AD Group Policy to lock down a single or multiple applications in ADD/REMOVE Software

zantar

Is there a way to lock down users from uninstalling a particular
application in ADD/REMOVE programs?

For example AntiVirus or Remote Access agents? I don't want an end user
to be able to uninstall either a Windows app or 3rd party application?
 
Mike Aubert

There is no built-in way to hide selective programs in Add/Remove
Programs. It's all or nothing for the most part.

One option you have is to use Group Policy and hide Add/Remove Programs
altogether (under User Configuration - Administrative Templates - Control
Panel - Add/Remove Programs: Disable Add/Remove Programs). This will remove
Add/Remove Programs from Control Panel for the affected users.
Alternatively, you can use the Hide Change or Remove Programs page policy
(located in the same section of Group Policy) to hide the list of
applications that are installed. Or, you can use the Hide Add/Remove Windows
components page policy (located in the same section of Group Policy) to hide
the Add/Remove Windows Components button in Add/Remove Programs.


Having said that, if you really need to hide selective applications there is
a way around the above. Start by opening up Registry Editor by clicking
Start, Run, type Regedit and click OK. In the tree window expand
HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows, CurrentVersion, and
Uninstall. Now you will need to do a little searching under the Uninstall
key. Start by selecting the first key under the Uninstall key (or if you
think you see the key for the application you want to hide, select that key
instead). With the key selected, look in the right details pane for an entry
with the Name "DisplayName." If this is not the application you want to hide
or there is no DisplayName entry, try the next key under Uninstall. Once you
have found the application you want to hide by confirming the DisplayName,
note the name of the key under the Uninstall key (i.e. what you have
selected in the left tree pane). Be aware that the application must be
installed on the computer that you open Registry Editor on. If the
application is not installed, you will need to move to a computer that does
have the application installed and perform the above steps. Also be sure
that you don't accidentally change anything - you can permanently damage the
system by using Registry Editor incorrectly.

At this point you should now know the registry path to the application you
want to hide. For example the application called My Important App may be
listed as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyApp

Next, create a group in the domain called something like "Hide Sensitive
Apps." Once you have the group created, open the Default Domain Group Policy
Object (or some other Group Policy Object linked at the domain level). It is
important that you apply this at a high level - it must apply to all
*computers* in the domain in order to hide the sensitive applications on all
computers. Expand Computer Configuration, Windows Settings and then Security
Settings. Right-click the Registry folder and then select Add Key.

At this point you can select the path in one of two ways. If the application
is installed on the computer you are currently on, in the tree window expand
MACHINE, SOFTWARE, Microsoft, Windows, CurrentVersion, and Uninstall. Then,
select the key of the application you want to hide in add or remove
programs. Alternatively, if the application is not installed on the computer
you are on but it is installed on others, you can type the path in the
Select key textbox. For example I would enter
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyApp for the
application I listed earlier (note HKEY_LOCAL_MACHINE is substituted with
just MACHINE).

When you click OK a permissions dialog will appear. By default the Everyone
group will appear in the list of users/groups with permission - you need to
remove the Everyone group. Next, click Add and select the Hide Sensitive
Apps group you created earlier. Deny the Hide Sensitive Apps group the Read
permission (which will also check the Execute permission). Also, be sure
that you do not have any other permissions checked under the Allow column.

When you click OK you will be prompted to select how the permissions should
be propagated. The Propagate inheritable permissions to all subkeys option
should be selected by default. Click OK. Repeat the above steps for each
application you want to hide.

With the Hide Sensitive Apps group configured and the permissions set, add
the users and groups you want to hide sensitive applications from to the
Hide Sensitive Apps group. Be sure not to add Administrators to this group
directly or indirectly - if you do, admins will not be able to see the
sensitive applications in Add/Remove programs. Once Group Policy refreshes
on the client computers (and the users logoff and back on), users that are
members of Hide Sensitive Apps will no longer see the sensitive applications
in Add/Remove programs.


Even after configuring all that, you still must be aware that this does not
prevent users from uninstalling applications by other means - it only hides
the listing in Add/Remove programs.

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.
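
The key lookup and the permission check from the steps above, as an added PowerShell example that is not part of the original post. It takes the post's illustrative names (My Important App, Hide Sensitive Apps) as assumptions, and it also searches the WOW6432Node Uninstall key, which the post does not mention.

```powershell
# Added example. The two names below are the post's illustrative values.
$AppPattern = 'My Important App'      # DisplayName to search for
$GroupName  = 'Hide Sensitive Apps'   # group the GPO denies Read to

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Assumption beyond the post: 32-bit apps on 64-bit Windows register here.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Find-UninstallKey {
    param([string]$Pattern, [string[]]$Roots = $UninstallRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $name = $key.GetValue('DisplayName')
            if ($name -and $name -like "*$Pattern*") {
                [pscustomobject]@{
                    DisplayName = $name
                    # Path as typed into the GPO "Select key" box (MACHINE\...)
                    GpoPath     = $key.Name -replace '^HKEY_LOCAL_MACHINE', 'MACHINE'
                    AclPath     = "Registry::$($key.Name)"
                }
            }
        }
    }
}

function Test-DenyRead {
    param([string]$AclPath, [string]$Group)
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    # True when a Deny ACE for DOMAIN\<Group> covers any part of the Read right.
    $deny = (Get-Acl -Path $AclPath).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like "*\$Group" -and
        ([int]$_.RegistryRights -band $readKey) -ne 0
    }
    [bool]$deny
}

# Run as an account that is not in the group, on a machine with the app installed.
Find-UninstallKey -Pattern $AppPattern | ForEach-Object {
    $_ | Add-Member -NotePropertyName DenyReadApplied `
                    -NotePropertyValue (Test-DenyRead $_.AclPath $GroupName) -PassThru
}
```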
 
zantar

Mike,

Thanks a ton for your reply and clarification. I have played around
with these settings and now better understand the limitations. Again
thanks heaps for your response.

-Nate
 
Mike Aubert

No problem at all! :)

 
Guest

Remove access to Add/Remove Programs in the AD Users and
Computers Console... You would want to make this change
in the users config. I believe the setting is in the
Control Panel Folder.
 
