You
can if you wish to restrict users from installing or running programs in Windows
8, Windows 7 , Windows Vista, Windows XP , Windows 2000 & Windows
Server family. You can do so by using certain Group Policy settings to control
the behavior of the Windows Installer, prevent certain programs from running or
restrict via the Registry Editor.
The
Windows Installer, msiexec.exe, previously known as Microsoft
Installer, is an engine for the installation, maintenance, and removal of
software on modern Microsoft Windows systems.
1. Disable or restrict the use of Windows Installer via Group Policy
Type
gpedit.msc in start search and hit Enter to
open the Group Policy Editor. Navigate to Computer Configurations > Administrative templates >
Windows Components > Windows Installer
In
RHS pane double-click on Disable
windows installer. Configure the option as required.
This
setting can prevent users from installing software on their systems or permit
users to install only those programs offered by a system administrator. If you
enable this setting, you can use the options in the Disable Windows Installer
box to establish an installation setting.
The
“Never” option indicates Windows Installer is fully enabled. Users can install
and upgrade software. This is the default behavior for Windows Installer on
Windows 2000 Professional, Windows XP Professional and Windows Vista when the
policy is not configured.
The
“For non-managed apps only” option permits users to install only those programs
that a system administrator assigns (offers on the desktop) or publishes (adds
them to Add or Remove Programs). This is the default behavior of Windows
Installer on Windows Server 2003 family when the policy is not configured.
The “Always” option indicates that Windows Installer is disabled.
This
setting affects Windows Installer only. It does not prevent users from using
other methods to install and upgrade programs.
2. Always install with elevated privileges
In
the Group Policy Editor, navigate to
User Configuration >
Administrative Templates > Windows Components
Scroll
down and click Windows Installer and configure it to Always install with elevated privileges.
This
setting directs Windows Installer to use system permissions when it installs
any program on the system.
This
setting extends elevated privileges to all programs. These privileges are
usually reserved for programs that have been assigned to the user (offered on
the desktop), assigned to the computer (installed automatically), or made
available in Add or Remove Programs in Control Panel. This setting lets users
install programs that require access to directories that the user might not
have permission to view or change, including directories on highly restricted
computers.
If
you disable this setting or do not configure it, the system applies the current
user’s permissions when it installs programs that a system administrator does
not distribute or offer.
This
setting appears both in the Computer Configuration and User Configuration
folders. To make this setting effective, you must enable the setting in both
folders.
Skilled
users can take advantage of the permissions this setting grants to change their
privileges and gain permanent access to restricted files and folders. Note that
the User Configuration version of this setting is not guaranteed to be secure.
3. Don’t run specified Windows applications
In
the Group Policy Editor, navigate to
User Configuration >
Administrative Templates > System
Here
in RHS pane, double click Don’t run
specified Windows applications
and in the new window which opens select Enabled. Now Under Options click Show.
In the new windows which opens enter the path of the application you wish to
disallow; in this case : msiexec.exe.
This
will disallow Windows Installer which is located in c:\Windows\System32\ folder from running.
This
setting prevents Windows from running the programs you specify in this setting.
If you enable this setting, users cannot run programs that you add to the list
of disallowed applications.
This
setting only prevents users from running programs that are started by the
Windows Explorer process. It does not prevent users from running programs, such
as Task Manager, that are started by the system process or by other processes.
Also, if you permit users to gain access to the command prompt, cmd.exe, this
setting does not prevent them from starting programs in the command window that
they are not permitted to start by using Windows Explorer. Note: To create a
list of disallowed applications, click Show. In the Show Contents dialog box,
in the Value column, type the application executable name (e.g., msiexec.exe).
4. Restrict Programs from being installed via Registry Editor
Open
Registry Editor and navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer\DisallowRun
Create String value with any name, like 1 and set its
value to the program’s EXE file.
e.g.,
If you want to restrict msiexec, then create a String value 1 and set its value to msiexec.exe. If you want to restrict
more programs, then simply create more String values with names 2, 3 and so on
and set their values to the program’s exe.
You
may have to restart your computer.
-
The SWC’s workstation for Parit Raja 4, Yong Peng 3 and Simpang Renggam 2 has
been disabled its windows installer. LogMeIn connection to Simpang Renggam 2
WTP is very slow but it was still possible to make the following settings.
a. Disable windows installer - Enabled > Always
b. Don’t run specified Windows applications - c:\windows\system32\msiexec.exe
