Tech Tip: Prevent users from running Cmd.exe/Troubleshoot routers with pathping

Windows 2000 Professional: Prevent users from running Cmd.exe

The command console, Cmd.exe, provides a command-line interface for running console applications and built-in commands. Unfortunately, Cmd.exe is also available to users, who can use it to launch Windows applications and accomplish tasks you might not want them performing.

You can prevent users from running Cmd.exe--and thus prevent them from starting and using a command console--with a simple registry change. Open the Registry Editor and set the value of the following key to 1 to disallow Cmd.exe but allow batch files, or to a value of 2 to disallow both Cmd.exe and batch files:


If this key doesn't exist on a given Windows 2000 computer, create the Windows\System key, create a DWORD value named DisableCMD in that key, and set its value as needed.

If a user attempts to open a console session with an account for which the value has been set, the console session opens and displays the message "The Command Prompt Has Been Disabled By Your Administrator." The console closes when the user presses a key.

Another approach for restricting user access to Cmd.exe is to set NTFS permissions on the Cmd.exe file itself. This method allows you to restrict access on a user or group basis and can be easier to accomplish than setting registry values for multiple users. If you choose the registry route, export the key to a registry file, then apply that file through the users' logon script or other means.

Note: Editing the registry is risky. Before making any registry edits, be sure to back up the registry so you can restore it if something goes wrong.

Windows 2000 Server: Troubleshoot routers with pathping

If you've administered TCP/IP networks for very long, you're certainly familiar with the venerable ping command, which tests connectivity between two hosts. Ping is often the first tool to which administrators turn when they need to troubleshoot IP connections. Another is tracert, which tests connectivity along a path and can help determine the point of communication failure.

Windows 2000 adds a tool that combines the functions of ping and tracert. This tool, called pathping, sends packets to each router between two hosts and displays a summary report of the return packets it receives.

Pathping can be very useful in locating a router that's dropping packets or experiencing other problems. Perform a pathping to a host and analyze the contents of the Lost and Sent columns; a high loss rate for a given router is a good indicator that something is wrong with that router.
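The Lost and Sent analysis described above can be automated over saved pathping output. The following is an added example, not part of the original tip: the sample report is constructed in the layout pathping prints, the addresses are documentation-range placeholders, and the 5% threshold and function names are assumptions.

```python
import re

# Constructed sample in the layout pathping prints after computing statistics.
# Addresses are documentation-range placeholders, not taken from the tip.
SAMPLE = """\
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           192.0.2.10
                                0/ 100 =  0%   |
  1   41ms     0/ 100 =  0%     0/ 100 =  0%  192.0.2.1
                               13/ 100 = 13%   |
  2   22ms    16/ 100 = 16%     3/ 100 =  3%  198.51.100.1
                                0/ 100 =  0%   |
  3   24ms    13/ 100 = 13%     0/ 100 =  0%  203.0.113.7
"""

LOSS = r"(\d+)/\s*(\d+)\s*=\s*\d+%"          # one "Lost/Sent = Pct" column
HOP = re.compile(r"^\s*(\d+)\s+(?:\d+ms|---)\s+" + LOSS + r"\s+" + LOSS + r"\s+(\S+)")
LINK = re.compile(r"^\s+" + LOSS + r"\s+\|")  # loss on the link to the next hop

def pct(lost, sent):
    return 100.0 * int(lost) / int(sent) if int(sent) else 0.0

def parse_pathping(text):
    """Return one dict per router hop with path, node and inbound-link loss."""
    hops, link_loss = [], 0.0
    for line in text.splitlines():
        m = LINK.match(line)
        if m:                                 # link row precedes the hop it leads to
            link_loss = pct(*m.groups())
            continue
        m = HOP.match(line)
        if m:
            hop, p_lost, p_sent, n_lost, n_sent, addr = m.groups()
            hops.append({"hop": int(hop), "address": addr,
                         "path_loss": pct(p_lost, p_sent),
                         "node_loss": pct(n_lost, n_sent),
                         "link_loss": link_loss})
            link_loss = 0.0
    return hops

def suspect_hops(text, threshold=5.0):
    """Hops whose own loss, or loss on the link into them, meets the threshold."""
    return [(h["hop"], h["address"]) for h in parse_pathping(text)
            if max(h["node_loss"], h["link_loss"]) >= threshold]

if __name__ == "__main__":
    for hop, addr in suspect_hops(SAMPLE):
        print(f"hop {hop} ({addr}) exceeds the loss threshold")
```

Hop 3 in the sample shows 13% in the Source to Here column but is not flagged, because that loss was inherited from the link into hop 2 rather than introduced at hop 3.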

To view pathping's syntax, enter PATHPING /? at a console prompt.

Note: If you haven't installed any Windows 2000 service packs, the pathping documentation contains two errors: there is no -r switch, and the -t switch must be uppercase.