Restrict users from running certain .exe files

[ttlwh]

As an Adminstrator I need to stop users from running software such as Winamp on standalone laptops with Windows 2000 Pro OS, I've used a Registry edit (RestrictRun within the HKEY_CURRENT_USER hive) to list all .exe files that the users CAN run. The problem is that if a certain .exe needs adding/removing from what the users can access I need to run another Registry edit to update the list, however, I've also had to clampdown on the user running the cmd prompt and accessing registry editing tools (both these clampdowns were set in the registry). As such a batch file at login would not run due to the restrictions in place.

I've thought about creating a Service to run as LocalSystem to call a cmd window with a registry merge to complete the registry change but obviously this would not make the edit for the correct Current User hive; this is due to when the Service is started the current user would be the LocalSystem not the user that needs the .exe file restriction.

Making the change to the HKEY_USERS hive only affects the default profile for the first logon of the user, it would not affect the registry for users that have already logged onto Windows.

Is there any method of having a central source for all .exe files within the laptops registry that can be accessed and having each user access this list at logon so that files can be added/removed at will by the administrator?

 

[aftertaf]

if you have active directory, you can do this very simply with Group Policy.

Aftertaf

getting quite good at sorting out Windows problems...
An expert when it comes to crashing Linux distributions (mdk, debian - nothing withstands me)

 

[ttlwh]

Unfortunatley I don't have access to Active Directory.

 

[aftertaf]

you dont have access.... do you mean you aren't admin, or that you dont have a 2000/2003 domain in place?

Aftertaf

getting quite good at sorting out Windows problems...
An expert when it comes to crashing Linux distributions (mdk, debian - nothing withstands me)

 

[ttlwh]

There's no 2000 domain as I'm administrating standalone laptops.

 

[aftertaf]

then you have a tool on w2k, but you'll have to do it pc by pc...
there is a way to export and import, but my head's on a bit backwards today (likely excuse)..

Use Local Computer Policy!!

i.e.
Start>Run>mmc
and add the group policy snapin...
then
go to Local Computer Policy / User Config. / Admin Templates / System:
you have 2 policies here.
-Run only allowed &
-Don't run specified Windows Apps.


Aftertaf

getting quite good at sorting out Windows problems...
An expert when it comes to crashing Linux distributions (mdk, debian - nothing withstands me)

 

[ttlwh]

thanks aftertaf, I've looked at the same method before but I have nearly 450 .exe names that I need to allow - how can I automate this entry into the Local Computer Policy?

Thanks for your help so far, appreciated.

 

[aftertaf]

just added to my local policy non-allowed exe files called notallowed.exe & forbidden.exe, for testing.

then with regedit i found them here.....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
a string called 1 with "forbidden.exe"
a string called 2 with "notallowed.exe"

set this up on one machine and use the export facility of regedit to apply it as a logon script to each machine

Aftertaf

getting quite good at sorting out Windows problems...
An expert when it comes to crashing Linux distributions (mdk, debian - nothing withstands me)

 

[ttlwh]

the problem is that registry editing tools have been disabled (within the registry) for each normal user so a login script which attempts to access the registry will get blocked.