The Command Prompt is one of the advanced tools you get in Windows which emulates MS-DOS command line abilities to perform various actions like advanced administrative tasks, manipulating the entire operating system and its programs, executing batch files, troubleshooting Windows issues, etc. In good hands, the Command Prompt can do a lot of advanced stuff on your Windows computer. But if you are a system administrator and don’t want your users to mess around with the Command Prompt, you are better off disabling this feature entirely.
To disable the Windows Command Prompt, you can either use the regular Windows Registry Editor or the Group Policy Editor. If you have access to the Group Policy Editor, then use it to achieve the task as it will be easy to manage it later. Here I am listing both the processes. Use the one you prefer.
Using Group Policy Editor
To disable the command prompt using the Group Policy editor, press “Win + R”, type
gpedit.msc and press the Enter button. This action will open the Windows Group Policy Editor.
Here, navigate to the Policy “User Configuration -> Administrative Templates -> System” and double-click on the option “Prevent access to the command prompt” located in the right pane.
This action will open the policy settings window. Here select the radio button “Enabled” and click on the “Ok” button to save the changes. Now, if you also want to disable the script execution, then select the option “Yes” from the drop-down menu next to “Disable command prompt script processing also” under “Options.”
Once you are done with the configurations, the change is immediate. In fact, open up the command prompt and you will see a message something like “The command prompt has been disabled by your administrator.” Since the change is universal, even the administrator is locked out of the command prompt. Pressing any key after the message will just exit the command prompt window by default.
If you ever want to re-enable the command prompt, just reverse the process by selecting either of the radio buttons “Not configured” or “Disabled” and you are good to go.
Using Registry Editor
Note: before playing with the Windows Registry Editor, please back it up as a precaution.
If you don’t have access to the Group Policy Editor, then you can achieve the same using Windows Registry Editor. First, press “Win + R,” type
regedit and press the Enter button to open Windows Registry Editor.
Once opened, navigate to the following keys. If you cannot find the keys “Windows” or “System” then create them. As you can see from the image, the default value for “DisableCMD” has been set to “0,” which simply means that the command prompt is enabled for all users.
Now, double click on the key “DisableCMD” and enter the Value Data as “2” and click on the “Ok” button to save the changes. If you also want to disable the script execution, enter the Value Data as “1.” Again, if there is no specified value, then just create a new DWORD value with the name “DisableCMD” and enter the value data as required.
That’s all there is to do. You have successfully disabled the command prompt and script execution in Windows with just a simple registry hack. If you ever want to roll back the changes, just change the Value Data back to “0” and you are good to go.
On the other hand, if you want more granular control over the other applications, you can use AppLocker to achieve the task.
Hopefully that helps, and do comment below sharing your thoughts and experiences on using this simple tweak to disable the command prompt in your Windows operating system.