You can strict users from running programs in Windows using Program Blocker or AskAdmin freeware tools. But, if you want to restrict users from installing as well as running programs in Windows 10/8/7/Vista / XP / 2000 & Windows Server; you can do so by changing certain Group Policy settings that can control the behavior of the Windows Installer, prevent certain programs from running or restrict it via the Registry Editor.

How to disable or restrict the Windows Installer in Win 10 via Group Policy?

1. Click on Start button and type gpedit.msc on search.


2. Click on gpedit.msc from search to open the Group Policy Editor.

3. Navigate to the following:

Computer Configurations > Administrative templates > Windows Components > Windows Installer.

windows-installer3. From the right-hand side pane double-click on “Turn off Windows Installer”.


“This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. This setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.”

4. Click Enabled and Apply.

To make Windows 10 non-secured, you can configure the “Always install with elevated privileges”.

In the Group Policy Editor, navigate to the following:

User Configuration > Administrative Templates > Windows Components. Double click and configure “Always install with elevated privileges”.


“This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.

If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.

If you disable or do not configure this policy setting, the system applies for the current user’s permissions when it installs programs that a system administrator does not distribute or offer.”

Disallow certain Windows applications

In the Group Policy Editor, navigate to the following:

User Configuration > Administrative Templates > System. From the right-hand side pane double click on “Don’t run specified Windows applications”. Enable it and under Options click Show. Enter the path of the application you wish to disallow; in my case : rstrui.exe.


This will disallow Windows Installer which is located in C:\Windows\System32\ folder from running.

Restricting any Program from being installed via Registry Editor

1. Open the Registry Editor by typing regedit.msc in search of Windows 10.

2. Navigate to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer\DisallowRun

3. Create a new String value with any name, e.g. 1 and set its value to the program’s EXE file.

create-a-new-string-valueSuppose you want to restrict rstrui.exe, then create a String value 1 and set its value to rstrui.exe. If you want to restrict more programs, then simply create more String values with names 2, 3 and so on and set their values to the program’s exe.