Prevent Access to the Command Prompt in Windows

The Windows Command Prompt is a robust solution for administrators to quickly and easily keep a system up and running smoothly. It’s rare that the average user has a use for the Command Prompt.

Rather than invite temptation, many administrators prevent access to the Command Prompt to discourage users from troubleshooting computer errors and poking around where they can compromise the integrity of a system.

The Windows Command Prompt

The Windows Command Prompt (sometimes called the DOS prompt) is a tool that allows administrators to create batch functions, troubleshoot computer errors, and invoke system-wide commands to make administration easier and more efficient. The average user has little use for this tool.

The Web is filled with advice on how to fix errors on a Windows-based PC. Some users take it upon themselves to troubleshoot and fix their own errors rather than waiting for a professional.

Some administrators make it easy on themselves and prevent user access to the Command Prompt instead of disallowing certain functions on a function-by-function basis. Preventing access to the Command Prompt is a quick way to ensure that users don’t go poking around in areas they shouldn’t be poking around in.

Disable Windows Command Prompt via Group Policy

Note: This method described below will work on Windows Vista, Windows 7, and Windows 8/10, but it will not work for the Home or Starter editions since they do not include support for Group Policy editing. For those cases, you can use the registry method mentioned below. 

Log in to Windows using an account that has administrative privileges. Click on Start>Run to open the Run dialogue box. If you don’t see the Run command on your Start menu, hold down the Windows key on your keyboard and press the R key. In the Run box, type in gpedit.msc and click the OK button.

In the Local Group Policy Editor window’s left pane, open the folder located at User Configuration>Administrative Templates>System. Make sure to click on the System folder rather than expanding it.

In the right hand pane, locate and double click on an entry labeled Prevent Access to the Command Prompt.

You should now be looking at the Prevent Access to the Command Prompt window. Like most installations of Windows , this setting should be set to the Not Configured option. Click on the Enabled option and click the OK button.

Close all other open windows and you are done. You do not have to restart your computer for the setting to take effect. All users of the PC are now denied access to the Command Prompt.

Disable Access to Command Prompt via Registry

If you don’t have access to Group Policy settings, you can manually go into the registry and disable the command prompt. To do this, you should first make sure to backup the registry in case something goes wrong.

Go ahead and open the registry editor by clicking on Start and typing in regedit. Navigate to the following path:

You’ll see a couple of keys under the Windows key, but probably not System. If there is no System key under Windows, you have to create it. You can do that by right-clicking on Windows and choosing NewKey.

Name the key System, select it, and then right-click in the right-hand pane and choose NewDWORD (32-bit) Value.

Name the value DisableCMD and press Enter. Then double-click on it to edit it, choose Decimal and give it a value of 2. That means to disable the command prompt only. A value of 0 will enable the command prompt and a value of 1 will disable the command prompt and prevent scripts from running.

The change should take effect immediately. If you try to open the command prompt, it will appear, but with the following message:

Although the Command Prompt is a useful administrative tool, few casual users of Windows 7 have use for it. Rather than deny access to features of the operating system on a function-by-function basis, many administrators prefer to prevent access to the Command Prompt by using one of the methods above. Enjoy!