Need to Remove or Block Steps Recorder(psr.exe)

Hi All,

I’m working on a requirement to block the Steps Recorder (psr.exe) on Windows machines. Since it’s a protected system file, removal isn’t feasible, but blocking access is a viable approach.

I’ve successfully tested the blocking manually using the following commands via CMD:
takeown /f "C:\Windows\System32\mstsc.exe"
icacls "C:\Windows\System32\mstsc.exe" /grant Administrators:F
icacls "C:\Windows\System32\mstsc.exe" /deny Users:(RX)

However, when I try to implement the same script via BigFix, the action completes with exit code 0, but the file remains accessible to standard users. Below is the BigFix action script I used:
waithidden cmd.exe /c takeown /f "C:\Windows\System32\mstsc.exe"
waithidden cmd.exe /c icacls "C:\Windows\System32\mstsc.exe" /grant Administrators:F
waithidden cmd.exe /c icacls "C:\Windows\System32\mstsc.exe" /deny Users:(RX)

Could someone please help me identify what might be going wrong or suggest a more reliable method to block psr.exe via BigFix?

You’ll need to disable wow64 redirection in the actionscript, since BigFix uses 32-bit mode by default.

Something like this would likely work

action uses wow64 redirection false
waithidden cmd.exe /c takeown /f "C:\Windows\System32\mstsc.exe"
waithidden cmd.exe /c icacls "C:\Windows\System32\mstsc.exe" /grant Administrators:F
waithidden cmd.exe /c icacls "C:\Windows\System32\mstsc.exe" /deny Users:(RX)

Are you sure you are blocking the right file? Shouldn't "mstsc.exe" be "psr.exe"?

Another possible option is an app lock (I’m not sure if OS upgrades could reset custom applied ACLs).

Similar to the process described here, I applied the same steps to HKLM and this prevents me from running psr on my Win11 build. You could do that as an action script with detection relevance that a value with the data psr.exe doesn't already exist.


Some possible detection and remediation options, catering for existing registry values that may already be in use on the system:

Relevance 1
windows of operating system

Relevance 2
not exists value "DisallowRun" whose (it as integer = 1) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" of native registry

Relevance 3
not exists key "DisallowRun" whose (exists value whose (it as string as lowercase = "psr.exe") of it) of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" of native registry

Actionscript

// Get current highest disallow value if it exists and increment by 1
if {exists (names of values of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" of native registry as integer)}
	parameter "NextValue" = "{(maximum of (names of values of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" of native registry as integer) + 1) as string}"
else
	parameter "NextValue" = "1"
endif

// Create psr.exe app lock
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]" "DisallowRun"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]" "{parameter "NextValue"}"="psr.exe"

action requires restart "PSR_Blocked"
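The same DisallowRun app lock expressed as an idempotent PowerShell apply-and-verify script, added here as an example and not taken from the thread or from BigFix. It assumes it runs elevated in 64-bit PowerShell (so HKLM writes are not WOW64-redirected) and mirrors the actionscript above: it reuses the next free numeric index, ignores non-numeric value names, and checks case-insensitively whether psr.exe is already listed.

```powershell
# Added example: apply and verify the Explorer DisallowRun policy for psr.exe.
# Assumes elevated, 64-bit PowerShell; key paths are the ones used in the thread.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DisallowKey = Join-Path $PolicyKey 'DisallowRun'
$Target      = 'psr.exe'

function Get-DisallowRunEntries {
    # Value-name/data pairs under DisallowRun; empty list if the key does not exist yet.
    if (-not (Test-Path $DisallowKey)) { return @() }
    $item = Get-Item $DisallowKey
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Data = [string]$item.GetValue($name) }
    }
}

function Test-DisallowRunBlocked {
    param([string]$Exe = $Target)
    # Blocked only if the DisallowRun switch is 1 AND some entry names the executable.
    $switch = (Get-ItemProperty -Path $PolicyKey -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    $listed = @(Get-DisallowRunEntries | Where-Object { $_.Data -ieq $Exe }).Count -gt 0
    return (($switch -eq 1) -and $listed)
}

function Add-DisallowRunEntry {
    param([string]$Exe = $Target)
    if (Test-DisallowRunBlocked -Exe $Exe) { return "already blocked: $Exe" }
    # Next index = highest numeric value name + 1; non-numeric names are skipped, absent key starts at 1.
    $numeric = @(Get-DisallowRunEntries | ForEach-Object {
        [int]$n = 0
        if ([int]::TryParse($_.Name, [ref]$n)) { $n }
    })
    $next = if ($numeric.Count -gt 0) { [int]($numeric | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-Item -Path $DisallowKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey   -Name 'DisallowRun' -PropertyType DWord  -Value 1    -Force | Out-Null
    New-ItemProperty -Path $DisallowKey -Name "$next"       -PropertyType String -Value $Exe -Force | Out-Null
    return "added entry $next = $Exe"
}

Add-DisallowRunEntry
# Verification: the policy is read by Explorer, so a restart or logoff (as the actionscript requests) is
# still needed before the block takes effect for logged-on users.
Test-DisallowRunBlocked
```

Run the script a second time to confirm it reports "already blocked" instead of appending a duplicate entry; the Test-DisallowRunBlocked output doubles as a detection check that could be ported back into relevance.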