Can I edit gpedit.msc in a program made in C
I want to edit it to disable cmd and the control panel.
(I tried to edit it using the registry, but there was no entry.)
What should I do?
I am using the Win32 API.
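// Key, relative to the GPO's user hive, that holds the
// "Prevent access to the command prompt" policy values.
static const WCHAR kSystemPolicyKey[] =
    L"Software\\Policies\\Microsoft\\Windows\\System";

// Treats "value or key not present" as success, so that clearing a setting
// that was never configured is not reported as a failure.
static LSTATUS IgnoreMissing(LSTATUS status)
{
    return (status == ERROR_FILE_NOT_FOUND) ? ERROR_SUCCESS : status;
}

/**
 * Sets the local-machine GPO policy
 *   User Configuration > Policies > Administrative Templates > System >
 *   "Prevent access to the command prompt".
 *
 * @param iMode 0 = Not Configured, 1 = Enabled, 2 = Disabled.
 * @return S_OK when the GPO was edited and saved; E_INVALIDARG for any other
 *         iMode; otherwise the first failing HRESULT (registry errors are
 *         converted with HRESULT_FROM_WIN32).
 *
 * COM must already be initialised on the calling thread. Writing the local
 * GPO typically requires an elevated (administrator) process; without it the
 * calls below fail and that failure is now returned instead of being dropped.
 *
 * Security note: this policy is enforced by cmd.exe itself. It does not
 * restrict other shells or script hosts, so treat it as a user-interface
 * restriction and pair it with application control (e.g. AppLocker or WDAC)
 * where it is meant to act as a security control.
 *
 * NOTE(review): the parameter and return types are inferred from the call
 * ModifyUserPolicyForPreventAccessToCmdPrompt(1) and from `return hr` -
 * confirm against the declaration.
 */
HRESULT ModifyUserPolicyForPreventAccessToCmdPrompt(int iMode)
{
    // Reject unknown modes before touching the GPO at all.
    if (iMode < 0 || iMode > 2)
        return E_INVALIDARG;

    // IGroupPolicyObject gives access to the registry settings of the GPO.
    IGroupPolicyObject *p = NULL;
    HRESULT hr = CoCreateInstance(CLSID_GroupPolicyObject, NULL,
                                  CLSCTX_INPROC_SERVER, IID_IGroupPolicyObject,
                                  (LPVOID *)&p);
    if (FAILED(hr))
        return hr;

    // Open the local GPO and load its registry data (machine and user).
    hr = p->OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY);

    // Request the user registry hive of the GPO.
    HKEY hGPOSectionKey = NULL;
    if (SUCCEEDED(hr))
        hr = p->GetRegistryKey(GPO_SECTION_USER, &hGPOSectionKey);

    if (SUCCEEDED(hr))
    {
        LSTATUS rStatus = ERROR_SUCCESS;

        if (iMode == 0)
        {
            // Not Configured: remove only the values that belong to this
            // setting so other policies stored under the same key survive.
            // RegDeleteKeyValue takes the subkey and the value name
            // separately; RegDeleteValue would treat the whole path as a
            // value name and never match anything.
            rStatus = IgnoreMissing(RegDeleteKeyValue(
                hGPOSectionKey, kSystemPolicyKey, L"DisableCMD"));
            if (rStatus == ERROR_SUCCESS)
                rStatus = IgnoreMissing(RegDeleteKeyValue(
                    hGPOSectionKey, kSystemPolicyKey, L"**del.DisableCMD"));
        }
        else
        {
            // RegCreateKeyEx opens the key when it already exists; the
            // disposition reports which of the two happened.
            HKEY hSettingKey = NULL;
            DWORD dwDisposition = 0;
            rStatus = RegCreateKeyEx(hGPOSectionKey, kSystemPolicyKey, 0, NULL,
                                     REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL,
                                     &hSettingKey, &dwDisposition);

            if (rStatus == ERROR_SUCCESS && iMode == 1)
            {
                // Enabled: DisableCMD must exist and **del.DisableCMD must not.
                // NOTE(review): 1 is understood to block batch-script
                // processing as well, 2 to leave scripts allowed - confirm
                // against the policy's ADMX definition.
                DWORD lData = 1;
                rStatus = RegSetValueEx(hSettingKey, L"DisableCMD", 0,
                                        REG_DWORD, (const BYTE *)&lData,
                                        sizeof(lData));
                if (rStatus == ERROR_SUCCESS)
                    rStatus = IgnoreMissing(
                        RegDeleteValue(hSettingKey, L"**del.DisableCMD"));
            }
            else if (rStatus == ERROR_SUCCESS)
            {
                // Disabled: DisableCMD must be removed and **del.DisableCMD
                // added. If the key already existed, carry the previous
                // DisableCMD data over; otherwise use 0.
                DWORD dwData = 0;
                if (dwDisposition == REG_OPENED_EXISTING_KEY)
                {
                    DWORD cbData = sizeof(dwData);
                    // Only accept a REG_DWORD so a value of another type
                    // cannot be copied into the DWORD buffer.
                    if (RegGetValue(hGPOSectionKey, kSystemPolicyKey,
                                    L"DisableCMD", RRF_RT_REG_DWORD, NULL,
                                    &dwData, &cbData) != ERROR_SUCCESS)
                        dwData = 0;
                }
                // Always remove DisableCMD, whatever its type was, so the
                // policy cannot remain half-enabled.
                rStatus = IgnoreMissing(
                    RegDeleteValue(hSettingKey, L"DisableCMD"));
                if (rStatus == ERROR_SUCCESS)
                    rStatus = RegSetValueEx(hSettingKey, L"**del.DisableCMD", 0,
                                            REG_DWORD, (const BYTE *)&dwData,
                                            sizeof(dwData));
            }

            if (hSettingKey != NULL)
                RegCloseKey(hSettingKey);
        }

        RegCloseKey(hGPOSectionKey);
        hr = HRESULT_FROM_WIN32((unsigned long)rStatus);
    }

    if (SUCCEEDED(hr))
    {
        GUID RegistryId = REGISTRY_EXTENSION_GUID;
        GUID ThisAdminToolGuid =
            /* CLSID_PolicySnapinUser */
            {0x0F6B957E,
             0x509E,
             0x11D1,
             {0xA7, 0xCC, 0x00, 0x00, 0xF8, 0x75, 0x71, 0xE3}};

        // Write the GPO back only when every registry edit succeeded, so a
        // partially applied setting is never saved.
        hr = p->Save(FALSE, TRUE, &RegistryId, &ThisAdminToolGuid);
    }

    // Release() returns a reference count, not an HRESULT; keep hr intact.
    p->Release();
    return hr;
}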
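// Enables "Prevent access to the command prompt" in the local GPO.
// Exits with 0 on success and 1 when COM initialisation or the policy
// update fails, so a calling script can tell that the policy was not applied.
int main()
{
    HRESULT hr = CoInitialize(NULL);
    if (FAILED(hr))
        return 1;

    hr = ModifyUserPolicyForPreventAccessToCmdPrompt(1);

    // Balance the successful CoInitialize call above.
    CoUninitialize();
    return SUCCEEDED(hr) ? 0 : 1;
}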
Basically use the
Group Policy API
to modify specific values in the GPO.
Note: after the program has been compiled and run successfully, you need to log off (press Ctrl+Alt+Del and choose Log off) for the change to take effect.
For more details, please refer:
how to modify a registry based policy