Disabling command prompt

i need to disable use of command prompt from my school computers. i have made it so that the students can't get to the command prompt on the computer…. but when they use a note pad, or a batch file going via command.com they gain access to the whole system. i can't figure out how to prevent that, maybe one of you could help me out?

What operating system are you using?

edit the registry

not only does it prevent users from starting cmd but also blocks batch (use 1)

User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System] Value Name: DisableCMD Data Type: REG_DWORD (DWORD Value) Value Data: (0 = default, 1 = disabled, 2 = disabled but allow batch)

gives people a

The command prompt has been disabled by your administrator.

Press any key to continue …

message when they boot cmd

thanks man… ur awsome

actually wait a sec

i think the HKEY_CURRENT_USER means its only applying it to you, and i was able to make a batch file

markupcommand.com

to pierce right through the block. idk man this is weird.

k figured out the right patch :D

instead edit

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun

this is a command that automatically runs whenever command is booted. so put 'exit' in there, and cmd will exit itself whenever booted even through batch.

im pretty sure this is what theyve done at my school :)

haha ur crazy!

Thx again

yeah np :happy:

DigitalFire wrote: k figured out the right patch :D

instead edit

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun

this is a command that automatically runs whenever command is booted. so put 'exit' in there, and cmd will exit itself whenever booted even through batch.

im pretty sure this is what theyve done at my school :)

Hm…couldn't you use command /p to get past this?

eh? not aware of a /p command…

hmm, the command /p would probably work……unless u blocked shortcuts as well, then if one of the students gets past it, then he damn well deserves to have access to the command prompt :angry:

I meant command /p in the .bat.

Couldn't you possibly just delete autorun.nt and disable access to C:\? Unless of course you need to run specific applications that need this ;).

what is this slash p of which you speak? not a command in dos…

/p == pause So it would execute command and then pause the cmd prompt. Then, exit would be issued and the cmd prompt session would be restored, in theory anyways.

i think the exit triggers before the /p, i tried it out anyways in a bat file with "command.com /p"

DigitalFire wrote: gives people a

The command prompt has been disabled by your administrator.

Press any key to continue …

message when they boot cmd

they did that at my school and the way i found to get past it was you just type all the commands into notepad put a pause at the end and save as a .bat then it does all the commands pauses at the end then once you get past the pause it chucks you off.

if your the network admin my advice to you is get friendly with those who are good at computers as if you piss them off they will try probably and succeed at making your job very difficult. (it happened at my school and the network was brought down for a couple of days for "maintenance)

sounds like the best idea so far ;)

the best way to avoid the whole hackers against security conflict is to befriend the hackers, get them working for you

in our middle school they didn't try to befriend the people who were "better" with computers, i wasn't even allowed in the stlp group because the teachers said that she didn't trust me with the computer unsupervised after school. oddly enough, "someone" got into their repair file and took their SAM file. at the high school though they did let the hackers into stlp. and now their network hasn't crashed in 3 years.:D

koolkeith12345 wrote: they did that at my school and the way i found to get past it was you just type all the commands into notepad put a pause at the end and save as a .bat then it does all the commands pauses at the end then once you get past the pause it chucks you off.

doesnt work for me :(

exploit.bat:

cd \
dir
pause

result:

The command prompt has been disabled by your administrator.

Press any key to continue . . .

and anyways, the registry edit for this didnt work for all users on the computer anyways (didnt exist in hkey_users or hkey_localmachine only on current user). my second patch i would trust much more than the first to protect my own network, although i would do both anyways :happy:

and @mcfarlanet true, but for some that takes out the fun :D

as i am going to be a junior next year i have spent countless hours creating batch files and trying to somehow get into the damn win32 folder but all have failed due to: Novell

Even when i did manage to open command prompt after a few seconds the program would recognize it as a process and quickly run a script to disable my method used. I really don't understand why Microsoft didn't for see CMD as being a problem for schools and just have a simple option to disable CMD for non administrators.

If your using a Windows domain, you get set group policy to disable all use of the command prompt for specific OUs.

slpctrl wrote: What operating system are you using? when he says command prompt im sure he means windows (Y)

sparrow wrote: If your using a Windows domain, you get set group policy to disable all use of the command prompt for specific OUs.

I'm not sure specific permissions are the way to go here. You need a little practice in there before you go f*cking with that and messing it up to the point of disaster.

& lol @ DJDotti's reply. :happy:

nights_shadow wrote: I'm not sure specific permissions are the way to go here. You need a little practice in there before you go f*cking with that and messing it up to the point of disaster.

& lol @ DJDotti's reply. :happy:

Specific permissions is a viable option, however, as long as it's done correctly. You can organize the permission types into separate GPOs, and then layer the GPOs onto different OUs of users. I currently do that, and I've found it much easier than just creating multiple different GPOs that all block "most" things. Makes the GPOs easier to maintain, too.

You could also try the registry hack I saw above, where it adds "exit" to the end of the commands but, instead of "exit", you could try "break", which would cancel the current command before it executes. To get around that, though, they could probably just pad their batch file with some trailing BS commands.

So… maybe you could try using GPO to disable viewing and accessing the C drive. Then, just change the permissions on the Desktop and My Documents (and all subfolders) to read-only. That might help to mitigate the problem since, if they can't save the batch file, they can't run it.

[edit]nested quotes problem[/edit]

Zephyr_Pure wrote:

Specific permissions is a viable option, however, as long as it's done correctly. You can organize the permission types into separate GPOs, and then layer the GPOs onto different OUs of users. I currently do that, and I've found it much easier than just creating multiple different GPOs that all block "most" things. Makes the GPOs easier to maintain, too.

You could also try the registry hack I saw above, where it adds "exit" to the end of the commands but, instead of "exit", you could try "break", which would cancel the current command before it executes. To get around that, though, they could probably just pad their batch file with some trailing BS commands.

So… maybe you could try using GPO to disable viewing and accessing the C drive. Then, just change the permissions on the Desktop and My Documents (and all subfolders) to read-only. That might help to mitigate the problem since, if they can't save the batch file, they can't run it.

I think going in there is a great choice. Probably the best to use on a Windows OS. But, i've seen many a strange thing when new people start messing with objects and containers…

nights_shadow wrote: But, i've seen many a strange thing when new people start messing with objects and containers…

Agreed… it's not recommended to try to apply experimental settings in a production environment. Rather, I would create the layered GPOs, create separate OUs to mimic the type of structure that your domain needs, and use test accounts in each OU on a test machine to ensure that the effects are what you are looking to attain.

Zephyr_Pure wrote: Agreed… it's not recommended to try to apply experimental settings in a production environment. Rather, I would create the layered GPOs, create separate OUs to mimic the type of structure that your domain needs, and use test accounts in each OU on a test machine to ensure that the effects are what you are looking to attain.

Couldn't of said it better myself. This is definately the way to go if you want to put the time into it (not insinuating that it takes a lot of time).