I wrote this article because the information online about blocking programs from running in Windows, or locking down Windows applications for users, seemed correct but was outdated and lacked updates for Windows 10 Home PC users. The information in those articles was good, but in several cases the steps they gave ran into problems on Windows 10 Home Edition, so here is a simpler way to lock down Windows 10 so that it will only run the specific applications you want it to.
Caution: These instructions will severely restrict the Windows 10 user account so that it can only execute the programs you have whitelisted in these instructions. I suggest you always take a backup of your existing registry, which I will cover in the instructions, test this out on a secondary user account, and always have a backup administrator account that you can log into to undo these changes and restore this account if you need to. Note that only a Windows 10 account with administrative privileges can make the registry edits to implement and undo these changes, so make sure you take precautions.
Again, the precautionary steps before blocking applications in Windows 10 are:
Step 1: Make sure you have a Windows 10 Administrator account as a backup (not the one you are applying these changes to).
Step 2: Make sure you back up the registry and/or take a system restore point so you can roll back if you need to. If you do step 1 and take a registry backup, though, you should be covered.
Step 1 – Documenting What You Are Trying to Accomplish / Pre-requisites
Why would you want to lock down applications in Windows 10? One reason is that I want my kids, when they are at home, to be able to use their computers for school work without the distraction of video games, period. I could create separate user accounts, but Windows 10 Home Edition pretty much extends all applications/games installed for one user account to all created user accounts, even local user accounts, so that method didn’t work. I needed a way to block my kids from opening any and all files except the specific Windows applications I had whitelisted. You may have seen instructions on DisallowRun, which lets you block individual applications from being run while leaving open access to everything else. This isn’t what I wanted, because my kids and most people can rename .exe files to get around the specific filenames you would specify in the DisallowRun method. So I wanted something that denied and locked down all Windows 10 applications except for the specific ones I wanted.
My kids have a simple rule: from 3pm to 6pm their computers are locked to Learner mode only. I only had Windows 10 Home edition, so I didn’t have the benefit of using AD and GPOs to lock down the computers. This registry tip worked, but you want to make sure you answer the following questions and plan accordingly.
1. Do You Want to Lock Down Their Main Account or Create a Separate Limited Access Account?
In my case I didn’t want to touch their main accounts, but I did have to change the passwords to something only I knew so that they can’t just log out of the restricted accounts and into their own accounts. So I made separate study home accounts for them that they can log into during the after-school study block time. You can use the RestrictRun method to lock down their main account, but then you have to enter the registry changes against their main account and undo them when you want to open up their privileges again. It was easier to just lock down a secondary account, and they just log into that account during restricted time and log out of it afterwards.
Second, you have to actually make your restricted account and Administrator account. Originally I tried making a user account without administrative privileges, but the problem was when I tried modifying the registry I kept having to run as admin, and then the changes made were against the master account, not the sub account I want restricted. I am sure I could have done this by entering the registry entries in a different area than Current User, but it was a bit more effort to find the UID string of the user and hunt and track it down, so I just made the account I want to lock down an administrator account as well.
2. What Programs Do You Want to Restrict That Account to Running?
Think about all of the programs you want to allow that account to be able to run and try to build a good comprehensive list up front; you can add to it later. A good start for my example was chrome.exe, ie.exe, notepad.exe, calc.exe, PaintDotNet.exe and spotify.exe. They use Google Docs and Sheets but if they needed MS Office I would open MS Office files.
Step 2 – Backing Up Your Registry File
Just in case you make mistakes, you want to take a full backup of your registry. Open regedit by clicking on your Windows button and typing regedit.
With RegEdit open, make sure you have the very top level “Computer” selected so you back up the entire registry instead of a sub key.
Then select File > Export and choose the backup folder and location for where you will store your full backed up registry file. This should only ever be needed in case you really mess up and damage your registry.
Now you have your registry backup. As an added precaution you can also take a system snapshot, aka create a system restore point, in case you really need it. Just click on your Windows home button or press the Windows key and search for “create a restore point”.
If you have multiple drives you should only need to create a restore point for your C Drive.
Then click Create to have your restore point set.
Now, before we move on to creating the Restricted Apps part, I want to ensure you have already created the second account in Windows 10 that you want to lock down, or that you are going to apply it to a primary account and have an administrator account as a backup. To create an offline/local administrator account, search for user and add a user, then click on Add someone else to this PC, then click on I don’t have this person’s sign-in information, then click on Add a user without a Microsoft account.
Now you should have either your backup administrator account or the one you are going to lock down created. It is time to start the process to restrict which applications a Windows 10 user account can run.
Step 3 – Restricting Windows 10 Home User Account to Running Only Approved Applications
Alright, I am going to give you 2 ways to achieve this. The easy way is where I provide the files for you to download and just run. These files automatically implement the RestrictRun restriction and undo it if you want to roll it back, but you have to edit the one file called restrictrun.reg and add the specific programs and additional lines you want to allow this account to run. Remember, once you reboot after making the registry changes, this account will be restricted to only being able to run the programs you have defined in the registry; all other apps will be blocked. There are some caveats, and I will cover those later.
Editing My Files, download the RestrictedRun Registry Template Files Here
Feel free to use notepad, wordpad or notepad++ to edit the files and look at them; they are standard Registry template files. The one called restorerun.reg only deletes the registry entries created by restrictrun.reg, and the good thing is that no matter how many custom programs you add in restrictrun.reg, the restore file will remove them so that you undo your changes.
Once you are logged in as the account you want to restrict and you have downloaded and unzipped the registry template files above, you can now edit the restrictrun.reg. Make sure you right click and edit this file or open it with notepad. Do not accidentally execute and run this reg program at this time without editing it, or it will immediately restrict access to only chrome.exe, notepad.exe, ie.exe and calc.exe.
When you edit the file you will see the following lines:
The only lines you will be editing are the application lines that begin with numbers 1 through 4, or you will be adding additional lines and incrementing the numbers. For example, you can add:
if you wanted to also allow Spotify.exe to run in addition to the other 4 programs. Feel free to change the default 4 as you need to and add as many as you want; just remember to increment the number for each entry: copy a line, paste it below, increase the number by one and set the exe file.
Once you are done, save the file and then you can right click on the file and select “merge” which will add these registry keys and entries to your Windows 10 registry and implement the RestrictRun for the Windows 10 Home user account.
Now once you reboot your computer and log in with the account that you just restricted, anyone who tries to open an application that isn’t in the approved run list by double-clicking the file in Explorer will get this error.
If they are just using the Windows button and start menu to run applications they may not see an error message at all, instead the app just won’t open. This effectively blocked my kids from running Fortnite on Windows 10 and the Epic Launcher could not open after these changes.
Undoing the RestrictRun Changes or Adding More Applications to the Whitelist
To undo the changes, you have to open Regedit and then click File > Import and import the restorerun.reg file that I have created. This will remove all those restrictrun.reg entries and restore your registry to before that lockdown was put in place.
After you reboot, if you want to add more apps to the restricted list, you should still be able to edit that restrictrun.reg file, so you can easily add additional apps to that list and then re-import that registry file.
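The merge and undo steps above can also be done from PowerShell. The script below is an added example, not the article's restrictrun.reg or restorerun.reg. It assumes the standard RestrictRun policy location under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, an elevated session, a sample allow list, and a hypothetical account name passed as -UserName, which lets an administrator write to a signed-in account's hive so the restricted account does not have to be an administrator itself.

```powershell
# Added example: apply or undo a RestrictRun allow list for one account.
# Run from an elevated PowerShell session. Without -UserName the current
# user's hive (HKCU) is changed, as in the article.
param(
    [string[]]$Allow = @('chrome.exe', 'notepad.exe', 'calc.exe'),  # sample allow list
    [string]$UserName,   # hypothetical local account name, e.g. 'StudyKid'
    [switch]$Undo
)

# Pick the hive: HKCU, or HKEY_USERS\<SID> for another signed-in account.
$hive = 'HKCU:'
if ($UserName) {
    $sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $hive = "Registry::HKEY_USERS\$sid"
    if (-not (Test-Path $hive)) {
        throw "Hive for $UserName is not loaded; sign that account in first."
    }
}
$explorer = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$list     = "$explorer\RestrictRun"

if ($Undo) {
    # Remove the on/off value and the whole list, however many entries it holds.
    Remove-ItemProperty -Path $explorer -Name RestrictRun -ErrorAction SilentlyContinue
    Remove-Item -Path $list -Recurse -ErrorAction SilentlyContinue
    return
}

# Rebuild the list from scratch so entries dropped from $Allow do not linger.
if (Test-Path $list) { Remove-Item -Path $list -Recurse }
New-Item -Path $list -Force | Out-Null
$n = 0
foreach ($exe in $Allow) {
    # Values are named 1, 2, 3, ... and hold a bare file name, not a path;
    # the policy compares file names only.
    $n++
    New-ItemProperty -Path $list -Name "$n" -Value $exe -PropertyType String | Out-Null
}
# DWORD RestrictRun = 1 turns enforcement on for programs started from Explorer.
New-ItemProperty -Path $explorer -Name RestrictRun -Value 1 -PropertyType DWord -Force | Out-Null

# Show what is now in force.
Get-ItemProperty -Path $list
```

Saved under a hypothetical name such as Set-RestrictRun.ps1, it is applied with `.\Set-RestrictRun.ps1 -UserName StudyKid -Allow chrome.exe,notepad.exe` and reversed with the same command plus `-Undo`.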
Additional Information About Restricting Windows 10 Home Users to Specific Applications
So here are some caveats that I found and some things to note. One is that some Windows Store apps can bypass this lockdown: apps installed from the Windows Store, including Edge, don’t appear to have a specific exe file that is easily found. They don’t show up in task manager, and even with process monitor I had a hard time finding how to lock them down, so you will want to manually uninstall any Windows Store apps/games for this account. The second is that we restrict .exe files only; a clever user can potentially create .bat and other files to work around or undo the registry changes if they are savvy enough. This is why I say this is a good method for kids and most teenagers, but if you have a Windows Engineer whiz, they will find a workaround, especially if you leave the browser allowed, which means they will likely try to Google a way to undo or reverse the restrictions.
After making the restrictrun changes you may want to use your other administrator account to change the restricted account so that it is no longer an administrator. This way it can’t create other accounts or bypasses, which further helps minimize their ability to find a way around the restrictrun entries.
Some of you may be thinking that this is extreme and why can’t you trust or teach your kids but the truth is, with so many powerful distractions this is just a tool to help minimize the gaming distraction. As the web browser is open this won’t lock down any HTTP or web based app/game/communication type of stuff, and if they have a smartphone that isn’t locked down obviously they can do whatever on their smart phone. This is just so that when my kids are working on homework or are in home study time, they have specific locked down accounts that keep them more focused. If you have any additional suggestions, feedback or need more information feel free to share it.
Also, if you want to see how to manually create those registry entries because you just don’t want to use my templates, you can go to one of the original articles I found here on How To Geek. The problem, though, is that I found that Windows 10 Home edition didn’t let me rename the key to RestrictedRun and blocked me. Even though I didn’t have any virus program running, it was just easier to use template registry files than to create the keys, then the strings and values, manually in the registry.