===========================================
Preventing Someone from logging into System:
Counteracting W.S. 's way
===========================================
by kurt_der_koenig

About a couple of weeks ago White Scorpion posted a tutorial on how to elevate your rights in XP (go here to see it: http://www.antionline.com/showthread...hreadid=264025).
It was a nice one at that, very useful. But what about protecting ourselves against it,
especially when we have users under us and don't want them to snoop around? I will try to
show you certain steps to counteract such elevations. Nothing brand new here, but maybe an
overview to help us in need.

Preventing the use of RUN:

This is one step to prevent the automatic running of cmd.exe, or any application for that
matter, by using Run in the Start menu. While this will not prevent the use of the command
prompt, it will help stem the automatic use of it. Remember to back up your registry, as
always. The steps are as follows:

1> Go to Start>Run (ironic, isn't it?)

2> type Regedit

3> Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

4> Create a DWORD by right clicking on the panel and by selecting new/DWORD

5> Name this DWORD NoRun and give it the value of one (the number one! ex 1)

Remember to do this in the account of the user you want this to affect. Of course, if you do
this while in your account, then it will only affect you and not the other users.

Preventing the use of CMD.EXE

This is the winner here. While disabling Run can prevent the user from calling up
cmd.exe right off the bat, it does not prevent them from finding cmd.exe and running it to
their heart's content. Same thing here as the last: editing the registry again. And as before,
make sure you do this in their account, not yours.

1> Go to start>run

2> type Regedit

3> Go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

4> Create a DWORD <method same as before> and name it DisableCMD

5> give it the value of one (1)

While this narrows the possibilities, it is not completely finished. The user
can still create batch files (.bat) to run commands (e.g. putting at 10:30
/interactive taskmgr in a file and naming it with the extension .bat). The fix is the same as
the last prevention (preventing cmd.exe), but instead of giving the value of 1, you will
use 2. This will block cmd.exe along with the usage of batch files.

To automate this, create a simple registry file. It can also help you restore the settings if
your user has changed or deleted them, by putting it in the startup (change the permissions
so they cannot delete it).

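Code:
Windows Registry Editor Version 5.00

; Block cmd.exe (DWORD value, as in the manual steps above)
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

; Remove Run from the Start menu
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001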

Link (source learned from):
http://www.windowsitpro.com/Windows/...834/38834.html
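
Since a user may change or delete these values, here is an added example (not part of the original post) that audits the text of a registry export against the two values the registry file above sets, flagging a value that is missing, altered, or not a DWORD as the steps require. The names parse_reg and audit and the sample export are hypothetical; it assumes the export has already been decoded to text (regedit 5.00 exports are UTF-16).

```python
import re

# Expected policy values, copied from the registry file on this page.
EXPECTED = {
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD"): 2,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"): 1,
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Parse .reg text into {(key, name): (type, data)}, lower-casing names."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        key_m, val_m = KEY_RE.match(line), VALUE_RE.match(line)
        if key_m:
            key = key_m.group(1).lower()
        elif val_m and key is not None:
            name, data = val_m.group(1).lower(), val_m.group(2).strip()
            if re.fullmatch(r"dword:[0-9a-f]{1,8}", data, re.I):
                values[(key, name)] = ("dword", int(data[6:], 16))
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                values[(key, name)] = ("string", data[1:-1])
            else:
                values[(key, name)] = ("other", data)
    return values

def audit(text):
    """Return findings; an empty list means both values match the page's file."""
    found, findings = parse_reg(text), []
    for (key, name), want in EXPECTED.items():
        got = found.get((key.lower(), name.lower()))
        if got is None:
            findings.append(f"{name}: missing")
        elif got[0] != "dword":
            findings.append(f"{name}: type is {got[0]}, expected dword")
        elif got[1] != want:
            findings.append(f"{name}: value is {got[1]}, expected {want}")
    return findings

# Constructed sample export: DisableCMD stored as a string, NoRun deleted.
TAMPERED = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"="2"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
'''

if __name__ == "__main__":
    print(audit(TAMPERED))
```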