Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Select an option

  • Save jeremysimmons/e209e0ffbed50cc5c9a6369aa7ece903 to your computer and use it in GitHub Desktop.

Select an option

Save jeremysimmons/e209e0ffbed50cc5c9a6369aa7ece903 to your computer and use it in GitHub Desktop.
Prevent Apps in Downloads and Desktop
# Minimal SRP-style block: prevent executables from running from Downloads
# Windows 11 Home: uses registry-backed Software Restriction Policy settings
$base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
# Create SRP policy base
New-Item -Path $base -Force | Out-Null
# Default: allow software unless explicitly blocked
New-ItemProperty -Path $base -Name "DefaultLevel" -Value 0x00040000 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name "PolicyScope" -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name "TransparentEnabled" -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name "AuthenticodeEnabled" -Value 0 -PropertyType DWord -Force | Out-Null
# File types SRP should treat as executable
$exeTypes = @(
"ADE","ADP","BAS","BAT","CHM","CMD","COM","CPL","CRT","EXE",
"HLP","HTA","INF","INS","ISP","LNK","MDB","MDE","MSC","MSI",
"MSP","MST","OCX","PCD","PIF","REG","SCR","SHS","URL","VB",
"VBE","VBS","WSC","WSF","WSH","PS1","PSM1","PS1XML"
)
New-ItemProperty -Path $base -Name "ExecutableTypes" -Value $exeTypes -PropertyType MultiString -Force | Out-Null
# Disallowed rules live under CodeIdentifiers\0\Paths
$pathsRoot = "$base\0\Paths"
New-Item -Path $pathsRoot -Force | Out-Null
function Add-DisallowedPathRule {
param(
[Parameter(Mandatory)]
[string]$PathPattern,
[string]$Description = "Blocked by local SRP policy"
)
$guid = [guid]::NewGuid().ToString("B")
$rulePath = Join-Path $pathsRoot $guid
New-Item -Path $rulePath -Force | Out-Null
New-ItemProperty -Path $rulePath -Name "ItemData" -Value $PathPattern -PropertyType String -Force | Out-Null
New-ItemProperty -Path $rulePath -Name "SaferFlags" -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $rulePath -Name "Description" -Value $Description -PropertyType String -Force | Out-Null
}
Add-DisallowedPathRule "%USERPROFILE%\Downloads\*" "Block execution from user Downloads"
Add-DisallowedPathRule "%USERPROFILE%\Downloads\*\*" "Block execution from Downloads subfolders"
Add-DisallowedPathRule "%USERPROFILE%\Desktop\*" "Block execution from user Desktop"
Add-DisallowedPathRule "%USERPROFILE%\Desktop\*\*" "Block execution from Desktop subfolders"
gpupdate /force | Out-Null
Write-Host "Done. Log off and back on, or reboot, for policy to fully apply."
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment