SOLVED: GPO To Block Software by File Name, Path, Hash or Certificate

If you want to block programs from running on your corporate network, you can easily create a Group Policy Object (GPO) to make that happen. However, there are two GPOs you can use and only one of them works well.


Method 1 – GPO to Block Software By File Name

This is the old way of blocking software and it has serious limitations, as we explain below:

  1. Launch REGEDIT
  2. Expand USER CONFIGURATION > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM
  3. Double click on DON’T RUN SPECIFIED WINDOWS APPLICATIONS
  4. Click ENABLE
  5. Click the SHOW button
  6. Type in the file name you want to block

The problems with this method are:

  • this method only works per user and not per machine
  • you can only use file names, not paths, hashes or certificates. Think about what that means for UPDATE.EXE, of which you likely have 20 copies for 20 different programs on your computer… not good
  • This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.

Method 2 – GPO to Block Software By Path, Hash or Certificate

Microsoft introduced Software Restriction Policies in Windows Server 2008 and has enhanced them since then. Today you can block programs from running by:

  • Path – which can just be a file name!
  • Hash
  • Zone
  • Certificate

Even better, the policy exists under both COMPUTER CONFIGURATION and USER CONFIGURATION, so you can lock down either the user or the computer. In the example below we show how to stop the computer from running SLACK.EXE.

  1. Open Group Policy Management Editor
  2. Expand POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS
  3. Right click on SOFTWARE RULES and select CREATE SOFTWARE PROTECTION POLICIES

There are three security levels:

  1. DISALLOWED: Software will not run, regardless of the access rights of the user
  2. BASIC USER: Allows programs to run only as standard user.  Removes the ability to RUN AS ADMINISTRATOR
  3. UNRESTRICTED: No changes made by this policy – Software access rights are determined by the file access rights of the user

Block Software by Path or File Name


  1. Launch REGEDIT
  2. Expand USER CONFIGURATION (or COMPUTER CONFIGURATION) > POLICIES > WINDOWS SETTINGS > SOFTWARE RESTRICTIONS
  3. Right click on SOFTWARE RESTRICTIONS and select CREATE SOFTWARE RESTRICTION POLICIES
  4. Right click on ADDITIONAL POLICIES and select NEW PATH RULE
  5. Type the name of the file, or the full path to the file, you want to block
    1. Note that environment variables like %windir%, %ProgramFiles(x86)% and %userprofile% do work here, as you can see in the example shown above
  6. Make sure the SECURITY LEVEL drop down is set to DISALLOWED
  7. Click OK

At this point you have to get that policy from the Domain Controller to your PC, so you can run GPUPDATE /FORCE from a CMD line or you can reboot. Either way, I have seen this policy take 15 minutes to take hold even after I had verified via GPRESULT -R that the policy was on the PC in question, so be patient if it does not take effect immediately.

Also note that many pieces of software launch in more than one way. In the example shown in the screen shot above you can see that we also blocked %userprofile%\AppData\Local\slack\Update.exe. This is because Slack autostarts from the HKCU > RUN registry entry via UPDATE.EXE (click the screen shot to the right to expand it). We don’t want to block the name UPDATE.EXE because so many pieces of software ship with an updater named UPDATE.EXE, so we used a full path here.

Block Software by Hash

To block software by its hash, follow the same process but choose NEW HASH RULE, click the BROWSE button and find the file in question; Windows will compute the hash for you.

The problem with this method is that every time the software you are blocking is updated, no matter how small the change, the file will have a new hash. That means the block-by-hash rule is best applied to old software versions you want to kill.
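Once the policy has replicated, a quick way to confirm which Software Restriction Policy rules actually reached the PC, and whether a given file (path or hash) is covered, is to read them back from the registry. This is an added example written for this article, not something from the original post; it assumes the SRP rules are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers for a computer policy (use HKCU for a user policy), and its path-rule matching is a simplified approximation of how SRP evaluates paths.

```powershell
# Added example: list the SRP rules present on this PC and test a file against them.
# Assumption: machine-level SRP lives under the CodeIdentifiers key below (HKCU for user policy).
param([string]$FileToCheck = "$env:LOCALAPPDATA\slack\Update.exe")

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { Write-Warning "No SRP policy on this PC yet; run GPUPDATE /FORCE and retry"; return }

# Subkey names are the security levels: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

$rules = foreach ($lvl in Get-ChildItem $base) {
    $levelName = $levels[$lvl.PSChildName]
    if (-not $levelName) { continue }
    foreach ($kind in 'Paths', 'Hashes') {
        $sub = "$($lvl.PSPath)\$kind"
        if (-not (Test-Path $sub)) { continue }
        foreach ($r in Get-ChildItem $sub) {
            $p = Get-ItemProperty $r.PSPath
            if ($kind -eq 'Paths') {
                # ItemData holds the path or bare file name, possibly with %variables%
                [pscustomobject]@{ Level = $levelName; Type = 'Path'
                    Value = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData); Description = $p.Description }
            } else {
                # ItemData is the raw digest bytes; HashAlg 32771 = MD5, 32780 = SHA256 (assumed values)
                $alg = if ($p.HashAlg -eq 32780) { 'SHA256' } else { 'MD5' }
                $hex = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                [pscustomobject]@{ Level = $levelName; Type = "Hash($alg)"; Value = $hex; Description = $p.Description }
            }
        }
    }
}
"SRP rules currently applied:"
$rules | Format-Table -AutoSize

if (Test-Path $FileToCheck) {
    # A hash rule matches the file content regardless of where it was copied or what it was renamed to
    $md5 = (Get-FileHash $FileToCheck -Algorithm MD5).Hash.ToLower()
    $sha = (Get-FileHash $FileToCheck -Algorithm SHA256).Hash.ToLower()
    $leaf = Split-Path $FileToCheck -Leaf
    $hits = $rules | Where-Object {
        ($_.Type -eq 'Path' -and ($FileToCheck -like $_.Value -or $leaf -eq $_.Value -or $FileToCheck -like "$($_.Value)\*")) -or
        ($_.Type -like 'Hash*' -and $_.Value -in @($md5, $sha))
    }
    if ($hits) { "$FileToCheck is covered by:"; $hits | Format-Table -AutoSize }
    else { "$FileToCheck matches no SRP rule; if a rule was expected, the GPO has not arrived yet" }
}
```

If the file shows up under a Disallowed hash rule here but still runs, the file on disk is not the same build the hash was taken from, which is exactly the update problem described above.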

Block Software by Certificate

To block software by its certificate, follow the same process but choose NEW CERTIFICATE RULE, click the BROWSE button and select the .CER certificate file in question. If you don’t know how to pull the certificate from the file, click HERE for instructions.

If you use certificate blocking, you will also see an alert telling you that this may significantly affect performance. See the screen shot to the right. We have never used certificate blocking so we cannot say how serious the performance hit is, but if Microsoft is warning us it is likely a big deal.


After I had written this, one of our readers said he found the following video to be very useful, so we added it for you:

Comments

  • Hi, I am able to block the fsquirt.exe file as per the above guidelines, but once I copied the file somewhere else and renamed it, the file opens. Please note I have added the hash of the file. Please guide what I have missed?

    • I don't know. If you are using the hash, it should be blocked no matter what it is named.

      Does anyone else have a thought on this?

  • It's a nice guide except, if I were you, I'd change the very first part where it says "open REGEDIT" so that it says "open GPEDIT.msc"

Published by
Ian Matthews
Tags: GPO
