Windows Terminal Server – Three Ways to Disable AVG Tray Icon via Group Policy

I scoured the internet forever and a day to find a way to disable the AVG tray icon in a Windows Terminal Server environment because as with most people, even though to make any major changes in the AVG settings it does require an admin password, I didn’t want my users to be able to toy around in there even, let alone run a bunch of malicious scans and slow the server down for everybody or gain access to view our AVG Business license key. I even contacted AVG technical support and they didn’t have a solution to my problem and I find it extremely hard to believe that I am the only person out there in the world facing this issue.

Well, today I finally figured out a way to disable the AVG tray icon via Group Policy using Software Restriction Policies. By creating a rule to prevent the running of the “avgui.exe” process, you can essentially disable the tray icon. As long as you have your group policies structured so that your users OU get a different group policy than say the admins OU, then the admins can still get into AVG, run any scans, or change any settings inside AVG. I guess I should mention that you could use this for any OU for that matter that you didn’t want to have access to the AVG UI, it’s not just limited to Remote Desktop Servers. Pretty sweet!

Inside your custom group policy, navigate to:

User Configuration > Windows Settings > Security Settings > Software Restriction Policies

If this is the first time setting up a Software Restriction Policy, you will have to right-click on the container and select “New Software Restriction Policies”.

Then drill down to Additional Rules and you should see a couple of automatically created allow rules for the System and Program folder directories, right click on Additional Rules and select “New Path Rule…”.

Under Path, enter the following and set the Security Level to Disallowed:

For a 32 Bit OS

%PROGRAMFILES%\AVG\AVG2013\avgui.exe

For a 64 Bit OS

%PROGRAMFILES(x86)%\AVG\AVG2013\avgui.exe

-OR-

02/18/2015 UPDATE – If you don’t want to enable a Software Restriction Policy, I’ve discovered another way to keep the AVGUI from running using the DisallowRun key in the Registry. To achieve this via Group Policy, you can do the following:

Inside your custom group policy, navigate to the location:

User Configuration > Preferences > Windows Settings > Registry

Add these two keys:

Right-click Registry > New > Registry-Item

Action: Update
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value name: DisallowRun
Value type: REG_DWORD
Value data: 1
Base: Hexadecimal

Action: Update
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Value name: 1
Value type: REG_SZ
Value data: avgui.exe

-OR-

02/19/2015 UPDATE – The last and easiest method by far, which basically does the exact same thing as the previous entry and I think probably edits the same registry keys, is to use the Group Policy admin template called “Don’t run specified Windows applications.

Inside your custom group policy, navigate to the location:

User Configuration > Policies > Administrative Templates > System > Don't run specified Windows applications
Set it to Enabled and enter avgui.exe

That’s it! Pretty simple.

02/25/2016 UPDATE – With the latest version of AVG 2016, they’ve moved the locations of the files and now there’s several more annoying AVG processes to disable. The new locations of the processes are as follows:
avgui.exe

%PROGRAMFILES(x86)%\AVG\AV\avgui.exe

avguix.exe

%PROGRAMFILES(x86)%\AVG\Framework\Common\avgui.exe

avgui.exe

%PROGRAMFILES(x86)%\AVG\AV\avuirunnerx.exe

avguix.exe

%PROGRAMFILES(x86)%\AVG\Framework\Common\avguirnx.exe

Leave a Reply