bypass restricted command prompt for non-privileged users


The Windows Command Prompt (sometimes called the DOS prompt) is a tool that lets administrators run system-wide commands, which makes administration easier and more efficient. The average user has little use for it.

Many administrators therefore prevent users from opening a command prompt, which is considered good practice for system hardening, and disabling cmd is often assumed to keep an intruder from running commands. Now consider that you are asked to test a system and find that cmd is disabled and you are only allowed to browse files. That is a real obstacle: you cannot run your commands easily, and batch scripts are not enough, since they are still not an interactive mode and give you no way to troubleshoot whether a script ran or why it failed.

Worth knowing before going further: this policy is a switch that cmd.exe itself checks when it starts (the DisableCMD value under HKCU\Software\Policies\Microsoft\Windows\System). It is a user-interface restriction, not a security boundary; any process that does not go through cmd.exe is unaffected by it.

prevent access to cmd

First, let's disable cmd and prevent users from using it by following these steps.

  • run gpedit.msc from the Run dialog
  • navigate to User Configuration > Administrative Templates > System. Make sure to click on the System folder rather than expanding it.
  • double-click the entry labeled Prevent access to the command prompt and select the Enabled option
  • after clicking the Apply button, cmd is disabled, and a message saying that the command prompt has been disabled by your administrator is shown every time you start it
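The same policy applied and inspected from PowerShell, as an added example that is not part of the original post. It assumes a lab account you are allowed to modify; the registry path and the DisableCMD value are what the policy above writes, while the function names and the probe marker are my own. Note that cmd.exe reads the value when it starts, so writing it directly is enough in a lab, whereas in production Group Policy will re-apply its own value on the next refresh.

```powershell
# Added example (not from the original post). The GPO "Prevent access to the command prompt"
# is stored as the DisableCMD value under this per-user policy key; cmd.exe checks it at startup.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Get-CmdPolicy {
    # Returns the human-readable meaning of the current DisableCMD value.
    $value = (Get-ItemProperty -Path $PolicyKey -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    if ($null -eq $value) { return 'Not configured: cmd.exe and batch scripts allowed' }
    switch ($value) {
        0       { 'Disabled: cmd.exe and batch scripts allowed' }
        1       { 'Enabled, script processing also disabled: interactive cmd.exe, cmd /c and batch files blocked' }
        2       { 'Enabled, scripts allowed: interactive cmd.exe blocked, cmd /c and batch files still run' }
        default { "Unknown DisableCMD value $value" }
    }
}

function Set-CmdPolicy {
    # $Mode maps to the GPO dialog: Enabled + "Disable the command prompt script processing also?"
    # answered No (value 2) or Yes (value 1); Off removes the value, i.e. Not Configured.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Off', 'InteractiveOnly', 'IncludingScripts')]
        [string]$Mode
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    switch ($Mode) {
        'Off'              { Remove-ItemProperty -Path $PolicyKey -Name DisableCMD -ErrorAction SilentlyContinue }
        'InteractiveOnly'  { Set-ItemProperty -Path $PolicyKey -Name DisableCMD -Value 2 -Type DWord }
        'IncludingScripts' { Set-ItemProperty -Path $PolicyKey -Name DisableCMD -Value 1 -Type DWord }
    }
    Get-CmdPolicy
}

function Test-CmdScriptProcessing {
    # Probes whether "cmd /c" (the path batch files and most wrapper tools use) still works.
    # A blocked cmd.exe prints its "disabled by your administrator" message and waits for a
    # keypress instead of echoing the marker, so the wait is bounded and the child is killed.
    $outFile = Join-Path $env:TEMP 'cmd_probe.txt'
    $p = Start-Process -FilePath cmd.exe -ArgumentList '/c echo CMD_PROBE_OK' `
                       -RedirectStandardOutput $outFile -WindowStyle Hidden -PassThru
    if (-not $p.WaitForExit(5000)) { $p.Kill(); $p.WaitForExit() }
    return ((Get-Content $outFile -Raw) -match 'CMD_PROBE_OK')
}

# Lab walkthrough: apply the setting gpedit writes, then see which paths remain open.
Set-CmdPolicy -Mode InteractiveOnly
Write-Host "cmd /c usable with scripts allowed:  $(Test-CmdScriptProcessing)"
Set-CmdPolicy -Mode IncludingScripts
Write-Host "cmd /c usable with scripts disabled: $(Test-CmdScriptProcessing)"
Set-CmdPolicy -Mode Off
```

The probe is the check a tester wants before choosing a bypass: with scripts still allowed, anything that launches `cmd.exe /c` keeps working, which is exactly what batch files and the tool described later in this post rely on.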

bypass disabled/restricted cmd

Writing custom BAT scripts may help to execute stored commands, but that is not a solution during internal testing, when you want to use other tools that require an interactive prompt. It also only works because the policy's second option, "Disable the command prompt script processing also?", was left at No; set to Yes, batch files and cmd /c are blocked as well.

So what I did was build a small GUI app in Pascal that runs your commands through cmd, captures their output, and redirects the content into a visual component (a TMemo). That way you have a small, unobtrusive tool to complete your audit without spending so much time writing BAT scripts.
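The core of that tool, spawning a child process with its output redirected and handing the text back to a display, rewritten in PowerShell as an added example; this is not the author's Pascal code. The function names and the 30-second timeout are my choices. It assumes powershell.exe is still available, which the cmd policy does not restrict (it only affects cmd.exe); where PowerShell is blocked by other means, a compiled binary like the author's is what remains. It also shows the option the policy cannot touch at all: launching the target executable directly without cmd.exe.

```powershell
# Added example, not the original Pascal tool. Runs a command line, captures stdout/stderr,
# and returns them as an object (the GUI writes the same text into its TMemo).
function Invoke-CapturedCommand {
    param(
        [Parameter(Mandatory)] [string]$CommandLine,
        [switch]$WithoutCmd,          # launch the program directly instead of via cmd.exe /c
        [int]$TimeoutMs = 30000       # assumed upper bound; a disabled cmd.exe waits for a keypress
    )
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    if ($WithoutCmd) {
        # First token is the program, the rest its arguments. No cmd.exe is involved, so the
        # DisableCMD policy (a check inside cmd.exe) never comes into play.
        $parts = $CommandLine -split ' ', 2
        $psi.FileName  = $parts[0]
        $psi.Arguments = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    } else {
        # Same path the Pascal tool takes: cmd.exe /c <command>. Works while the policy leaves
        # script processing enabled (DisableCMD = 2); blocked when it is 1.
        $psi.FileName  = Join-Path $env:SystemRoot 'System32\cmd.exe'
        $psi.Arguments = "/c $CommandLine"
    }
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true
    $psi.CreateNoWindow         = $true

    $proc = [System.Diagnostics.Process]::Start($psi)
    # Read both pipes asynchronously: reading one to the end while the other fills its
    # buffer would deadlock the child, and the timeout guards against a hung cmd.exe.
    $outTask = $proc.StandardOutput.ReadToEndAsync()
    $errTask = $proc.StandardError.ReadToEndAsync()
    $timedOut = -not $proc.WaitForExit($TimeoutMs)
    if ($timedOut) { $proc.Kill(); $proc.WaitForExit() }

    [pscustomobject]@{
        ExitCode = $proc.ExitCode
        TimedOut = $timedOut
        Output   = $outTask.Result
        Error    = $errTask.Result
    }
}

# Minimal interactive loop: the text-box equivalent of the GUI. Type 'exit' to leave.
function Start-CapturedShell {
    while ($true) {
        $line = Read-Host 'captured-cmd'
        if ($line -eq 'exit') { break }
        $r = Invoke-CapturedCommand -CommandLine $line
        if ($r.Output)   { Write-Host $r.Output }
        if ($r.Error)    { Write-Host $r.Error -ForegroundColor Red }
        if ($r.TimedOut) { Write-Host 'child did not exit (cmd.exe disabled?)' -ForegroundColor Yellow }
        Write-Host "[exit code $($r.ExitCode)]"
    }
}

# Usage:
#   Invoke-CapturedCommand 'whoami /priv'                    # through cmd.exe /c
#   Invoke-CapturedCommand 'whoami.exe /priv' -WithoutCmd    # direct launch, independent of DisableCMD
#   Start-CapturedShell
```

The -WithoutCmd path is the one to reach for when the stricter policy option is in force: built-ins such as dir or set disappear, but every standalone executable (whoami.exe, net.exe, tasklist.exe and so on) still runs, because nothing about the policy reaches them.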

You can grab the compiled executable by downloading it from here, and if you are interested in checking out the code, I have also uploaded the source code to the blog repo.

Lawrence Amer
Offensive security expert and founder of 0xsp security research and development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED and many other open-source projects.

