Skip navigation
Menu
Compute Engines

JSI Tip 0496 - How can I prevent users from running Explorer.exe?

Even if you Locked down that desktop and are using RestrictRun, educated users can still gain access to Explorer by inserting an object (Explorer.exe) from a Microsoft Office application.

To prevent this, remove the Read (R) permission (retain the Execute (X) permission) from the Everyone Group. If the file can not be read, they can't insert an object, yet the Execute permission still allows Explorer to function as the shell.

In Explorer, highlight %SystemRoot%\Explorer.exe, right-click, and select Properties / Security / Permissions. Double-click the Everyone Group and clear the Read(R) attribute in the Special Access dialog box. You can also use XCACLS from the


xcacls.exe explorer.exe /t /e /p everyone:x
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
empty cockpit of autonomous car
What Is a Real-Time Operating System, and Who Needs One?
Mar 05, 2024
ERP button on keyboard
5 ERP Trends to Watch in 2024
Jan 17, 2024
automation key on keyboard
Storage Management as a Case Study for Network Automation Adoption
Dec 21, 2023
Abstract technology concept lighting effect on dark blue background
Top 10 Stories About Compute Engines, Linux in 2023
Dec 18, 2023