How to put a ban on the installation of programs. Unchecky - Prevent installation of unwanted programs

If a desktop computer or laptop is, out of necessity, used not by one but by several users, it is quite natural that each of them may install the programs he needs for daily work or entertainment. This can lead to unpredictable consequences, including possible disruption of the operating system's functionality.

Prohibiting one or more users from installing programs in Windows XP and later systems can be quite simple at a general level. However, the most logical solution, which is to exclude users from the administrators group or raise the UAC level, has no effect in Windows 7 and later versions of the system, since the installer can still simply be started on behalf of the administrator. Despite this, several options for setting the ban can still be applied.

Is a ban on installing software needed?

To begin with, let's briefly look at why an administrator would need to introduce such prohibitions.

The problem here is not even that the user can install completely unnecessary software, but rather that the installation of some applications very often brings with it a large amount of so-called partner software (which many users overlook through inattention). In addition, some viruses (for example, adware) are very successfully disguised as such applets.

In general, installing unnecessary software clutters the hard drive and reduces computer performance when the installed programs write their own settings into system startup and the system registry. Without special knowledge and skills, completely removing installed applications is extremely difficult, and it is best not to count on Windows' own tools.

How to prevent the installation of programs on Windows 7 in group policy settings?

Since we are talking about Windows 7, we will start from its main settings and parameters, but the solutions presented can be applied in the same way in later versions of the OS. So, how do you prevent the installation of programs on Windows 7 for all users at a general level, including installation initiated by the applications themselves, for example during an update? You can do this through group policies. The editor is opened with the gpedit.msc command, entered in the "Run" menu (the checkbox for starting the task with administrator rights must be checked).

In the editor, go through the administrative templates and Windows components sections, and then select the installer prohibition item from the list. After that, double-click to edit the parameter, set it to enabled and apply the changes.

Snap-in actions

In Windows 7, prohibitions on any actions performed by a potential user of the system can also be set through the so-called snap-ins of the management console (mmc).

Here, first select the addition of a new snap-in through the File menu, then select group policies in the list of available tools and use the add button to move it to the list in the window on the right. In the new window that opens, click the browse button to open another window, go to the "Users" tab and mark the user to whom the ban should apply.

Once the snap-in is added via the File menu, it must be saved using the standard method, assigning the registered admin name as the name. After that, you need to repeat the steps described above, but in this case the installation of programs in Windows 7 will be prohibited only for the selected user.

Note: if necessary, you can create several snap-ins or set bans for all registered users.

How to prevent a user from installing programs on Windows 7 using parental control settings?

To set bans, you can use another method, which, according to most experts, is the simplest and does not require special knowledge of the system toolkit. How do you prevent the installation of programs on Windows 7 and later systems using this tool? To do this, in the "Control Panel" use the account management section and choose the item for setting up parental controls.

Further, the user for whom the ban will be set is simply marked, and the corresponding parameter for restricting the launch of programs is activated. The system will automatically create a list of applications that can be blocked, but if the program is not found, you can specify the path to it yourself through the browse button.

But, judging by the advice of experts, you need to clearly understand that the disadvantage of this technique is that you can only limit the start of installed applications, and not those that the user is going to install, although you can add Windows installers to the list if you wish.

Setting a ban in the registry

Speaking about how to prohibit the installation of programs on Windows 7 by restricting the launch of the applications themselves or of the system installer, you can apply a no less effective method, which consists in changing the key responsible for this in the registry (regedit).

The section is named DisallowRun and is located along the path shown in the image above. To set a ban, you just need to create a new parameter and specify the path to the executable EXE file, and then reboot the computer.

Note: a parameter is created separately for each application; if necessary, you can set additional key values (2, 3, 4), but the prohibition itself will apply to all users who do not have administrator privileges in the system.

Brief summary

Summing up all of the above, many have apparently already understood that restricting the launch of installed applications is the easiest, but far from the best, solution. If for some reason you want to set a ban on the installation of programs, it is best to use group policies or a management console snap-in, which is confirmed by most computer security experts.

But actions with these editors should in any case be carried out only when logged into an administrator account or with the appropriate rights to change the system configuration. As a third-party tool you can use the AppLocker utility, but the actions with it almost exactly repeat the management of policies and snap-ins (only the parameters are imported, not set manually), so it was not considered.

Hello, friends! I decided to open the section with this article, since the topic touched upon in it is now very relevant. It will be about Mail.ru and other companies that are playing a dishonest game against their users. And, of course, about AppLocker itself, as a means of dealing with the installation and launch of unwanted programs.

Unflattering reviews and opinions about the Mail.ru group of companies and their aggressive and dishonest marketing have long been circulating, not only in relation to competitors but, first of all, in relation to the users themselves. And the fact published on the tenth of March of this year finally convinced me to write this article.

Blame it on the damned Guard and Downloader from Mail.ru (and the Amigo browser). The thing is that these allegedly "useful" (according to the developers) programs behave in no other way than malicious objects. I'll tell you briefly. For example, you decide to install the Mail.ru Agent for yourself. You download it, install it, and then the most interesting thing happens: in addition to the agent itself, a bunch of other stray things are installed on your favorite computer: satellite, toolbar, guard, amigo, etc. According to the representatives of Mail.ru, if you uncheck these programs when installing the main program, they will not be installed. But in reality this is not always the case. Evidence of this is a great many angry remarks and reviews about it.

But the main "trump card" of Mail.ru is GuardMailRu (supposedly the Defender). In fairness, it is worth noting that it does, of course, protect against unauthorized changes to the browser start page, for example, or against unauthorized changes of the search engine. But that's the whole point. It sets the start page practically without the user's knowledge (guess which one?), and now it protects it from being changed. The same goes for the default search. And it not only protects, but also deletes all previously installed modules from Yandex, Rambler, etc.

It would seem, to hell with it, a useful function (on the one hand). But the fact is that when the Guard is removed, it magically returns again. And your start page is Mail.ru forever =)

Anyone familiar with information security has probably already seen the malicious nature of all these actions, characteristic of viruses and trojans. For example:

  • installation without the knowledge of the user;
  • change user settings without the knowledge of the owner;
  • removal of third-party applications;
  • inability to remove it by standard means of the operating system.

But even that's not all! The most delicious is ahead.

As it turned out, Mail.ru has another "application": Downloader. And this is, in my opinion, a real fraud on the part of this company. Look: for example, an Internet user is browsing various resources on the network, looking for the information he needs, and then, bam, a notification pops up that Mozilla, Chrome, Internet Explorer, etc. needs to be updated, and it all looks quite official. BUT! The download comes not from the official site but from Mail.ru partner sites, and, of course, it is not an update that is downloaded, but "Internet Browser" (well, they came up with a name =)) (now it's the Amigo Browser), all from the same Mail.ru! Naturally, with its own toolbar and other unnecessary "nastiness", such as [email protected].

There are already many different pictures and memes to that effect on the web. Like this one:

You ask, why don't antiviruses block it or complain? And here's why (and this is even more shocking). It turns out that all these pseudo-updates are signed with a legitimate Mail.Ru digital signature! Therefore antiviruses, seeing this signature, quite naturally trust the downloaded and running application.

Now tell me, isn't this a scam? Not cheating users? Not misleading?

"We were not the first to start this" (c)

This is how a Mail.ru employee, who is directly related to the development of the downloader, answered on an authoritative Internet portal to numerous claims and real facts based on the analysis of the code and behavior of this "Downloader", which allow us to boldly declare: Downloader from Mail.ru is nothing but a Trojan!

Companies need to monetize their projects somehow. So they decided to go the way of "affiliate programs": offering various resources a way to earn money through this very "loader".

These are the pies, my friends. You can read more about all this on various resources on the network, such as Habr. Well, let's move on to practice.

But first, in fairness, it should be noted that such aggressive marketing was not invented at Mail.ru. Yandex, for example, also has its own "Defender". Various services like AOL, Ask.com, ICQ, etc. also bundle their toolbars or programs with third-party software and have been doing it for a long time. But what Mail.ru has gone to, openly deceiving users with false updates of third-party programs, is, of course, nonsense.

So let's fight it with AppLocker!

Most users who actively use the Internet are well aware of what UAC (User Account Control), administrator rights, etc. are, and they also know and understand that when installing any software you can’t blindly click on the “next” button, but you need to carefully look at everything, uncheck unnecessary checkboxes, etc. But, after all, we all have friends, relatives, parents, clients, finally, who do not even know about such things.

And in order to protect them from such misfortunes, we will use the local security policy. I must say right away that this only works on Windows 7 operating systems (Maximum and Corporate). As for Windows 8, I can't say anything, I haven't tested it.

This technique is unlikely to suit those who regularly install software and games on their computers, because it severely restricts the user's actions. In many cases, it is much more comfortable to use, which does its job perfectly and does not cause any inconvenience.

First, we will need to create an XML file (if you don't want to bother with creating it, you can download it). To do this, copy this code here. Code temporarily removed due to display issues. Download the finished xml file.

Then we open the standard Notepad (but it's better to use Notepad++) and paste the copied code into it. Next, click: File - Save As ...

You must save the file in UTF-8 encoding, otherwise an error will occur when importing the rules. The encoding (in Notepad) is changed in the drop-down menu next to the "Save" button.

We enter an arbitrary name (for example, blockmailru.xml) and save it to any place convenient for us, for example, to the desktop. That's it, the file is ready.

Now you need to start the service and set it to automatic startup, otherwise AppLocker will not work. In order to start this service, open: Control Panel - Administrative Tools - Services:

Double-click on "Application Identity", and the properties window for this service will open. Now you need to start this service and enable the automatic startup type for it. Click to run:

Don't forget to click "OK" =)

If you already have the service running, be sure to enable the automatic startup type for it, as shown in the figure above. By default, the startup type of this service is set to Manual.

That's all for the services today. Now you need to import the list you created earlier (which we named blockmailru.xml) into AppLocker. To do this, open again: Control Panel - Administrative Tools - Local Security Policy. Look for: Application Control Policies - AppLocker:

Right-click on "AppLocker" and select "Import policy...". After that, in the window that opens, you need to point to the created blockmailru.xml file and open it. The system will issue a policy change request and notify you that all previous policy rules will be replaced. We agree. That's all. The main part of the work has been done. In the "Executable rules" you will see the following picture:

The same picture will be in the "Windows Installer Rules" section.

As you can see in the screenshot, there is an item in the rules: Allow - All - D:\Portable Soft\*. This rule says the following: any user is allowed to run any program from the Portable Soft folder located in the root of drive D. This rule is needed to run portable programs (i.e. those that run without installation) or, for example, to allow the installation of those programs whose installers you place in this folder.

You also need to create such a rule. This is done very simply. Create a folder wherever it is convenient for you (even on the desktop). Name it something (like "Portable") and put all the portable programs and installers you trust in it. Next, open again (if closed): Control Panel - Administrative Tools - Local Security Policy - Application Control Policies - AppLocker. Right-click on "Executable Rules" and select "Create a new rule...". Everything is simple there: click "next", then "next" again, then tick "Path", again "next" and "Browse folders". A window will open in which you will need to specify that same folder, then again "next", "next", and at the final stage "create". The rule has been created. In fact, everything is simple. In addition, when creating or editing such rules, you can specify exceptions, allow or block paths (folders), publishers, etc.

The same must be done for programs that are installed not in Program Files but, for example, in C:\Users\username\AppData\Local\Apps\. In general, if after the settings you have made some program does not start for you, add its location to the rules, similar to how we added permissions for the "Portable" folder.
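The service start and policy import described above can also be done from an elevated PowerShell session. The following is an added example, not the author's blockmailru.xml or any code from the original post: the policy contents, publisher name, rule GUIDs and file name are constructed placeholders, and the rule collection is set to audit-only so the rules can be checked before anything is blocked.

```powershell
# Added example. Run elevated on an edition that includes AppLocker.
Import-Module AppLocker

# Constructed policy: the publisher name and rule GUIDs are placeholders.
# AuditOnly logs what would be blocked without blocking it.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111"
        Name="Deny EXAMPLE PUBLISHER" Description="Constructed sample"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=CITY, C=XX"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222"
        Name="Allow Program Files" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333"
        Name="Allow Windows folder" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="44444444-4444-4444-4444-444444444444"
        Name="Allow local administrators" Description=""
        UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Save as UTF-8 (the encoding the post requires for import) and make sure
# the file is well-formed XML before going further.
$policyFile = Join-Path $env:TEMP 'applocker-sample.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8
[void][xml](Get-Content -Path $policyFile)

# Dry run: how would the rules treat these files for an ordinary user?
$samples = @("$env:SystemRoot\System32\notepad.exe",
             "$env:SystemRoot\System32\msiexec.exe")
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Application Identity service: automatic startup, then start it.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Import into the local policy. Without -Merge this replaces existing rules.
Set-AppLockerPolicy -XmlPolicy $policyFile

# Later: list what audit-only rules would have blocked (event 8003)
# and what enforced rules did block (event 8004).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { 8003, 8004 -contains $_.Id } |
    Select-Object TimeCreated, Id, Message
```

Once the audit log shows only the expected entries, change EnforcementMode to "Enabled" in the file and import it again.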

Let's now finally understand what we have achieved with all these manipulations and what is now forbidden to us and what is allowed:

  • the launch and installation of any programs from such publishers as CNET, AOL, SweetIM, Uniblue, ASK, Mail, Messenger Plus, Hamster, Mediaget and Reg Organizer are blocked. All of these publishers have been caught in dishonest practices (concealed installation and so on). The list can be supplemented and edited independently;
  • the launch of all programs that are located in Program Files, Windows and in the folder (directory) that we added ourselves is allowed;
  • the local administrator (i.e. the administrator account) is allowed to run any programs;
  • the execution of digitally signed Windows Installer files (.msi files) is allowed;
  • the execution of digitally signed Windows Installer files located in the Installer directory (in the Windows folder) is allowed;
  • the local administrator (i.e. the administrator account) is allowed to run any Windows Installer files.

Thus, no Guards, "defenders", dubious browsers from Mail.ru or Yandex, satellites, Yandex bars and other unnecessary trash will appear on your computer or on the computers of your relatives and friends any more. Programs from the specified publishers will no longer infiltrate a computer that is subject to these rules; they will simply be blocked.

When installing any software always keep an eye on the checkboxes, look carefully so as not to install third-party software.

And remember one of the main rules - download software ONLY from official sites.

If you have any questions regarding this instruction, feel free to ask them in the comments or through.

See you soon!

The developers of Windows operating systems created an option that limits what users can do on the computer. These restrictions are set independently by any user who has access to an administrator account on the computer.

Instruction

  1. Administrator rights are required to set any ban on a computer. To manage bans, you need to open the special "Local Security Settings" section; to do this, use the key combination Win + R, enter secpol.msc and press the Enter key.
  2. Open the "Software Restriction Policies" section

    and in the Object Type command group, select the Designated File Types command. The window will load a list of file formats that are treated as executable code.

  3. To prohibit the use of programs, you must exclude the corresponding types from this list. For example, to disable the use of Excel, select the appropriate item in the list and execute the "Delete" command; also delete the program shortcut type, which has the LNK format. Save the changes by clicking the OK button.

  4. Go to the "Enforcement" section and, in the "Apply software restriction policies" drop-down list, select "All users except local administrators".

    Go to the "Security Levels" directory and select the "Unrestricted" section, select the "Default" value and save the settings with the OK button.

  5. Open the "Security Levels" category and select the "Unrestricted" option. Select the Default option and click OK.
  6. After completing all the described steps, all users except administrators will be able to use only allowed applications. All programs are installed in the Program Files or SystemRoot directory. If you yourself installed programs in other folders, they must be added to the allowed list.
  7. Open the "Additional Rules" window and click in an empty place in the "Name" section. Click the "New Path Rule" option and specify the path to the directory with the programs.
  8. To prevent other users from adding additional software to the specified folders, you need to set an additional constraint. Open the context menu of the desired folder and click "Sharing and Security"; on the "Security" page, set the permissions for the desired users.
  9. Click "Advanced" and open the "Permissions" tab. Specify the users and click "Edit"; in the window that loads, mark the allowed actions for these users.


Free software can be very useful and functional, and some programs even claim to replace expensive paid analogues. At the same time, some developers, in order to recoup their costs, "sew" various additional software into their distributions. It can be quite harmless, but it can also be harmful. Each of us has been in the situation where, along with the program, some unnecessary browsers, toolbars and other evil spirits were installed. Today we'll talk about how to prohibit their installation into your system once and for all.

In most cases, when installing free software, the creators warn us that something else will be installed and offer a choice, that is, to uncheck the boxes next to the items with the words "Install". But this is not always the case, and some careless developers "forget" to insert such an offer. These are the ones we will fight.

We will perform all the actions for the ban with the help of a snap-in that is present only in the Pro and Enterprise ( and ) and Ultimate (Maximum) editions of the operating systems. Unfortunately, in Starter and Home this console is not available.

Policy import

In "Local Security Policy" there is a section called AppLocker, in which you can create various rules for the behavior of programs. We need to get to it.


At this stage, we need a file that contains the executable rules. Below is a link where you can find a text document with the code. It needs to be saved in XML format, without fail in the editor. For the lazy, a finished file and a description for it are also there.

This document sets out rules to prevent the installation of software from publishers that have been seen to "slip" their products to users. It also contains exceptions, that is, those actions that can be performed by allowed applications. A little later we will figure out how to add our own rules (publishers).


Now access to your computer is closed for any programs from these publishers.

Adding Publishers

The list of the above publishers can be supplemented manually using one of the functions of AppLocker. To do this, you need to get the executable file or the installer of the program that the developer "sewed" into the distribution. Sometimes you can do this only once you are in the situation where the application is already installed. In other cases, we simply look for it through a search engine. Consider the process with an example.

  1. Right-click on the "Executable Rules" section and choose the item "Create New Rule".

  2. In the next window, click the "Next" button.

  3. Put the switch in the "Deny" position and click "Next" again.

  4. Here we leave the value "Publisher". Click "Next".

  5. Next, we need a reference file, which is generated when reading data from the installer. Click "Browse".

  6. We find the desired file and press "Open".

  7. By moving the slider up, we make sure that information remains only in the "Publisher" field. This completes the setup; press the "Create" button.

  8. A new rule has been added to the list.

Using this technique, you can prevent the installation of any applications from any publisher and, by using the slider, of a specific product and even a specific version of it.
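The wizard steps above can also be scripted with the AppLocker cmdlets. This added example (not from the original article) builds a publisher rule from a signed installer, widens it to the whole publisher as the slider does, and merges it into the local policy; the installer path and output file name are hypothetical.

```powershell
# Added example. Run elevated; $installer is a hypothetical path to a
# signed installer of the unwanted program.
Import-Module AppLocker
$installer = 'C:\Samples\bundled-setup.exe'

# Read the signature data that the wizard shows after "Browse".
$info = Get-AppLockerFileInformation -Path $installer
if (-not $info.Publisher) {
    throw "No publisher data in $installer; a publisher rule needs a signed file."
}

# New-AppLockerPolicy only generates Allow rules, so the XML is edited below.
[xml]$doc = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml

foreach ($rule in $doc.SelectNodes('//FilePublisherRule')) {
    $cond = $rule.SelectSingleNode('Conditions/FilePublisherCondition')

    # Same effect as moving the slider up to "Publisher": any product,
    # any file name and any version from this signer.
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName', '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    if ($range) {
        $range.SetAttribute('LowSection', '*')
        $range.SetAttribute('HighSection', '*')
    }

    $rule.SetAttribute('Action', 'Deny')
    $rule.SetAttribute('Name', 'Deny publisher: ' + $cond.GetAttribute('PublisherName'))
}

$ruleFile = Join-Path $env:TEMP 'deny-publisher.xml'
$doc.Save($ruleFile)

# Check the decision for the installer before touching the live policy.
Test-AppLockerPolicy -XmlPolicy $ruleFile -Path $installer -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# -Merge adds the rule to the existing local rules instead of replacing them.
Set-AppLockerPolicy -XmlPolicy $ruleFile -Merge
```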

Deleting rules

Removing executable rules from the list is done as follows: right-click on one of them (unnecessary) and select the item "Delete".

AppLocker also has a function for completely clearing the policy. To do this, right-click on the section and select "Clear Policy". In the dialog box that appears, click "Yes".

Export Policy

This feature helps to migrate policies in the form of an XML file to another computer. All executable rules and parameters are saved in the process.


Using this document, the rules can be imported into AppLocker on any computer that has the "Local Security Policy" console installed.

Conclusion

The information obtained from this article will help you permanently eliminate the need to remove various unnecessary programs and additions. Now you can safely use free software. Another use is to prevent other non-administrator users from installing programs on your computer.

Very often (usually this happens when installing illegal software), other advertising products in the form of unnecessary applications, toolbars, etc. In some cases, respectable developers warn us about this and give us the opportunity not to install them by unchecking them, such as when installing .

(As you can see in the screenshot above, in addition to the main application, we are also invited to install McAfee Internet Security and True Key by Intel Security)

But most often, extra utilities on the disk appear secretly or due to the inattention of the user himself. One way or another, in order to prevent such “intervention” in the future, today I will talk about how to prevent their subsequent penetration on a PC.

Unchecky - A program to remove unnecessary programs from a computer

If such utilities have already appeared, then there is only one way to get rid of them, namely, to uninstall them. This can be done both with internal Windows utilities and with third-party ones, such as CCleaner or Revo Uninstaller, etc. And another recommendation, to make sure, so to speak: at the end of the procedure, I strongly advise you to also "go through" the system with AdwCleaner to find and clean up other or remaining unwanted software.

Well, now let's move on to the main issue of our topic.

Perhaps that's all. In turn, I want to ask, what methods do you use? Please write your answers in the comments below the post. Thank you!
