Block Access to Command Prompt

No batch file scripts, no commands, no trouble

January 10th, 2007 15:19 GMT
The command prompt is an important component of the operating system. It has been present since the first versions of Windows and it still lives on in the new Windows Vista. As I mentioned in other articles, commands run from the command prompt can do amazing things, especially for inexperienced users who are not familiar with them.

These commands are raw in both power and form and not very user friendly, but they do their job if properly handled. If an advanced computer user gets in front of your PC when you are not around, you might get in trouble. There is no need to install applications or anything else to mess with your computer; he can simply do it using commands run from the command prompt.

With the command prompt activated (it is activated by default in Windows), malicious batch scripts can be run, and these can endanger the normal operation of your computer and operating system.

All this being said, some more cautious users may see disabling the command prompt as one of the mandatory steps to protect a personal computer. Of course, this holds only if you are not a frequent user of the command prompt's facilities. If you run batch scripts or use Terminal Services, disabling this Windows feature is not recommended.

How to disable the command prompt

For Windows XP Professional

Windows XP Professional comes with a useful tool called Group Policy Editor (GPEDIT.msc), which lets you set a number of restrictions, and one of these is exactly the one that concerns us.

Go to Start > Run and type gpedit.msc. Then go to:
User Configuration > Administrative Templates > System and find Prevent Access To The Command Prompt. Right-click it, select Properties and click Disable. Then click OK and restart your computer.

With this option, you disable access to the command prompt for all users, including the administrator.

For Windows XP Home Edition

Because Windows XP Home Edition does not provide the Group Policy Editor, we need to edit the registry.

Browse to the following registry path:

HKEY_CURRENT_USER > Software > Policies > Microsoft > Windows > System

There, in the right panel, you have the DWORD value DisableCMD. Setting it to 0x00000001 disables the command prompt. To enable it again, just change the value to 0x00000002.




With this method, you prevent access to the command prompt only for the logged-in user. It won't affect the other user accounts.
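
Because the registry setting is per user, it is worth checking which accounts actually carry it. The PowerShell script below is an added example, not part of the original article: it reads DisableCMD from every user hive currently loaded under HKEY_USERS. The function name and output columns are illustrative, and the value meanings in it are those of Microsoft's policy template for this setting, where 2 still blocks the interactive prompt but lets batch scripts run.

```powershell
# Added example, not from the article: report DisableCMD for each loaded user hive.
# Value meanings follow Microsoft's policy template for
# "Prevent access to the command prompt"; they are not taken from the article.
$PolicySubKey = 'Software\Policies\Microsoft\Windows\System'

function Get-DisableCmdState {                      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sid)       # SID of one key under HKEY_USERS

    $raw = $null
    $key = "Registry::HKEY_USERS\$Sid\$PolicySubKey"
    if (Test-Path -LiteralPath $key) {
        # RegistryKey.GetValue returns the supplied default when the value is absent
        $raw = (Get-Item -LiteralPath $key).GetValue('DisableCMD', $null)
    }

    if     ($null -eq $raw) { $state = 'not set: command prompt allowed' }
    elseif ($raw -eq 0)     { $state = 'command prompt allowed' }
    elseif ($raw -eq 1)     { $state = 'command prompt and batch scripts blocked' }
    elseif ($raw -eq 2)     { $state = 'interactive prompt blocked, batch scripts still run' }
    else                    { $state = "unexpected value: $raw" }

    # Resolve the SID to an account name; deleted accounts leave SIDs that no longer map
    try {
        $sidObject = [System.Security.Principal.SecurityIdentifier]$Sid
        $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '(unresolved SID)'
    }

    [pscustomobject]@{ Account = $account; Sid = $Sid; DisableCMD = $raw; State = $state }
}

# HKEY_USERS only contains the hives of users who are logged on right now.
# Run from an elevated session to read hives other than your own.
Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # user accounts, skips *_Classes
    ForEach-Object { Get-DisableCmdState -Sid $_.PSChildName } |
    Format-Table -AutoSize
```

Accounts that are not logged on do not appear in the output, because their NTUSER.DAT hive is not loaded under HKEY_USERS.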
