How I could add Additional Rules in Software Restriction Policies with cmd using a script that'll work with both Windows 7 and Windows Vista.

I would like to create some path rules with security level set to "Disallowed".

Below are a few lines I'd like to incorporate into this script:

C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\%username%\AppData\Local\Google\Chrome\Application\chrome.exe
Chrome.exe
chrome_installer.exe
Gears-chrome-opt.msi
GoogleUpdate.exe

Solution 1:

So you need to way to disallow certain executable files from being run for each user signed onto a PC for Windows 7 and/or Windows Vista, and you need to implement it via CMD fashion to apply locally at the machine level.


Instructions and Detail

See How to Block an Application or .EXE from Running in Windows and from some information as listed there, I've created the below batch script that can be run to "Disallow" these executables from being executed from that user account.

If you need to scale this CMD method to add further executable file names than the four you provided, you simply move up sequentially to the next number and then plug in the executable name as in the below example for instance:

ECHO "3"="Gears-chrome-opt.msi"              >> "%TmpRegFile%"
ECHO "4"="GoogleUpdate.exe"                  >> "%TmpRegFile%"
ECHO "5"="App5toBlock.exe"                   >> "%TmpRegFile%"
ECHO "6"="App6toBlock.msi"                   >> "%TmpRegFile%"

See How to Block an Application or .EXE from Running in Windows for further explanation.


You might consider testing and replacing HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE in the below script to lock down disallowing these executable files from being run at the entire PC level rather than the user account that's signed on when the script is run.

You may also need to run the batch script as an administrator as well or the REG IMPORT command could get an access denied message when it tries to update the registry. You can copy and paste all of the below into CMD directly as well but don't paste in the last line of EXIT /B so the screen buffer text stays up.


Batch Script

I used TASKKILL commands in the below script to forcefully kill all instances of the same executable file names to disallow with the registry import. If any are running in memory on the machine when this runs then they will be killed; scale applicable logic as needed to add further processes to kill.

The Windows Explorer Shell needs to be killed and restarted in memory before these settings become effective. Doing a complete power cycle of the machine would do the trick, and potentially logging on and right back on may work. I used WMIC to refresh Windows Explorer with a WHERE clause and CALLing TERMINATE as it restarts it.

@ECHO OFF

SET TmpRegFile=%temp%\~DisallowExe.reg
IF EXIST "%TmpRegFile%" DEL /Q /F "%TmpRegFile%"

ECHO Windows Registry Editor Version 5.00  >> "%TmpRegFile%"
ECHO.                                      >> "%TmpRegFile%"
ECHO [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]             >> "%TmpRegFile%"
ECHO "DisallowRun"=dword:00000001                                                                >> "%TmpRegFile%"
ECHO [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun] >> "%TmpRegFile%"
ECHO "1"="Chrome.exe"                        >> "%TmpRegFile%"
ECHO "2"="chrome_installer.exe"              >> "%TmpRegFile%"
ECHO "3"="Gears-chrome-opt.msi"              >> "%TmpRegFile%"
ECHO "4"="GoogleUpdate.exe"                  >> "%TmpRegFile%"

TASKKILL /F /IM "Chrome.exe"
TASKKILL /F /IM "chrome_installer.exe"
TASKKILL /F /IM "Gears-chrome-opt.msi"
TASKKILL /F /IM "GoogleUpdate.exe"

REG IMPORT "%TmpRegFile%"
PING -n 05 127.0.0.1 > nil
WMIC PROCESS WHERE "Caption = 'explorer.exe'" CALL TERMINATE

EXIT /B

Further Resources

  • REG.exe
  • WMIC
  • TASKKILL