Article ID: 319458 - View products that this article applies to.
This article was previously published under Q319458
If you configure a Software Restriction policy to restrict access to a 16-bit program such as Command.com or Edit.com, users can still start the program even though they are not permitted to run it.
Commands that run in the Virtual DOS Machine (Ntvdm.exe) are not recognized by Software Restriction policies.
To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389The English version of this fix should have the following file attributes or later:
(http://support.microsoft.com/kb/322389/EN-US/ )How to Obtain the Latest Windows XP Service Pack
Date Time Version Size File name ------------------------------------------------------ 09-Apr-2002 00:50 5.1.2600.42 898,560 Kernel32.dll
To work around this problem, restrict access to Ntvdm.exe by using access control lists (ACLs) at the file-system level. Note that using this method blocks all 16-bit code.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows XP Service Pack 1.
Note that you cannot use Software Restriction policies to prevent code from being run outside the Win32 subsystem. For example, user can run the same command from the POSIX subsystem. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/101270/EN-US/ )Disabling the POSIX Subsystem