Created
May 5, 2026 14:57
-
-
Save jeremysimmons/e209e0ffbed50cc5c9a6369aa7ece903 to your computer and use it in GitHub Desktop.
Prevent Apps in Downloads and Desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Minimal SRP-style block: prevent executables from running from Downloads | |
| # Windows 11 Home: uses registry-backed Software Restriction Policy settings | |
| $base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" | |
| # Create SRP policy base | |
| New-Item -Path $base -Force | Out-Null | |
| # Default: allow software unless explicitly blocked | |
| New-ItemProperty -Path $base -Name "DefaultLevel" -Value 0x00040000 -PropertyType DWord -Force | Out-Null | |
| New-ItemProperty -Path $base -Name "PolicyScope" -Value 0 -PropertyType DWord -Force | Out-Null | |
| New-ItemProperty -Path $base -Name "TransparentEnabled" -Value 1 -PropertyType DWord -Force | Out-Null | |
| New-ItemProperty -Path $base -Name "AuthenticodeEnabled" -Value 0 -PropertyType DWord -Force | Out-Null | |
| # File types SRP should treat as executable | |
| $exeTypes = @( | |
| "ADE","ADP","BAS","BAT","CHM","CMD","COM","CPL","CRT","EXE", | |
| "HLP","HTA","INF","INS","ISP","LNK","MDB","MDE","MSC","MSI", | |
| "MSP","MST","OCX","PCD","PIF","REG","SCR","SHS","URL","VB", | |
| "VBE","VBS","WSC","WSF","WSH","PS1","PSM1","PS1XML" | |
| ) | |
| New-ItemProperty -Path $base -Name "ExecutableTypes" -Value $exeTypes -PropertyType MultiString -Force | Out-Null | |
| # Disallowed rules live under CodeIdentifiers\0\Paths | |
| $pathsRoot = "$base\0\Paths" | |
| New-Item -Path $pathsRoot -Force | Out-Null | |
| function Add-DisallowedPathRule { | |
| param( | |
| [Parameter(Mandatory)] | |
| [string]$PathPattern, | |
| [string]$Description = "Blocked by local SRP policy" | |
| ) | |
| $guid = [guid]::NewGuid().ToString("B") | |
| $rulePath = Join-Path $pathsRoot $guid | |
| New-Item -Path $rulePath -Force | Out-Null | |
| New-ItemProperty -Path $rulePath -Name "ItemData" -Value $PathPattern -PropertyType String -Force | Out-Null | |
| New-ItemProperty -Path $rulePath -Name "SaferFlags" -Value 0 -PropertyType DWord -Force | Out-Null | |
| New-ItemProperty -Path $rulePath -Name "Description" -Value $Description -PropertyType String -Force | Out-Null | |
| } | |
| Add-DisallowedPathRule "%USERPROFILE%\Downloads\*" "Block execution from user Downloads" | |
| Add-DisallowedPathRule "%USERPROFILE%\Downloads\*\*" "Block execution from Downloads subfolders" | |
| Add-DisallowedPathRule "%USERPROFILE%\Desktop\*" "Block execution from user Desktop" | |
| Add-DisallowedPathRule "%USERPROFILE%\Desktop\*\*" "Block execution from Desktop subfolders" | |
| gpupdate /force | Out-Null | |
| Write-Host "Done. Log off and back on, or reboot, for policy to fully apply." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment