We have an environment that is very locked down. We are considering putting the Run command back into the users Start bar for ease of IT use. Can anyone think of any possible exploit/security reason not to do this? Other than minimizing the potential of a user messing around with the Run commands.

asked 10/03/2011 11:51

CCB-Tech's gravatar image

CCB-Tech ♦♦

9 Answers:
You could keep the run command out and just navigate manually to the command window. Or always use the task manager and do file new task and work from there.


pdantro's gravatar image


The only exception I can think of is that the MRU will keep the last 26 entries. May want to clean that upon reboot if you do not want user's seeing where IT is going...

answered 2011-10-03 at 09:04:40

CanusRufus's gravatar image


As [pdantro] notes, there are alternatives.  That said, you should be able to set it up so IT users have the Run command while everyone else does not.

answered 2011-10-03 at 09:06:32

paulmacd's gravatar image


@ pdantro -

Oh I know, that's what we do now. After all, everyone's commands are run in the security context of the user. I was just asked if there is any good reason not to enable the run box. IE, we are sacrificing convenience and speed, but what are we gaining by leaving it off?

@ CanusRufus

That's a good point! Any idea how to do that via GPO?

@ paulmacd

That's exactly what I told my boss, but his question was what is gained by not enabling it.

answered 2011-10-03 at 09:08:54

CCB-Tech's gravatar image


I have yet to see a group policy article on this however I do not control that part of the environment that I am in. Our network does not clear this list although this has been brought up in meetings before.
You could perform a logon script type scenario and see if that helps.
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f

answered 2011-10-03 at 09:10:20

CanusRufus's gravatar image


The run staement for IT user's becomes an issue if you're in a networked environment that supports a remote management solution. ex: Windows remote assistance and/or VLC

answered 2011-10-03 at 09:20:23

CanusRufus's gravatar image


"...what is gained by not enabling it."
A little bit of security, but how much depends a lot on what sort of authority users have over their own systems.  If you otherwise trust your users, there's probably no harm.  Anyone who's going to do somethng sneaky from the command line is probably going to know how to do it some other way.

answered 2011-10-03 at 09:22:15

paulmacd's gravatar image


If you have limited user accounts, then you don't have to be afraid. because they have limited access to system commands.
However you can add some limitations and open Run for them.
For example our university used to leave Run open but applied below restrictions:

1) Set permissions for all drives on the systems except the last drive for the users to save their data. (write denied)
2) Disable Task manager via GPO
3) Disable Display properties via GPO
4) Disable Regedit/Regedt32/gpedit via GPO
5) Disable Creating shortcuts via right click menu (New>Shortcut)
6) Disable Navigation from Addressbar.
7) Setting a password more that 25 characters(!) for administrator (This makes bruthforce impossible)

However this is very bad and inconvenient, but you can take some of them only!

answered 2011-10-03 at 09:28:54

kpax77's gravatar image


Thanks! We enabled it as our environment is very locked down. So no real gain by blocking it.

answered 2011-10-03 at 10:05:02

CCB-Tech's gravatar image


Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments



Asked: 10/03/2011 11:51

Seen: 253 times

Last updated: 10/17/2011 05:31