Option to block applications from being installed through a blocklist or a group policy on regedit

[gelatinbomb]

Checklist

• I have verified this is the correct repository for opening this issue.
• I have verified no other issues exist related to my request.

Is Your Feature Request Related To A Problem? Please describe.

I usually have a variety of software designed to block the access to distracting webpages so being able to install another browser kind of bypass that. By adding a way to block these problematic apps I can prevent myself from trying that. It can be used also as a kind of "parental control" if you want. In my case I use these tools for myself.

Describe The Solution. Why is it needed?

I think the best way to implement this is by setting a regedit key on the Registry. Then all the "values" added to that key would be blocked by Chocolatey. Maybe when you perform the command choco this one checks first maybe a file with the data before it does the search of the package and if the name of the package gets found there it can show something like "program is blocked from being installed by the Administrator"

Honestly this and a good software blocker should be enough since after I configure the key in the registry I can block the regedit executable with one of those an wouala!

Additional Context

I have heard Chocolatey is friendly with Administration software so I guess it might be possible to implement this. Now as you can see by the context of the post I don't want this for a company os a school or something like that, it's a personal thing for end users.

If you want an example of what I mean you can check the Google or Firefox group policies. Check the urlblocklist one. It's the closest to what I mean for the proposed feature.

https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::URLBlocklist

Related Issues

No response

[JPRuskin]

Though I can see your potential use-case, there are a few problems (to me) with your suggestion.

Mainly, Chocolatey is designed to (except with some business features that match your requirement, when combined with restricting available packages as suggested on your Reddit thread) be run as an elevated process - if you're running Chocolatey as a home user, you're very likely an admin on your machine.

If you're an admin on your machine, you can undo any of these restrictions (for the record, the Windows Registry can be modified dozens of ways - not just by using regedit - and, of course, you can just install your restricted software using a regular installer unless you're also blocking all sites that allow you to download it).

Jokingly speaking, if you're able to undo any of these restrictions, but choose not to - you can just choose not to install this other software. Voila! That said...

If you want to just put a layer of obstruction to reduce the temptation, can I recommend not using an administrator account as your day-to-day account?

This is actually a recommended practice, for various reasons. Your account will then (mostly) not be able to install the restricted software, but you'll be able to use UAC prompts or runas to update or install when you need to - there will just be an extra gate where you can ask yourself "should I be doing this?"

I'm going to convert this to a discussion for now, so folk can discuss it - or we can continue discussion on the Reddit thread.

[gelatinbomb]

I actually use a normal user instead of admin but as you said I need the admin to update my apps and I also block all the sites where I can potentially download it. I tend to do this type of blocking so when I have to upgrade my apps I don't have the temptation to install any distracting application, as you can imagine doing that with choco is basically just at one command on the terminal so I'm in that double edge case where upgrading my apps is super easy but also is kind of easy to install distracting apps.
I don't know what you would think about this? For now I have a kind of temporal solution to fix this by blocking the execution of software that have certain names, not perfect but it's something.

[JPRuskin]

I actually use a normal user instead of admin

Nice one! Glad to hear you're doing that already!

upgrading my apps is super easy but also is kind of easy to install distracting apps

A lesson I had to learn a while ago (several times over, to be honest) is that sometimes you find a problem you can solve with cool scripting, or a neat program, or by enforcing policy across a domain. I love a cool script, and will find any excuse to go write one.

Sometimes, implementing that technical solution would waste a lot of time and not work as well as just talking to the people (or person) in question and saying "please don't do this." Or, in more extreme cases, making them sign something that says "I'm not going to do this, and here are the penalties for doing so."

There are a lot of ways you can enforce this upon yourself (hook scripts, maintaining a repository that only contains software you allow, scripting the update process so you don't have to do it and tempt yourself). I will stress that I think you may find working on self-control the best course of action (and I say that as someone with pretty poor self-control).

Again, anything you do (/implement technically) you can undo - so unless you work on that you're never going to solve this.

So, assuming that hasn't helped, let's briefly go into some of those suggested solutions:

• Self-maintained repository
  • You could use something like Cloudsmith, Nexus Repository, or a folder on your disk. These are all pretty simple to deploy or install.
  • With an appropriate script, you could ensure that they regularly contained the latest version of packages that are already installed on your computer (and no others)
  • If you then removed the Chocolatey Community Repository from your Choco installation and added that one, you would then only be able to upgrade existing packages without additional effort.
  • Downside: You'd still be able to specify the CCR to install arbitrary packages, or push new packages into your repository.
• Hook scripts
  • You could write a pre-install hook-script that contains a throw if the package name matches whatever you want. This is very customisable for you, but presumably you'd want to restrict it so your user couldn't edit or view it.
  • Potential downside: you'd probably be able to change that back.
• Script the update process (or use a third party tool, e.g. ChocoButler)
  • This would handle updating your existing packages, but not have an easy (tempting) path to install new ones
  • You wouldn't need to invoke choco, but...
  • Downside: You'd still be able to invoke choco, so would need to not do that.