Tag Archives: DisallowRun Windows block application all users exe Win32 Win64 .reg registry Policies\Explorer

Blocking an application for all users on a machine

Requirement
Administrators and Developers may often want to block a single application for all users on a machine. The method listed below is probably one of the simplest (IMHO) available online.

Problem
The standard technique involving the use of adding a key named DisallowRun to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not work. The DisallowRun trick (as most users have discovered) only works for a single user. Others (including myself) have tried prodding around with the .DEFAULT entry to no avail…

Solution
The solution lies within an alternate set of registry keys which are modifiable through the Local Security Policy tool (secpo.msc). I’ve done the dirty work and listed the actual registry modifications below. Simply copy the content between the BEGIN and END markers into a .reg file of your choice and then run it as an Administrator. Alternately, use your favourite programming language to access, create and write the keys below.

— BEGIN —
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{F0F4E578-34CA-4B81-B36C-6D01C6DCD3B1}Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{F0F4E578-34CA-4B81-B36C-6D01C6DCD3B1}Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{F0F4E578-34CA-4B81-B36C-6D01C6DCD3B1}Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{a798b6fd-44d7-4246-a5f3-38003abaecce}]
“Description”=””
“SaferFlags”=dword:00000000
“ItemData”=”C:\\Test\\YourApp.exe”
“LastModified”=hex(b):ee,96,5f,c4,37,ac,cb,01
— END —

Notes

  • The actual application that needs to be blocked is within the ItemData key.
  • The identifier a798b6fd-44d7-4246-a5f3-38003abaecce is a GUID. You should generate one yourself though I suspect that you should be able to use the one within this example without too much of a problem.
  • As usual, this solution comes with no warranties! Use it at your own risk!
  • Yes, I know that there are ways to circumvent this! We’re targeting “casual” users! :)