Prevent Access to the Command Prompt in Windows
Keep it out of the hands of newbies
The Windows Command Prompt is a robust solution for administrators to quickly and easily keep a system up and running smoothly. It’s rare that the average user has a use for the Command Prompt.
Rather than invite temptation, many administrators prevent access to the Command Prompt to discourage users from troubleshooting computer errors and poking around where they can compromise the integrity of a system.
The Windows Command Prompt
The Windows Command Prompt (sometimes called the DOS prompt) is a tool that allows administrators to create batch functions, troubleshoot computer errors, and invoke system-wide commands to make administration easier and more efficient. The average user has little use for this tool.
The Web is filled with advice on how to fix errors on a Windows-based PC. Some users take it upon themselves to troubleshoot and fix their own errors rather than waiting for a professional.
Some administrators make it easy on themselves and prevent user access to the Command Prompt instead of disallowing certain functions on a function-by-function basis. Preventing access to the Command Prompt is a quick way to ensure that users don’t go poking around in areas they shouldn’t be poking around in.
Disable Windows Command Prompt via Group Policy
Note: The method described below works on Windows Vista, Windows 7, and Windows 8/10, but not on the Home or Starter editions, since they do not include support for Group Policy editing. For those editions, use the registry method described below.
Log in to Windows using an account that has administrative privileges. Click on Start > Run to open the Run dialogue box. If you don’t see the Run command on your Start menu, hold down the Windows key on your keyboard and press the R key. In the Run box, type in gpedit.msc and click the OK button.
In the Local Group Policy Editor window’s left pane, open the folder located at User Configuration > Administrative Templates > System. Make sure to click on the System folder rather than expanding it.
In the right-hand pane, locate and double-click on an entry labeled Prevent Access to the Command Prompt.
You should now be looking at the Prevent Access to the Command Prompt window. As on most installations of Windows, this setting should be set to the Not Configured option. Click on the Enabled option and click the OK button.
Close all other open windows and you are done. You do not have to restart your computer for the setting to take effect. All users of the PC are now denied access to the Command Prompt.
Disable Access to Command Prompt via Registry
If you don’t have access to Group Policy settings, you can manually go into the registry and disable the command prompt. Before doing this, make sure to back up the registry in case something goes wrong.
Open the registry editor by clicking on Start and typing in regedit. Navigate to the following path:
You’ll see a couple of keys under the Windows key, but probably not System. If there is no System key under Windows, you have to create it. You can do that by right-clicking on Windows and choosing New – Key.
Name the key System, select it, and then right-click in the right-hand pane and choose New – DWORD (32-bit) Value.
Name the value DisableCMD and press Enter. Then double-click on it to edit it, choose Decimal and give it a value of 2. A value of 2 disables the command prompt only. A value of 0 will enable the command prompt and a value of 1 will disable the command prompt and prevent scripts from running.
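To confirm which state a machine is actually in after these steps, the value can be read back and interpreted. The PowerShell function below is an added example, not code from the original article; `Get-DisableCmdState` is a hypothetical name, and because the registry path is not reproduced on this page, the key path is a required parameter instead of a hard-coded value.

```powershell
# Added example (not from the original article): read back the DisableCMD value
# and report what it means, using the three meanings the article gives.
function Get-DisableCmdState {
    [CmdletBinding()]
    param(
        # Registry provider path of the "System" key from the steps above.
        # The article's path is not reproduced on this page, so it must be supplied.
        [Parameter(Mandatory)]
        [string]$PolicyKeyPath
    )

    $meaning = @{
        0 = 'Command Prompt enabled'
        1 = 'Command Prompt disabled, scripts prevented from running'
        2 = 'Command Prompt disabled only'
    }
    $result = [ordered]@{ Path = $PolicyKeyPath; Value = $null; State = $null }

    if (-not (Test-Path -LiteralPath $PolicyKeyPath)) {
        $result.State = 'System key does not exist: nothing configured here'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $PolicyKeyPath
    if ($key.GetValueNames() -notcontains 'DisableCMD') {
        $result.State = 'DisableCMD value not present: nothing configured here'
        return [pscustomobject]$result
    }

    # The steps create a DWORD (32-bit) value; flag anything else.
    $kind = $key.GetValueKind('DisableCMD')
    $result.Value = $key.GetValue('DisableCMD')
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.State = "Unexpected value type $kind (expected DWord)"
    }
    elseif ($meaning.ContainsKey($result.Value)) {
        $result.State = $meaning[$result.Value]
    }
    else {
        $result.State = 'Value outside the 0/1/2 range described in the article'
    }
    return [pscustomobject]$result
}

# Usage (replace the placeholder with the key path used in the steps above):
# Get-DisableCmdState -PolicyKeyPath '<registry path of the System key>'
```

Running it before and after the change, or across several user profiles, shows whether the value was created with the intended type and data rather than, for example, left at 1 when only 2 was wanted.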
The change should take effect immediately. If you try to open the command prompt, it will appear, but with the following message:
Although the Command Prompt is a useful administrative tool, few casual users of Windows 7 have use for it. Rather than deny access to features of the operating system on a function-by-function basis, many administrators prefer to prevent access to the Command Prompt by using one of the methods above. Enjoy!
Founder of Help Desk Geek and managing editor. He began blogging in 2007 and quit his job in 2010 to blog full-time. He has over 15 years of industry experience in IT and holds several technical certifications. Read Aseem’s Full Bio