Restricting non-administrative users from running the console is an efficient way to establish or reinforce a controlled environment. If you have administrator access and want to disable the Command Prompt, this guide will walk you through the process and provide additional insights on enforcing security policies.
Command Prompt is a powerful tool used for executing various administrative and troubleshooting tasks through text-based commands.
Methods to disable the Command Prompt
There are two ways to restrict end-users from opening the Command Prompt console. These programs are:
✔️ Using Local Group Policy Editor
✔️ Using the Registry Editor
The Windows Registry is available on all Windows devices, but editing its values can damage the system if executed poorly. We advise creating a backup and restore point for the Windows Registry before proceeding.
On the other hand, while the Local Group Policy (GPO) is less risky, it’s only available for Windows Pro, Enterprise, and Education editions. With that in mind, check out the steps below to get started.
Option 1: Using Local Group Policy Editor (recommended)
- Press Win + R, type “gpedit.msc” in the dialog box, and tap OK.
- In the Local Group Policy Editor, navigate to User Configuration → Administrative Templates → System.
- Find the Prevent access to the command prompt policy, double-click it, and set it to Enabled.
🥷 Tip: (Optional) After enabling the policy, you’ll also find the Disable the command prompt script processing policy. Enforcing this policy will prevent users from running batch files to bypass the Command Prompt restriction.
Option 2: Using the Registry Editor (For advanced users)
- Press Win + R, type “regedit” in the dialog box, and tap OK to open the Registry Editor.
- Navigate to or paste this directory in the Registry’s address bar:
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
- If the System key isn’t under Windows, right-click on Windows, select New → Key, and name it System. Otherwise, click System to proceed.
- In System, select New → DWORD (32-bit) Value, and name it DisableCMD.
- Double-click DisableCMD and set the value to:
- 1 → Disables the Command Prompt and .bat and .cmd scripts
- 2 → Disables the Command Prompt
Alternative or complementary security measures to consider
Disabling the Command Prompt is a good base for reinforcing control access for non-administrative users, but that alone may not be enough to limit unauthorized scripts being run in other consoles (e.g., PowerShell).
Here are some additional security layers to consider.
Restricting PowerShell access using Local Group Policy
You should consider blocking unauthorized access to PowerShell since the console can run many command-line and more powerful utilities similar to those in the Command Prompt. Additionally, some users may use it to bypass restrictions applied to the Command Prompt.
On that note, here are the steps to disable PowerShell from the Local Group Policy:
- Press Win + R, type “gpedit.msc” in the dialog box, and tap OK.
- Go to User Configuration → Administrative Templates → System.
- Find the Don’t run specified Windows applications policy and double-click on it.
- Then, navigate to Options, click Show, and type powershell.exe under the Value selection.
- Click OK, then Apply to confirm the changes.
You can also consider adding powershell_ise.exe (PowerShell ISE interface) and pwsh.exe (PowerShell 7) in the Value column to prevent users from bypassing the restrictions.
Using AppLocker to block unauthorized script execution
Windows’ built-in AppLocker also has its own effective parameters for preventing unauthorized scripts and batch files. However, just keep in mind that AppLocker alone will not prevent some scripts from running in PowerShell Constrained Language mode.
As such, it’s advisable to block PowerShell and the Command Prompt altogether if the user’s machine doesn’t need the functionalities.
Enabling User Account Control (UAC) to limit command execution permissions
Configuring UAC to restrict a standard user account is another excellent way to champion a secure environment.
Essentially, users who don’t have elevated privileges will be prompted whenever they try to access a restricted program. The administrators will be notified, or the user will have to ask for clearance before they can proceed.
Troubleshooting common issues when enabling or disabling the Command Prompt
While disabling the console is not a complicated process on its own, some minor challenges and considerations are prone to being overlooked. Here are some basic troubleshooting to fall back on if you encounter an error.
Error: Cannot open Group Policy Editor (gpedit.msc not found)
Local Group Policy Editor is only available on the following editions of Windows:
- Pro
- Education
- Enterprise
If your device is running on Windows Home, you may use the Registry Editor instead.
Error: Command Prompt is still accessible via PowerShell
Some users may bypass the Command Prompt restriction by prefixing commands in PowerShell. Additionally, many commands and utilities in the Command Prompt can be run or have an equivalent that can be executed in PowerShell. Because of that, IT administrators tend to restrict PowerShell and the Command Prompt when limiting user access.
Error: Need to re-enable the Command Prompt
You can re-enable the Command Prompt by setting the Prevent access to the command prompt policy to Not configured or disabled. If you previously used the Windows Registry to set the restrictions, you can delete the System key if it doesn’t contain any other value.
