This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 44%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEC%3C/text%3E%3C/svg%3E)
How to begin with?
I have tried with a GPO with the following Computer and User Configuration settings:
Application Whitelist> Policies> Windows Settings> Security Settings> Software Restriction Policies/Additional Rules
Set C:\TEST with Disallowed Security Level
This is to test if a program installed in C:\TEST drive will be blocked.
I get this from gpresult /r
Application Whitelist
Filtering: Denied (Security)
Default Domain Policy
MapDrives
AllPrinters
Office Macros
Application Whitelist
But still I can run a program installed in C:\TEST.
What am I missing?
Looking for a solution to block a program installed on other drives or location.
Thank you
Hi EmCatimbang-8232,
If you want to block programs from running on your system/network, you can easily create a Group Policy Object (GPO) to make that happen.
This is the traditional way of blocking software and it has limited performance as we explain below:
1) Launch REGEDIT
2) Expand USER CONFIGURATION > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM
3) Double click on DON’T TUN SPECIFIED WINDOWS APPLICATIONS
4) Click ENABLE
5) Click the SHOW button
6) Type in the file name you want to block
This method should allow you to achieve what you're looking for. However, the problems with this method are:
This method only works per user and not per machine.
You can only use filenames, no paths, hashes or certificates. Think about what that means for UPDATE.EXE which you likely have 20 of for 20 different programs on your computer… not good.
This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.
--If the reply is helpful, please Upvote and Accept as answer--
Thank you for the response, yes I reckon that is how we usually do it.
My question is, what if a user already installed a program outside the usual install location (C:\Programs Files, C:\Program files (x86), C:\Windows ...)
Like if a user created a personal folder in C:\ where he installed the program. Is there anyway, I can disallow programs outside the usual install location?
or I can only block programs through specific path and filenames (.exe)?
Appreciate your help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 77%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
1) Launch REGEDIT
You mean GPEDIT.MSC?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 70%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
HMM, I noticed that too....
Windows Tools can be numerous.