Windows Security Guide ยท Updated 2026

How to Block a Program from Running in
Windows 10 & Windows 11

A complete guide to preventing selected desktop apps, games, scripts, and installers from launching on a Windows PC.

๐Ÿ“– 9 min read ๐Ÿ–ฅ Windows 10 & 11 ๐Ÿ”’ App blocking โš™๏ธ Home / Pro / Enterprise
Overview

How to Prevent a Program from Opening in Windows

Windows lets you block a program in several different ways. You can prevent a specific .exe file from starting, restrict applications for a child account, deny execution from a folder, or only block the program's network access while still allowing it to open.

The correct method depends on what you want to achieve. For example, blocking a game for one standard user is different from enforcing application control on a business PC. It is also different from blocking a program from connecting to the internet.

๐Ÿšซ

Block launch completely

Use Software Restriction Policies, AppLocker, Registry restrictions, or NTFS permissions to stop the executable from opening.

๐Ÿ‘ค

Restrict a user account

Use Microsoft Family Safety or user-specific policies when the restriction should apply only to one person.

๐ŸŒ

Block network access only

Use Windows Defender Firewall when the program may run locally but must not access the internet or local network.

โ„น๏ธ
Important Difference A firewall rule does not stop a program from launching. It only blocks network traffic. To stop the app from opening, use Software Restriction Policies, AppLocker, Registry restrictions, or permissions.
Comparison

Best Ways to Block a Program in Windows 10 and Windows 11

Use this comparison table to choose the safest and most suitable method before changing Windows security settings.

Method Best For Windows Edition Strength
Software Restriction Policies Blocking desktop programs by path or hash Mostly Pro, Enterprise, Education interface Strong
AppLocker Advanced allow/deny rules for executables, installers, scripts, DLLs, and packaged apps Windows 10 and 11; best suited for managed or professional environments Strong
Microsoft Family Safety Child accounts, app limits, games, screen time Windows 10/11 with Microsoft accounts Account-based
DisallowRun Registry Policy Simple user-level blocking by executable file name Windows 10/11, including Home Basic
NTFS Permissions Denying access to one file or folder for standard users Windows 10/11 Useful but risky
Firewall Rule Blocking internet access for an app Windows 10/11 Does not block launch
โœ…
Recommended Choice For a normal desktop program, start with Software Restriction Policies on Windows Pro, Enterprise, or Education. Use Family Safety for child accounts and Firewall only when you want to block internet access.
Preparation

Before You Block an Application in Windows

Blocking the wrong executable may break a driver utility, backup tool, antivirus component, VPN client, updater, or business application. Before you create a restriction, identify the exact file path and make sure you can reverse the change.

Find the Program's EXE File Location

  1. Right-click the program shortcut on the desktop, Start menu, or taskbar.
  2. Select Open file location. If this opens another shortcut, right-click it again and choose Open file location one more time.
  3. Copy the full path to the executable, for example C:\Program Files\ExampleApp\ExampleApp.exe.
  4. Write down the file name, such as ExampleApp.exe, because some blocking methods use only the executable name.
๐Ÿ“
C:\Program Files\ExampleApp\ExampleApp.exe

Create a Restore Point or Backup First

If you plan to edit the Registry, change security permissions, or create broad policy rules, create a restore point first.

SystemPropertiesProtection.exe
Method 1

Block a Program from Running with Software Restriction Policies

Software Restriction Policies are one of the most practical built-in ways to block a specific executable in Windows. You can create a rule that marks a program as Disallowed, so Windows refuses to run it.

Windows 10 Pro Windows 11 Pro Enterprise / Education Home: no built-in policy editor UI

Open Local Security Policy

  1. Press Win + R.
  2. Type secpol.msc and press Enter.
  3. Go to Security Settings โ†’ Software Restriction Policies.
  4. If the folder is empty, right-click Software Restriction Policies and choose New Software Restriction Policies.
secpol.msc โ†’ Security Settings โ†’ Software Restriction Policies โ†’ Additional Rules

Create a Path Rule to Block an EXE

  1. Open Additional Rules.
  2. Right-click an empty area and select New Path Rule.
  3. In Path, enter the full executable path, for example C:\Program Files\ExampleApp\ExampleApp.exe.
  4. Set Security level to Disallowed.
  5. Click Apply and OK.
  6. Restart the computer or run gpupdate /force.
gpupdate /force
๐Ÿ’ก
Tip A path rule is easy to understand, but it depends on the file staying in the same location. If the user can rename, move, or reinstall the program somewhere else, consider a hash rule or AppLocker.

