How to Disable Command Prompt in Windows

The Command Prompt is one of the advanced tools you get in Windows which emulates MS-DOS command line abilities to perform various actions like advanced administrative tasks, manipulating the entire operating system and its programs, executing batch files, troubleshooting Windows issues, etc. In good hands, the Command Prompt can do a lot of advanced stuff on your Windows computer. But if you are a system administrator and don’t want your users to mess around with the Command Prompt, you are better off disabling this feature entirely.

To disable the Windows Command Prompt, you can either use the regular Windows Registry Editor or the Group Policy Editor. If you have access to the Group Policy Editor, then use it to achieve the task as it will be easy to manage it later. Here I am listing both the processes. Use the one you prefer.

Using Group Policy Editor

To disable the command prompt using the Group Policy editor, press Win + R, type gpedit.msc and press the Enter button. This action will open the Windows Group Policy Editor.


Here, navigate to the Policy “User Configuration -> Administrative Templates -> System” and double-click on the option “Prevent access to the command prompt” located in the right pane.


This action will open the policy settings window. Here select the radio button “Enabled” and click on the “Ok” button to save the changes. Now, if you also want to disable the script execution, then select the option “Yes” from the drop-down menu next to “Disable command prompt script processing also” under “Options.”


Once you are done with the configurations, the change is immediate. In fact, open up the command prompt and you will see a message something like “The command prompt has been disabled by your administrator.” Since the change is universal, even the administrator is locked out of the command prompt. Pressing any key after the message will just exit the command prompt window by default.


If you ever want to re-enable the command prompt, just reverse the process by selecting either of the radio buttons “Not configured” or “Disabled” and you are good to go.

Using Registry Editor

Note: before playing with the Windows Registry Editor, please back it up as a precaution.

If you don’t have access to the Group Policy Editor, then you can achieve the same using Windows Registry Editor. First, press Win + R, type regedit and press the Enter button to open Windows Registry Editor.


Once opened, navigate to the following keys. If you cannot find the keys “Windows” or “System” then create them. As you can see from the image, the default value for “DisableCMD” has been set to “0,” which simply means that the command prompt is enabled for all users.


Now, double click on the key “DisableCMD” and enter the Value Data as “2” and click on the “Ok” button to save the changes. If you also want to disable the script execution, enter the Value Data as “1.” Again, if there is no specified value, then just create a new DWORD value with the name “DisableCMD” and enter the value data as required.


That’s all there is to do. You have successfully disabled the command prompt and script execution in Windows with just a simple registry hack. If you ever want to roll back the changes, just change the Value Data back to “0” and you are good to go.


Hopefully that helps, and do comment below sharing your thoughts and experiences on using this simple tweak to disable the command prompt in your Windows operating system.

Vamsi Krishna Vamsi Krishna

Vamsi is a tech and WordPress geek who enjoys writing how-to guides and messing with his computer and software in general. When not writing for MTE, he writes for he shares tips, tricks, and lifehacks on his own blog Stugon.


  1. In both examples you started with the command prompt. If the command prompt is disabled, how to run gpedit or regedit to reverse disabling the command prompt?

  2. Your theory is flawed. The average Windows user is unaware that the CP is even there, and those who do know about it see it as some forbidden land that they should stay out of. I’ve never heard of someone “accidentally” using the command prompt and screwing something up. Certaily never any place I’ve been a sysadmin. My experience is that most people start calling IT when a web page won’t load.

    1. The problem with having this enable is not necessarily users. If some attacker hits that machine they can do damage much faster with command prompt, powershell, SSH client, ect… It is good security practice to have users locked down to use only the tasks they need and not the ones they simply want.

    2. People can use the CMD to access your many information in less than 2 minutes if allowed on your laptop. So its best to disable if you don’t use it and don’t want any intrusion.

  3. In response to Jon’s comments above, the examples shown did not use the command prompt to disable the command prompt!
    Rather both the regedit and the gpedit were accessed through the run command.

Comments are closed.