Article ID: 319458
Article Last Modified on 5/18/2007
APPLIES TO
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
This article was previously published under Q319458
SYMPTOMS
If you configure a Software Restriction policy to restrict access to a 16-bit program such as Command.com or Edit.com, users can still start the program even though they are not permitted to run it.
CAUSE
Commands that run in the Virtual DOS Machine (Ntvdm.exe) are not recognized by Software Restriction policies.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
------------------------------------------------------
09-Apr-2002 00:50 5.1.2600.42 898,560 Kernel32.dll
WORKAROUND
To work around this problem, restrict access to Ntvdm.exe by using access control lists (ACLs) at the file-system level. Note that using this method blocks all 16-bit code.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows XP Service Pack 1.
MORE INFORMATION
Note that you cannot use Software Restriction policies to prevent code from being run outside the Win32 subsystem. For example, user can run the same command from the POSIX subsystem. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
101270 Disabling the POSIX Subsystem
Additional query words: kbSecurity safer
Keywords: kbhotfixserver kbqfe kbbug kbfix kbsecurity kbwinxpsp1fix KB319458