Create a Hash Rule for a Specific File

A hash rule blocks the exact file even if it is renamed or moved. It is useful for a single executable, but the rule may stop working after the program is updated because the file hash changes.

  1. Open Software Restriction Policies โ†’ Additional Rules.
  2. Right-click and select New Hash Rule.
  3. Click Browse and select the executable file.
  4. Set the security level to Disallowed.
  5. Apply the rule and test it from the affected user account.
Method 2

Use AppLocker to Block Executables, Scripts, Installers, and Microsoft Store Apps

AppLocker is a more advanced Windows application control feature. It can create allow or deny rules for executable files, scripts, Windows Installer packages, DLL files, and packaged apps. It is best for business PCs, shared computers, labs, kiosks, and managed devices.

โš ๏ธ
Use Carefully AppLocker can lock users out of important apps if rules are too broad. Create default rules first, test in audit mode when possible, and avoid applying deny rules to administrators unless you are sure.

Enable the Application Identity Service

AppLocker depends on the Application Identity service. Without it, rules may not be enforced correctly.

  1. Press Win + R, type services.msc, and press Enter.
  2. Find Application Identity.
  3. Set Startup type to Automatic.
  4. Click Start, then click OK.

Create an AppLocker Deny Rule

  1. Press Win + R, type gpedit.msc, and press Enter.
  2. Open Computer Configuration โ†’ Windows Settings โ†’ Security Settings โ†’ Application Control Policies โ†’ AppLocker.
  3. Right-click Executable Rules and choose Create Default Rules. This prevents accidentally blocking normal Windows and Program Files applications.
  4. Right-click Executable Rules again and choose Create New Rule.
  5. Select Deny and choose the user or group affected by the restriction.
  6. Select rule type: Publisher, Path, or File hash.
  7. Choose the program you want to block, finish the wizard, and apply the policy.
  8. Run gpupdate /force or restart Windows.
Rule Type When to Use It What to Watch Out For
Publisher Signed applications where you want to block a vendor, product, or version range Works only when the file has a usable digital signature
Path Programs installed in a known folder path A moved or copied executable may bypass the rule
File hash Unsigned tools or one exact executable file Updates change the hash and require a new rule
Method 3

Block or Limit Apps with Microsoft Family Safety

If the goal is to prevent a child account from using a game or app, use Microsoft Family Safety. It is designed for app limits, screen time, activity reports, web filters, and family-managed devices.

Set App and Game Limits

  1. Open family.microsoft.com in a browser or use the Microsoft Family Safety app.
  2. Sign in with the organizer Microsoft account.
  3. Select the family member.
  4. Open Apps and games or App and game limits.
  5. Turn on limits for the app or game you want to restrict.
  6. Set the allowed time to a very small value or define a schedule when the app is not allowed.

Good For

  • Child accounts and family devices.
  • Games and apps that should be limited by schedule.
  • Parents who prefer a cloud dashboard instead of local policy editing.

Limitations

  • Not intended as a strict enterprise application control system.
  • Requires Microsoft accounts and correct family group setup.
  • Does not replace SRP, AppLocker, or firewall rules for technical enforcement.
Method 4

Block Programs with the DisallowRun Registry Policy

The DisallowRun policy can block programs by executable file name for the current user. This is a simple option on Windows editions where the Local Group Policy Editor is not available, but it is not as strong as AppLocker or Software Restriction Policies.

โš ๏ธ
Registry Warning Editing the Registry incorrectly can cause problems. Create a restore point first and export the key before changing it.

Enable DisallowRun for the Current User

  1. Press Win + R, type regedit, and press Enter.
  2. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
  3. Create a DWORD (32-bit) Value named DisallowRun.
  4. Set DisallowRun to 1.
  5. Create a subkey named DisallowRun under the Explorer key.
  6. Inside that subkey, create string values named 1, 2, 3, and so on.
  7. For each string value, enter the executable file name to block, such as notepad.exe or game.exe.
  8. Sign out and sign back in, or restart Windows.

Example REG File

This example blocks notepad.exe and game.exe for the current user.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="notepad.exe"
"2"="game.exe"

How to Remove the Registry Block

To unblock the programs, delete the executable names from the DisallowRun subkey or set the DisallowRun DWORD value to 0.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000000
Method 5

Use NTFS Permissions to Stop a Program from Opening

You can also prevent a standard user from launching a program by removing or denying access to the executable file. This method works at the file system level, but it must be used carefully because permission mistakes can break updates or make the application hard to repair.