You may also revert the DisableCMD DWORD value to 0 to fully re-enable the Command Prompt.
Enabling or disabling the Command Prompt FAQs
Does disabling cmd.exe affect system performance?
Disabling the Command Prompt will not affect system performance. It will only limit non-administrative users’ ability to run commands in the console.
Can administrators still access the Command Prompt?
No. Administrators will also be locked out from accessing the Command Prompt on this device. Only the system will be able to run the necessary scripts using this console.
Will disabling cmd.exe affect batch files and scripts?
There are plenty of closely related queries like “How do I disable CMD .bat?” or “How do I disable command prompt script processing?” to this topic, but to clarify, disabling the Command Prompt will not block batch files unless you enforce this policy simultaneously.
Look for the Disable the command prompt script processing policy to manage this option.
Does disabling the Command Prompt also block PowerShell?
No, PowerShell must be disabled separately. Look for the additional tips under Additional security measures to see how you can block users from accessing PowerShell.
Final thoughts on disabling the Command Prompt in Windows 10
Electing to disable command prompt script processing is a good baseline for establishing a secure IT environment. However, this policy alone may not be enough to discourage rogue users from working around the restrictions. As a result, you may consider disabling PowerShell to fill in the gaps.
Once you’re set on having the Command Prompt console disabled, you can use the Registry Editor or the GPO to enforce the new policy. In most cases, we recommend the latter if you have a device on Windows Pro, Enterprise, and Education editions. Otherwise, Home users may edit the Windows Registry with safety precautions well in place.
(Image credit: Mauro Huculak)
Although, on Windows 11 (and 10), the Command Prompt console is a useful tool to quickly execute commands to change system settings, run non-graphical applications, troubleshoot problems, and automate tasks, sometimes, it might be necessary to disable the console to prevent users from running unwanted commands, accessing certain programs, or when you have to comply with your organization security policies.
If you must restrict access to the Command Prompt, Windows 10 (and 11) includes at least two ways to disable the console, using the Group Policy Editor or Registry Editor. (The user will still be able to launch the Windows Terminal, but the Command Prompt shell won’t work.)
In this how-to guide, I will explain two ways to disable the Command Prompt console for all users.
Warning: This is a friendly reminder that editing the Registry is risky, and if you do not complete the task correctly, it can cause irreversible damage to your installation. It is recommended that you make a full backup of the device before proceeding.
How to disable Command Prompt with Group Policy
On Windows 10 (or 11) Pro, Enterprise, and Education, the easiest way to block users from using Command Prompt is with the Local Group Policy Editor.
To disable the Command Prompt shell on Windows, use these steps:
- Open Start.
- Search for gpedit.msc and select the top result to open the Local Group Policy Editor.
- Browse the following path: User Configuration > Administrative Templates > System
- On the right side, double-click the Prevent access to the command prompt policy.
- Select the Enabled option.
- (Optional) Under the «Options» section, use the drop-down menu to select whether you want to allow or deny running batch files (.bat and .cmd) on your computer when Command Prompt is disabled.
- Quick note: If the computer has batch files running at logon, logoff, startup, and shutdown, or use remote desktop services, it is not recommended to disable this feature.
- Click the Apply button.
- Click the OK button.
Once you complete the steps, users can still open the console, but they will receive a «The command prompt has been disabled by your administrator» message with an option to press any key to terminate the session. Also, Command Prompt will no longer process compatible scripts, depending on your configuration.
All the latest news, reviews, and guides for Windows and Xbox diehards.
If you no longer need to restrict access to Command Prompt, you can undo the changes using the same instructions outlined above, but on step 5, make sure to select the «Not configured» option.
How to disable Command Prompt from Registry
If you do not want to use the Local Group Policy Editor or your computer has the Home edition of Windows, you can still disable Command Prompt with the Registry.
To disable Command Prompt with the Windows 11 (and 10) Registry, use these steps:
- Open Start.
- Search for regedit and click the top result to open the Registry Editor.
- Browse the following path: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
- Quick tip: In the Operating System, you can now copy and paste the path in the Registry’s address bar to quickly jump to the key destination.
- Right-click the Windows (folder) key, select the New submenu, and choose the Key option.
- Name the key System and press Enter.
- Right-click the System (folder) key, select the New submenu, and choose the DWORD (32-bit) Value option.
- Name the key DisableCMD and press Enter.
- Double-click the newly created DWORD and set the value from 0 to 2 to disable Command Prompt while allowing batch files to run on the device.
