Restricting non-administrative users from running the console is an efficient way to establish or reinforce a controlled environment. If you have administrator access and want to disable the Command Prompt, this guide will walk you through the process and provide additional insights on enforcing security policies.
Command Prompt is a powerful tool used for executing various administrative and troubleshooting tasks through text-based commands.
Methods to disable the Command Prompt
There are two ways to restrict end-users from opening the Command Prompt console. You can use either of these tools:
✔️ Using Local Group Policy Editor
✔️ Using the Registry Editor
The Windows Registry is available on all Windows devices, but editing its values can damage the system if executed poorly. We advise creating a backup and restore point for the Windows Registry before proceeding.
On the other hand, while the Local Group Policy (GPO) is less risky, it’s only available for Windows Pro, Enterprise, and Education editions. With that in mind, check out the steps below to get started.
Option 1: Using Local Group Policy Editor (recommended)
- Press Win + R, type “gpedit.msc” in the dialog box, and tap OK.
- In the Local Group Policy Editor, navigate to User Configuration → Administrative Templates → System.
- Find the Prevent access to the command prompt policy, double-click it, and set it to Enabled.
🥷 Tip: (Optional) After enabling the policy, you’ll also find the Disable the command prompt script processing policy. Enforcing this policy will prevent users from running batch files to bypass the Command Prompt restriction.
Option 2: Using the Registry Editor (For advanced users)
- Press Win + R, type “regedit” in the dialog box, and tap OK to open the Registry Editor.
- Navigate to this key, or paste it into the Registry Editor’s address bar:
  - HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
- If the System key isn’t under Windows, right-click on Windows, select New → Key, and name it System. Otherwise, click System to proceed.
- In System, select New → DWORD (32-bit) Value, and name it DisableCMD.
- Double-click DisableCMD and set the value to:
  - 1 → Disables the Command Prompt and .bat and .cmd scripts
  - 2 → Disables the Command Prompt
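The following PowerShell script is an added example, not part of the original guide, that applies the Option 2 steps to the current user's hive after exporting the parent key as a backup. The `$Mode` parameter name and the backup file location are assumptions made for illustration.

```powershell
# Added example: set DisableCMD for the account running this script.
# HKCU is the hive of the account that runs the script, so run it in the
# session of the user being restricted.
param(
    # 1 = block cmd.exe and .bat/.cmd scripts, 2 = block cmd.exe only, 0 = re-enable
    [ValidateSet(0, 1, 2)]
    [int]$Mode = 2
)

$parent = 'HKCU:\Software\Policies\Microsoft\Windows'
$key    = Join-Path $parent 'System'

# Assumed backup location: a timestamped .reg file in the user's temp folder.
$backup = Join-Path $env:TEMP ("policies-windows-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Export the parent key first so the change can be rolled back by importing the file.
if (Test-Path $parent) {
    & reg.exe export 'HKCU\Software\Policies\Microsoft\Windows' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup failed; no changes were made."
    }
    Write-Host "Backup written to $backup"
}

# Create the System key only if it is missing, as in the manual steps.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# -Force overwrites an existing DisableCMD value instead of failing.
New-ItemProperty -Path $key -Name 'DisableCMD' -Value $Mode `
    -PropertyType DWord -Force | Out-Null

# Read the value back and fail loudly if it does not match what was requested.
$actual = (Get-ItemProperty -Path $key -Name 'DisableCMD').DisableCMD
if ($actual -ne $Mode) {
    throw "DisableCMD is $actual, expected $Mode."
}
Write-Host "DisableCMD is now set to $actual under $key"
```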
Alternative or complementary security measures to consider
Disabling the Command Prompt is a good base for reinforcing access control for non-administrative users, but that alone may not be enough to stop unauthorized scripts from being run in other consoles (e.g., PowerShell).
Here are some additional security layers to consider.
Restricting PowerShell access using Local Group Policy
You should consider blocking unauthorized access to PowerShell, since the console can run many of the same command-line utilities as the Command Prompt, along with more powerful ones. Additionally, some users may use it to bypass restrictions applied to the Command Prompt.
On that note, here are the steps to disable PowerShell from the Local Group Policy:
- Press Win + R, type “gpedit.msc” in the dialog box, and tap OK.
- Go to User Configuration → Administrative Templates → System.
- Find the Don’t run specified Windows applications policy and double-click on it.
- Then, navigate to Options, click Show, and type powershell.exe in the Value column.
- Click OK, then Apply to confirm the changes.
You can also consider adding powershell_ise.exe (PowerShell ISE interface) and pwsh.exe (PowerShell 7) in the Value column to prevent users from bypassing the restrictions.
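To confirm the restriction actually landed, this added PowerShell example (not part of the original guide) reads the registry location that backs the Don’t run specified Windows applications policy and reports which of the three executables named above are listed. The registry path is the standard location for this policy and is not taken from the page; the check is read-only.

```powershell
# Added example: read-only audit of the "Don't run specified Windows
# applications" policy for the account running the script.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey  = Join-Path $explorer 'DisallowRun'

# Executables the guide recommends blocking.
$expected = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe'

# The policy is active only when the DisallowRun DWORD under Explorer is 1.
$enabled = $false
if (Test-Path $explorer) {
    $flag = (Get-ItemProperty -Path $explorer -Name 'DisallowRun' `
                -ErrorAction SilentlyContinue).DisallowRun
    $enabled = ($flag -eq 1)
}

# The blocked names are stored as string values ("1", "2", ...) in the
# DisallowRun subkey; collect the data of every value found there.
$blocked = @()
if (Test-Path $listKey) {
    $item = Get-Item -Path $listKey
    $blocked = @(foreach ($name in $item.GetValueNames()) {
        [string]$item.GetValue($name)
    })
}

# One result row per expected executable; -contains is case-insensitive.
$report = foreach ($exe in $expected) {
    [pscustomobject]@{
        Executable    = $exe
        Listed        = ($blocked -contains $exe)
        PolicyEnabled = $enabled
        Effective     = ($enabled -and ($blocked -contains $exe))
    }
}
$report | Format-Table -AutoSize

# A non-zero exit code lets a compliance job flag machines with gaps.
if ($report | Where-Object { -not $_.Effective }) { exit 1 }
```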
Using AppLocker to block unauthorized script execution
Windows’ built-in AppLocker also has its own effective parameters for preventing unauthorized scripts and batch files. However, just keep in mind that AppLocker alone will not prevent some scripts from running in PowerShell Constrained Language mode.
As such, it’s advisable to block PowerShell and the Command Prompt altogether if the user’s machine doesn’t need the functionalities.
Enabling User Account Control (UAC) to limit command execution permissions
Configuring UAC to restrict a standard user account is another excellent way to champion a secure environment.
Essentially, users who don’t have elevated privileges will be prompted whenever they try to access a restricted program. The administrators will be notified, or the user will have to ask for clearance before they can proceed.
Troubleshooting common issues when enabling or disabling the Command Prompt
While disabling the console is not a complicated process on its own, some minor challenges and considerations are prone to being overlooked. Here are some basic troubleshooting steps to fall back on if you encounter an error.
Error: Cannot open Group Policy Editor (gpedit.msc not found)
Local Group Policy Editor is only available on the following editions of Windows:
- Pro
- Education
- Enterprise
If your device is running on Windows Home, you may use the Registry Editor instead.
Error: Command Prompt is still accessible via PowerShell
Some users may bypass the Command Prompt restriction by prefixing commands in PowerShell. Additionally, many commands and utilities in the Command Prompt can be run, or have an equivalent that can be executed, in PowerShell. Because of that, IT administrators tend to restrict both PowerShell and the Command Prompt when limiting user access.
Error: Need to re-enable the Command Prompt
You can re-enable the Command Prompt by setting the Prevent access to the command prompt policy to Not Configured or Disabled. If you previously used the Windows Registry to set the restrictions, you can delete the System key if it doesn’t contain any other value.
You may also revert the DisableCMD DWORD value to 0 to fully re-enable the Command Prompt.
Enabling or disabling the Command Prompt FAQs
Does disabling cmd.exe affect system performance?
Disabling the Command Prompt will not affect system performance. It will only limit non-administrative users’ ability to run commands in the console.
Can administrators still access the Command Prompt?
No. Administrators will also be locked out from accessing the Command Prompt on this device. Only the system will be able to run the necessary scripts using this console.
Will disabling cmd.exe affect batch files and scripts?
This topic attracts plenty of closely related queries, such as “How do I disable CMD .bat?” or “How do I disable command prompt script processing?” To clarify, disabling the Command Prompt will not block batch files unless you also enforce the script processing policy at the same time.
Look for the Disable the command prompt script processing policy to manage this option.
Does disabling the Command Prompt also block PowerShell?
No, PowerShell must be disabled separately. See the tips under Alternative or complementary security measures to consider for how to block users from accessing PowerShell.
Final thoughts on disabling the Command Prompt in Windows 10
Electing to disable command prompt script processing is a good baseline for establishing a secure IT environment. However, this policy alone may not be enough to discourage rogue users from working around the restrictions. As a result, you may consider disabling PowerShell to fill in the gaps.
Once you’re set on having the Command Prompt console disabled, you can use the Registry Editor or the GPO to enforce the new policy. In most cases, we recommend the latter if you have a device on the Windows Pro, Enterprise, or Education edition. Otherwise, Home users may edit the Windows Registry with safety precautions well in place.