Deny Execute Permission for a Standard User

  1. Find the program's .exe file.
  2. Right-click it and select Properties.
  3. Open the Security tab.
  4. Click Edit.
  5. Select the standard user or group you want to restrict.
  6. Use Deny carefully for Read & execute, or remove that user's permission if the interface allows it safely.
  7. Click Apply and test with the affected account.
โ›”
Avoid Broad Deny Rules Do not deny permissions to Everyone, Users, or Administrators unless you fully understand the consequences. A broad deny rule can override allowed permissions and make recovery harder.

When NTFS Permissions Make Sense

Method 6

Block a Program's Internet Access with Windows Defender Firewall

If you only need to stop a program from going online, create an outbound firewall rule. The program will still open, but Windows Defender Firewall will block its network connections.

Create an Outbound Firewall Rule

  1. Press Win + R, type wf.msc, and press Enter.
  2. Select Outbound Rules.
  3. Click New Rule.
  4. Select Program and click Next.
  5. Choose This program path and browse to the executable.
  6. Select Block the connection.
  7. Apply the rule to Domain, Private, and Public profiles if you want it blocked everywhere.
  8. Name the rule clearly, for example Block ExampleApp outbound access.
wf.msc โ†’ Outbound Rules โ†’ New Rule โ†’ Program

PowerShell Example

You can also create the outbound block rule from an elevated PowerShell window.

New-NetFirewallRule -DisplayName "Block ExampleApp" `
  -Direction Outbound `
  -Program "C:\Program Files\ExampleApp\ExampleApp.exe" `
  -Action Block

To remove the rule later, use:

Remove-NetFirewallRule -DisplayName "Block ExampleApp"
Verification

How to Test, Troubleshoot, and Unblock a Program

After creating a restriction, test it from the same account that should be affected. Do not test only from an administrator account, because many rules are user-specific or group-specific.

How to Test the Block

  1. Restart Windows or sign out and sign in again.
  2. Open the affected user account.
  3. Try to start the program from the desktop, Start menu, File Explorer, and Run dialog.
  4. If you created a firewall rule, open the program and check whether online features fail to connect.
  5. Check Event Viewer if AppLocker or policy rules do not behave as expected.

Why the Program Still Opens

Problem Likely Cause Fix
The app opens from another folder Only one path was blocked Use a hash rule, publisher rule, or block all known install paths
The app opens after an update The executable changed Update the hash rule or use a publisher/path rule instead
The rule works for one user but not another The rule is user-specific Check the user or group selected in the rule
Firewall rule does not stop launch Firewall blocks traffic, not execution Use SRP, AppLocker, Registry restrictions, or permissions

How to Unblock the Program

FAQ

Frequently Asked Questions About Blocking Programs in Windows

Q Can I block a program without uninstalling it? โ–ผ
Yes. You can keep the program installed and block it from running with Software Restriction Policies, AppLocker, Registry restrictions, NTFS permissions, or account-based controls.
Q What is the easiest way to block a program in Windows Home? โ–ผ
For Windows Home, the simplest built-in options are Microsoft Family Safety for child accounts, the DisallowRun Registry policy for basic user-level blocking, or NTFS permissions for a specific standard user. Windows Home does not include the normal Local Group Policy Editor interface.
Q Does Windows Firewall block a program from opening? โ–ผ
No. Windows Firewall can block inbound or outbound network traffic, but it does not prevent the executable from starting. Use application control policies or permissions if you need to stop the program from launching.
Q Can a user bypass a path-based block? โ–ผ
Sometimes, yes. If the user can copy, rename, reinstall, or run another copy of the executable from a different location, a simple path rule may not be enough. Use a hash rule, publisher rule, AppLocker, or tighter permissions when stronger enforcement is required.
Q Should I block programs by deleting their EXE files? โ–ผ
Usually no. Deleting executable files can break uninstallers, updates, repair tools, and file associations. It is better to use policy rules, permissions, Family Safety, or a firewall rule depending on your goal.

Final Thoughts

The best way to block a program from running in Windows depends on the goal. For a specific desktop application, Software Restriction Policies are usually the most practical built-in method. For managed environments, AppLocker offers stronger and more flexible application control. For children, use Microsoft Family Safety. For internet access only, use Windows Defender Firewall.

Before applying any restriction, confirm the exact .exe path, avoid blocking Windows system files, and keep an administrator account available so you can reverse the rule if something goes wrong.