- (Optional) Double-click the newly created DWORD and set the value from 0 to 1 to disable Command Prompt while preventing batch files from running on Windows 11 (and 10).
- Click the OK button.
- Restart your computer.
After you complete the steps, the Command Prompt will be disabled for all users. Also, depending on your configuration, users will no longer be able to run batch files scripts.
In the case you want to undo the changes, use the same instructions outlined above, but on step 4, right-click and delete the System key. However, if the «System» key has additional settings, it is recommended to either set the DisableCMD DWORD value from 1 or 2 to 0 or right-click and delete the DWORD instead of deleting the «System» key.
This guide focuses on disabling Command Prompt for all users, but these instructions can also be used to restrict access to the console for specific users.
More resources
For more helpful articles, coverage, and answers to common questions about Windows 10 and Windows 11, visit the following resources:
- Windows 11 on Windows Central — All you need to know
- Windows 10 on Windows Central — All you need to know
Mauro Huculak has been a Windows How-To Expert contributor for WindowsCentral.com for nearly a decade and has over 15 years of experience writing comprehensive guides. He also has an IT background and has achieved different professional certifications from Microsoft, Cisco, VMware, and CompTIA. He has been recognized as a Microsoft MVP for many years.
The Windows 10 Command Prompt aka CMD is an incredibly useful tool from which you can perform pretty much any task on your system. However, this power also makes it dangerous when it’s in the wrong hands. As a result, in certain environments, you may want to disable Command Prompt entirely.
Microsoft, thankfully, is aware that if this conundrum and has provided at least two ways to block Command Prompt in Windows 10. You can simply deactivate Command Prompt via GPO (the Group Policy Editor) or make a quick registry tweak.
Today we’re going to show you how to stop Command Prompt from working using both methods. However, it’s worth pointing out that we only really recommend using the Registry if you don’t have access to the Group Policy tool. The Group Policy editor is just simpler and safer.
How to Disable Command Prompt via Group Policy (gpedit)
Gpedit is a favorite tool of admins when comes to blocking applications, and Command Prompt is no exception. A few clicks is all it takes to turn off CMD in Windows 10.
- Open the Group Policy Editor
Press “Start” and then type “gpedit.msc”. Click the top result.
- Open the ‘System’ folder and double-click ‘Prevent access to the command prompt’
You’ll find the System folder under
User Configuration > Administrative Templates.
- Enable and save the group policy
In the “Prevent access to the command prompt” policy, tick “Enabled”.
You then have a choice: you can choose whether or not you want to disable the command script processing also. Turning this on will stop users from running batch files.
Make your choice, then click “OK” and “Apply”.
If you’re wondering how to unblock Command Prompt in the future, simply switch the policy from “Enabled” to “Disabled” or “Not Configured”.
- Open Command Prompt
You should always check to ensure your policy is working correctly. Press Start, type “Command Prompt”, and click the top result.
If you successfully deactivated the command line, you’ll get the following message:
The command prompt has been disabled by your administrator. Press any key to continue...
How to deactivate CMD via Registry Editor (regedit)
If you don’t have the Group Policy Editor because you’re on Windows 10 Home, you can still disable Command Prompt using your registry. Just make sure you have a quick read of our safe registry editing guide first.
- Open Registry Editor (regedit)
Press Start and then type “Registry Editor” or “regedit”. Click the top result.
- Create a new registry Key in the Windows Policies folder
Browse to
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows, right-click in the main pane, and select “New > Key”. Name the key “System”.
- Create a New DWORD inside your System key
Navigate to your new System key and right-click in the main pane. Choose “New > DWORD (32-bit) Value”. Name the DWORD “DisableCMD”.
- Change the Value data to your preference and click ‘OK’
A value data of 1 to deactivate CMD and batch files, and a value data of 2 to disable CMD while still allowing the execution of batch files. Choose whichever makes the most sense to you and press “OK”.
Make sure you test Command Prompt to ensure it has been fully disabled. If it has, you should get the message “The command prompt has been disabled by your administrator. Press any key to continue…”.
Now you know how to disable Command Prompt in Windows 10, you may want to further lock down your system. You can follow our guide to disable PowerShell, or restrict the user to a single app by activating kiosk mode.
Last Updated on February 14, 2022 7:46 pm CET
The Command Prompt or cmd.exe is a useful utility built in Windows. Users can use Command Prompt to perform many actions in Windows. Some of the actions may be sensitive and have effects on Windows. Because of this (or for some other reason), you may want to prevent users from using the Command Prompt in your Windows. Now in this post, we will show you how to disable the Command Prompt in Windows 10 by using Group Policy or Registry.
