamed (if allowed) to allowedprogam.exe, then the user will no longer be able to run that exe since it's no longer an .exe in the list of allowed programs.

      My Computer


  9. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #9

    So purely name based. If notepad.exe is allowed:
    I put some nasty stuff on usb stick and call the exe notepad.exe. Then run notepad.exe from usb stick which runs some nasty stuff. Fake security in my opinion. Correct me if I'm wrong
      My Computer


 
Page 1 of 2 12 LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 07:16.
Find Us