Group Policy Limits software running

Run: gpedit. msc
 
Open: Computer Configuration-WINDOWS Settings-Security Settings-soft limit policy-right-click to create a soft limit policy-select other rules-
 
-Create a path rule
 
Rule 1
Path :*
Security level: Not Allowed
Description: you do not need to fill it out.
 
(This rule prohibits all programs from running)
 
The second rule:
Path: % HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ SystemRoot %
Security level: unrestricted
Description: you do not need to fill it out.
 
Meaning: WINDOWS Directory files are excluded from the first restriction.
 
Article 3 rules:
Path: % HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ SystemRoot % *. exe
Security level: unrestricted
Description: you do not need to fill it out.
 
Meaning: WINDOWS Directory programs are excluded from the first restriction and can be run.
 
Article 4 Rules:
 
Path: % HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ SystemRoot % System32 \ *. exe
Security level: unrestricted
Description: you do not need to fill it out.
 
Meaning: The system program is excluded from the first restriction and can be run.
 
Article 5 Rules:
Path: % HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ ProgramFilesDir %
Security level: unrestricted
Description: you do not need to fill it out.
 
Meaning: exclude the ProgramFiles Directory, which is not subject to the first restriction and can be run.
 
Article 6 rules:
Path: *. lnk
Security level: unrestricted
 
Meaning: there is no restriction on shortcuts (Note: The shortcuts of prohibited programs cannot be run)
 
Now, run the following command: gpupdate/force to refresh the Group Policy or restart or cancel the group. Now, you can use a bot or disk magnetic machine, it cannot run. (Note that the program files can run in the WINDOWS directory, SYSTEM32 directory, and ProgramFiles)
 
 
Charged: After the above group policies are set, if you want to install software, please temporarily add two rules
% Temp % Not Limited (User variables are not limited to ensure normal software installation)
% TMP % is not restricted (the directory for storing temporary files is not limited, so the software can be installed properly)
 
After the installation is complete, delete these two rules to avoid Trojans or virus unrestricted in the temporary IE folder.
 
 
 
 
You can also make it more powerful:
* Not Allowed
% HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ SystemRoot % *. exe not allowed
% HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ SystemRoot % System32 \ *. exe not allowed
% HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ ProgramFilesDir % *. exe not allowed
 
Then all system programs and the legal programs you need are excluded one by one.
 
This will never be poisoned (unless you have to set the virus as unrestricted)
 
 
 
Someone may ask: It is very tiring to reinstall the system frequently.
The answer is that it is not troublesome. After you set it successfully, a Registry will be generated under C: \ WINDOWS \ system32 \ GroupPolicy \ Machine. pol file, which is the setting file of the Group Policy. After you copy the file to another disk, create a new software restriction policy next time you reinstall the file. The content does not need to be input any more and save the saved Registry. copy the pol file to C: \ WINDOWS \ system32 \ GroupPolicy \ Machine.