- Method 1: using Group Policy Editor
- Method 2: using Registry Editor
Method 1: Disable the Command Prompt using Group Policy Editor
Step 1: Open the Local Group Policy Editor in Windows 10.
Step 2: In the Group Policy Editor that opens, do the following steps. First, in the left side pane, expand User Configuration > Administrative Templates and then select System. So in the right side pane, you will see a policy setting named ”Prevent access to the command prompt”. This policy is not configured by default, which means the Command Prompt is enabled and accessible by default. Double-click this policy to enable it if you want to disable the command prompt.
Step 3: Select Enabled, and then click Apply followed by OK.
Changes take effect immediately, and the Command Prompt is disabled. From now on, you can open the Command Prompt window, but you can’t perform any task in the window. When you open the Command Prompt window, it will display a message in the window: The command prompt has been disabled by your administrator. Press any key to continue, as shown in the screenshot below.
Whenever you need to enable the Command Prompt just set this policy to Not Configured.
Method 2: Disable the Command Prompt using Registry Editor
If your Windows 10 does not include Local Group Policy Editor, you can use Registry Editor to disable the Command Prompt. Here are steps.
Step 1: Open the Registry Editor in Windows 10.
Step 2: In the left side pane of the Registry Editor, navigate to the key: KEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System.
If the System key does not exist under the Windows key, you need to create it. Right click on the Windows key and select New > Key to create a new key, and then name it as System.
Step 3: Within the System key, you can see a DWORD value named DisableCMD. If the DisableCMD value does not exist, you need to create it. Right click on the System key, and select New > DWORD (32-bit) Value to create a new DWORD value; name the new value as DisableCMD. The value data of the DisableCMD is 0 by default, which means the Command Prompt is enabled and accessible by default. If you want to disable the Command Prompt, double-click the DisableCMD value and set its value data to 2.
Finally, close the Registry Editor. That’s it. Now the Command Prompt has been disabled. Whenever you need to enable it, just set the DisableCMD value data to 0 or delete this value.
Download Windows Speedup Tool to fix errors and make PC run faster
To prevent access to the Command Prompt in Windows 11/10, you can make use of Group Policy settings or edit the Windows Registry, so as to disable the Command Prompt. When you do this, it will prevent users from running the interactive command prompt or CMD.exe. Let us see how we can do it in Windows 11/10/8/7.
Does CMD work on Windows 11?
Yes, CMD works on Windows 11. CMD is a command line interpreter in Windows 11 which is used to execute certain commands. By executing commands in the Command Prompt, you can perform different actions on your Windows 11 computer, like fixing corrupted system files, fixing disk errors, managing disk partitions, etc.
You can disable Command Prompt in Windows 11/10 using the Local Group Policy Editor or the Registry Editor. Both of these methods require you to log in as an administrator. If you have Windows 11/10 Home edition, you can use only Registry Editor because the Local Group Policy Editor is not available in Windows 11/10 Home.
Let us see how to do it.
Using GPO
Open Run box, type gpedit.msc and hit Enter to open the Local Group Policy Editor. Navigate to the following path:
User Configuration/Administrative Templates/System
In the right-side pane, you will see Prevent access to the command prompt. Double-click on it to set the policy. Select Enabled and click Apply/OK.
This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally.
Here, you can also Disable the command prompt script processing also, if you wish.
If your version of Windows does not have Group Policy, you can do the following.
Using Registry
Run regedit to open the Registry Editor. navigate to the following registry key:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
If the Windows or System key is not present, you may be required to create them.
In the right pane, double click DisableCMD and set its value to 0.
If DisableCMD is not present on your system, you may be required to create a new DWORD value, name it DisableCMD and then give it a value 0.
Now if any user were to try to open CMD, they would see a message:
The command prompt has been disabled by your administrator.
Hope this helps!
Enable CMD in Windows 11/10
If for some reason, you need to do the reverse, ie. enable the command prompt, simply disable the Prevent access to the command prompt policy setting. In the registry, you may delete the DisableCMD DWORD or set its value to 1.
Our FixWin also lets you enable the command prompt if it has been disabled, in a click.
How do I enable elevated command prompt in Windows 11?
An elevated command prompt lets you execute the commands that require administrative privileges. To open an elevated command prompt, click on Windows Search and type cmd. Now, right-click on the Command prompt and select Run as administrator. Click Yes in the UAC prompt.
See this post if you want to prevent access to Registry Editor.
Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP (2006-16) & a Windows Insider MVP (2016-2022). Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.