  1. #1
    pinemarten

    how to disable command.com ?

    any idea how to do this?

    have disabled cmd.exe via gpo, but command.com still runs (as one little chappy gleefully pointed out to me today)

    if I delete it from hd's, I guess they can still run it from a pendrive - so any suggestions welcome.

    (w2k server, XPSP1 wkstns)

  2. #2



    Re: how to disable command.com ?

    change the NTFS permissions

  3. #3



    Re: how to disable command.com ?

    ..and set command.com as a denied app in GPO

  4. #4
    pinemarten

    Re: how to disable command.com ?

    I set it as a denied app in gpo, but it's not a windows app so still runs

  5. #5
    tosca925

    Re: how to disable command.com ?

    We did this a while ago, I'll see if I can dig the notes out for it.

  6. #6
    DMcCoy

    Re: how to disable command.com ?

    just change its file security settings in the relevant section of the computer gpo.

  7. #7

    SpuffMonkey

    Re: how to disable command.com ?

    Or you could just rename it - problem is - we found - quite a few old educational type programs won't run without it - Estarters for example and some of the installer programs - so make sure you test it out thoroughly.

  8. #8
    pinemarten

    Re: how to disable command.com ?

    thanks for replies - but command.com is a 50k app which can be run from any location, so setting permissions etc on the hd copy doesn't stop 'em bringing it in.

    what can they do with it anyway? (apart from annoying me by mentioning it!)

  9. #9

    mac_shinobi

    Re: how to disable command.com ?

    look at post below as it wouldn't let me delete this one

  10. #10

    mac_shinobi

    Re: how to disable command.com ?

    I think I found what you need

    The following table lists the Group Policy Machine settings and associated registry keys for application compatibility. These settings are found in these locations:
    • Group Policy Location: MACHINE\Administrative Templates\Windows Components\Application Compatibility
    • Registry Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows

    Group Policy Settings for Application Compatibility (Machine)

    Setting | Description
    Turn Off Application Compatibility Engine | Controls the state of the application compatibility engine in the system.
    Turn Off Program Compatibility Wizard | Controls the state of the Program Compatibility Wizard. When enabled, this setting disables the start page of the wizard in Help and Support, and in the Start menu.
    Remove Program Compatibility Property Page | Controls the visibility of the Program Compatibility property page shell extension.
    Turn On Application Help Log Events | Blocks known incompatible applications and displays a dialog to the end-user regarding the problem.
    Prevent access to 16-bit applications | Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.

    http://technet2.microsoft.com/Window....mspx?mfr=true

    It's near the bottom of the page and it shows you where it is in GPO

  11. #11
    pinemarten

    Re: how to disable command.com ?

    Thanks, gecko - only problem is we're still on W2k server and that setting isn't there

    [edited]

    sorted it - I added this to logon script instead

    CACLS %SystemRoot%\System32\ntvdm.exe /E /D Student

    [edited]

  12. #12
    browolf

    Re: how to disable command.com ?

    does this work?

    Within MMC Group Policy, Click on user configuration, Next click on Administrative Templates, Then click on System. Within system you'll see "Disable the command prompt". Enable that policy.

  13. #13

    mac_shinobi

    Re: how to disable command.com ?

    Quote Originally Posted by pinemarten:
    Thanks, gecko - only problem is we're still on W2k server and that setting isn't there

    [edited]

    sorted it - I added this to logon script instead

    CACLS %SystemRoot%\System32\ntvdm.exe /E /D Student

    [edited]

    did that work, and did it stop them from running command.com / cmd etc?

  14. #14
    pinemarten

    Re: how to disable command.com ?

    @Browolf;
    Within MMC Group Policy, Click on user configuration, Next click on Administrative Templates, Then click on System. Within system you'll see "Disable the command prompt". Enable that policy.
    yeah, did that, only works for cmd.exe

    @gecko;
    yes, it seems to have worked ok (ntvdm.exe controls the 16-bit processes, so denying access stops it running for the denied group.)
    I wondered if it might stop the logon.bat from running, but seems ok - I am monitoring the system for any other undesirable effects, but none so far....

  15. #15
    ICTNUT

    Re: how to disable command.com ?

    Sorry to pick this thread up again but we recently had this problem not with users running on the PC but on pendrives, solved the problem this way:

    Within our Student GPO: User Config -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules

    Path rule
    A path rule identifies programs by their file path. For example, if you have a computer that has a Disallowed default policy, you can still grant unrestricted access to a specific folder for each user. Some common paths for this type of rule would be %userprofile%, %windir%, %appdata%, %programfiles%, and %temp%.

    Since these rules are specified by path, if a program is moved, then the path rule will no longer apply.

    AND

    Hash rule
    A hash is a series of bytes with a fixed length that uniquely identifies a program or file. The hash is computed by a hash algorithm. Software restriction policies can identify files by their hash, using both the SHA-1 (Secure Hash Algorithm) and the MD5 hash algorithm.

    For example, you can create a hash rule and set the security level to Disallow to prevent users from running a certain file. A file can be renamed or moved to another folder and still result in the same hash. However, any tampering with the file will change its hash value and allow it to bypass restrictions.

    Software restriction policies will only recognize hashes that have been calculated using software restriction policies.

    with both of these in place even if the file is on the USB it is still stopped from running.
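
A small model of how the path rule and the hash rule described in the post above cover different cases, added here as an example; it is not part of the original thread and not Microsoft's implementation. The drive letter E:\, the stand-in file bytes and the `evaluate` and `coverage` helpers are assumptions made for illustration.

```python
import hashlib
import ntpath

# Constructed stand-in bytes for the blocked program; not a real binary.
SAMPLE = b"constructed stand-in for the 16-bit shell"

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Assumed policy, both rules at security level Disallowed.
PATH_RULES = ["E:\\"]            # assumed drive letter of the pen drive
HASH_RULES = {sha1_hex(SAMPLE)}  # hash rule covering the blocked program

def evaluate(path: str, content: bytes, default: str = "Unrestricted") -> str:
    """Return the level applied to a file and the rule that decided it."""
    # Hash rules look only at content, so name and folder are irrelevant.
    # (Both rules are Disallowed here, so check order does not change the level.)
    if sha1_hex(content) in HASH_RULES:
        return "Disallowed (hash rule)"
    # Path rules look only at location, so content is irrelevant.
    norm = ntpath.normcase(ntpath.normpath(path))
    if any(norm.startswith(ntpath.normcase(p)) for p in PATH_RULES):
        return "Disallowed (path rule)"
    # Anything matching no rule gets the policy's default security level.
    return default

def coverage(default: str = "Unrestricted") -> dict:
    changed = SAMPLE + b"\x00"  # constructed: same program, one byte different
    cases = {
        "original on hard disk": ("C:\\WINDOWS\\system32\\command.com", SAMPLE),
        "renamed copy in temp": ("C:\\Temp\\notes.com", SAMPLE),
        "copy on pen drive": ("E:\\command.com", SAMPLE),
        "changed copy on pen drive": ("E:\\tools\\shell.com", changed),
        "changed copy on hard disk": ("C:\\Temp\\shell.com", changed),
    }
    return {name: evaluate(p, c, default) for name, (p, c) in cases.items()}

if __name__ == "__main__":
    for default in ("Unrestricted", "Disallowed"):
        print(f"default level = {default}")
        for name, verdict in coverage(default).items():
            print(f"  {name:28} -> {verdict}")
```

With the default level left at Unrestricted, the last case is decided by neither rule; a Disallowed default with unrestricted access granted to specific folders, as the path rule text describes, is what covers it.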
