This article provides step-by-step instructions on how to disable the Command Prompt (cmd.exe).
The Command Prompt is a powerful tool for managing and configuring the Windows operating system. However, if necessary, you can disable its use to enhance security and prevent users from running command-line scripts and batch files (.CMD and .BAT). You can achieve this by using the Local Group Policy Editor (gpedit.msc) or by modifying the Windows Registry Editor.
How to Disable the Command Prompt Using the Local Group Policy Editor (gpedit.msc)
To disable the Command Prompt and prevent batch script execution, open the Local Group Policy Editor by pressing Win + R, typing gpedit.msc in the Run dialog, and pressing Enter ↵. Alternatively, use Windows Search to find and open gpedit.msc.
In the Local Group Policy Editor window, navigate to the following path:
User Configuration ➯ Administrative Templates ➯ System
Then, in the right pane, double-click on the policy setting named Prevent access to the command prompt.
In the Prevent access to the command prompt window, change the toggle from Not Configured to Enabled. Then, in the dropdown menu Disable the command prompt script processing also?, select Yes and click OK.
Now, when attempting to open the command prompt or execute a batch (.CMD or .BAT) file, you will see a command prompt window with the message:
“The command prompt has been disabled by your administrator. Press any key to continue . . .”
How to Disable the Command Prompt Using the Registry Editor
This method is suitable for all editions of the Windows operating system. Before making any changes to the registry, it is recommended to create a restore point or export the specific registry section that will be modified.
Open the Registry Editor by pressing Win + R, typing regedit in the Run dialog box, and pressing Enter ↵, or use the Windows search function to find and open it.
In the Registry Editor window, navigate to the following path:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
If the System key does not exist, create it.
Next, right-click on the System key or right-click on an empty space in the right panel, then select New > DWORD (32-bit) Value from the context menu. Name the newly created value DisableCMD.
Then, double-click on the DisableCMD parameter, set its value to 1, and click OK.
To allow the use of the command prompt, delete the DisableCMD parameter.
Additionally, to disable the command prompt, create and apply a registry file with the following content:
Windows Registry Editor Version 5.00.
[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System].
“DisableCMD”=dword:00000001
To undo the changes and allow the use of the command prompt, create and apply a registry file with the following content:
Windows Registry Editor Version 5.00.
[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System].
“DisableCMD”=-
It is also important to note that disabling the command prompt and blocking batch file execution on a computer may not be advisable if login, logout, startup, or shutdown scripts are in use, as well as for users who rely on Remote Desktop Services.
