How to Block EXE Files in Vulnerable Folders from Running in Windows 11 or 10?


Nearly every Windows user installs an antivirus to safeguard their computer. However, that alone is not enough, and it is best to take further precautions against online malware threats. You can make your PC's security more robust by blocking EXE files from running in some vulnerable folders such as Temp, AppData, etc.

Despite all proper precautions, there's still a chance of getting infected. For example, malware may manage to enter your system by exploiting one of the various temporary folders that your OS provides to install new applications, unzip compressed archives, store temp data, etc.

“C:\Windows\Temp” works like a launchpad for viruses and malware. Other risky folders are the following:-

  • %USERPROFILE%\AppData\Local\ and all its subfolders.
  • %USERPROFILE%\AppData\Roaming\ and all its subfolders.

All these folders are meant for storage, not for running executables. Preventing potentially harmful .exe files from running from them is an excellent extra layer of defense.

We will guide you through blocking .exe files from running on Windows client or Windows Server by applying Software Restriction Policies in this risewindows article.

How to Block EXE Files in Vulnerable Folders from Running in Windows 11 or 10?

To block running EXE files from vulnerable folders on Windows 11 or 10, do the following:-

Step 1. First, open Local Group Policy Editor (Windows 11/10 Home edition users will need to enable gpedit.msc on their computer).

Step 2. When the Local Group Policy Editor window appears on your PC, browse to the following path in the left side pane:-

Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies

Step 3. Then, right-click on the Software Restriction Policies folder. Select New Software Restriction Policies in the context menu.

Step 4. When you're done, Windows will create some new subfolders. Right-click on Additional Rules and choose New Path Rule.

Step 5. Next, in the “New Path Rule” window that appears, enter the path of the executable file that you want to stop from running. Make sure to put *.exe at the end to block only executable files.

Step 6. Then, press Apply.
Step 7. Finally, hit OK.

We suggest you block the following:-

  • C:\Windows\Temp\*.exe
  • C:\Windows\Temp\*\*.exe
  • %USERPROFILE%\AppData\Local\*.exe
  • %USERPROFILE%\AppData\Local\*\*.exe
  • %USERPROFILE%\AppData\Roaming\*.exe
  • %USERPROFILE%\AppData\Roaming\*\*.exe

After it’s done, this will block most potentially unsafe executables from running on your computer, including those coming from archive attachments opened using the Windows built-in zip support.

Suppose you want to allow a .exe file from the blocked folder for some reason. Create a “New Path Rule” by selecting the Unrestricted option in the drop-down menu “Security level.”
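
To confirm that the rules from the steps above were actually saved, you can read them back from the registry. The following read-only PowerShell script is an added example, not part of the original article; it assumes the policy is stored under the standard Software Restriction Policies key (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), and the function name Get-SrpPathRule is made up for this illustration.

```powershell
# Added example: read-only audit of Software Restriction Policies path rules.
# Assumption: rules live under the standard SRP policy key below.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level IDs used as subkey names under the policy key.
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

# The six path rules suggested in the article.
$expected = @(
    'C:\Windows\Temp\*.exe',
    'C:\Windows\Temp\*\*.exe',
    '%USERPROFILE%\AppData\Local\*.exe',
    '%USERPROFILE%\AppData\Local\*\*.exe',
    '%USERPROFILE%\AppData\Roaming\*.exe',
    '%USERPROFILE%\AppData\Roaming\*\*.exe'
)

function Get-SrpPathRule {
    param([string]$Base = $base)
    foreach ($id in $levels.Keys) {
        $pathsKey = Join-Path $Base "$id\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            [pscustomobject]@{
                Level = $levels[$id]
                # Keep %USERPROFILE% literal instead of expanding it for the current user.
                Path  = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Guid  = $rule.PSChildName
            }
        }
    }
}

$rules = @(Get-SrpPathRule)
if (-not $rules) { Write-Warning "No SRP path rules found under $base" }

# Report which of the suggested block rules are present (comparison is case-insensitive).
$blocked = @($rules | Where-Object Level -eq 'Disallowed' | ForEach-Object Path)
foreach ($p in $expected) {
    $state = if ($blocked -contains $p) { 'present' } else { 'MISSING' }
    '{0,-8} {1}' -f $state, $p
}

# List every exception so each allowed path can be reviewed.
$rules | Where-Object Level -eq 'Unrestricted' | Format-Table Level, Path, Guid -AutoSize
```

Any rule reported as MISSING was not saved with the Disallowed level, and every Unrestricted entry is an exception inside an otherwise blocked area, so keep that list as short as possible.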

That’s it.
