
deviceTRUST Command Processor (dtcmd.exe)

The deviceTRUST Command Processor (dtcmd.exe) is used to interact with the deviceTRUST Host Service (dthost.exe) from within triggered processes or Batch, PowerShell and VBScript scripts. It can be used to:

  • Abort the logon process.
  • Control access to the shell.
  • Stop applications that should not be running.
  • Control access to applications by changing the Windows AppLocker policy.
  • Raise auditing events.
  • Query the properties of the current session.
  • Display popup messages.
  • Perform changes to the registry.
  • Synchronize all properties.

The deviceTRUST Command Processor can be called by a local administrator to test drive certain DTCMD.EXE commands interactively before adding them to the final script. The target DTCMD.EXE functionality must first be enabled from a Local Policy or from a Microsoft Active Directory Group Policy. Launch the relevant policy editor and navigate to COMPUTER CONFIGURATION\ADMINISTRATIVE TEMPLATES\DEVICETRUST. Each of the following DTCMD.EXE commands is controlled by a separate policy:

  • ACCESS – The ability to execute this option is configurable by policy. To enable the functionality, navigate to COMPUTER CONFIGURATION\ADMINISTRATIVE TEMPLATES\DEVICETRUST\SHELL ACCESS and configure ‘ALLOW DEVICETRUST TRIGGERS TO CONTROL ACCESS TO THE VIRTUAL SESSION’ and ‘DEFINE WHO CAN CONTROL ACCESS TO THE VIRTUAL SESSION’.
  • APPLOCKER – The ability to execute this option is configurable by policy. To enable the functionality, navigate to COMPUTER CONFIGURATION\ADMINISTRATIVE TEMPLATES\DEVICETRUST\APPLICATION CONTROL and configure ‘ALLOW DEVICETRUST TRIGGERS TO CHANGE APPLICATION AVAILABILITY’ and ‘DEFINE WHO CAN CHANGE APPLICATION AVAILABILITY’.
  • APPTERMINATE – The ability to execute this option is configurable by policy. To enable the functionality, navigate to COMPUTER CONFIGURATION\ADMINISTRATIVE TEMPLATES\DEVICETRUST\APPLICATION CONTROL and configure ‘ALLOW DEVICETRUST TRIGGERS TO CHANGE APPLICATION AVAILABILITY’ and ‘DEFINE WHO CAN CHANGE APPLICATION AVAILABILITY’.
  • POPUP – The ability to execute this option is configurable by policy. To enable the functionality, navigate to COMPUTER CONFIGURATION\ADMINISTRATIVE TEMPLATES\DEVICETRUST\POPUPS and configure ‘ALLOW DEVICETRUST TRIGGERS TO DISPLAY POPUP WINDOWS’ and ‘DEFINE WHO CAN DISPLAY POPUP WINDOWS’.
  • REG – The ability to execute this option is configurable by policy. To enable the functionality, navigate to COMPUTER CONFIGURATION\ADMINISTRATIVE TEMPLATES\DEVICETRUST\REGISTRY CONTROL and configure ‘ALLOW DEVICETRUST TRIGGERS TO CHANGE REGISTRY VALUES’ and ‘DEFINE WHO CAN CHANGE REGISTRY VALUES’.

DTCMD.EXE is installed as part of the deviceTRUST host software and resides within the installation path %PROGRAMFILES%\DEVICETRUST\HOST\BIN. It can be called without specifying the path.

dtcmd Options

Option: ABORT

Aborts an in-progress remote logon, halting the processing of the operating system logon tasks. An optional message can be displayed to the user. This command must be run from a deviceTRUST Logon Trigger and the method used to block logon must be set to Blocking within the Shell Access policy.

ABORT [/message:<msg>] 
    [/timeout:<t>]

Option: ACCESS

Controls access to the desktop or published applications. If the operation is DENY, access to desktop sessions is denied by showing a fullscreen blocking window, while published applications are hidden and a popup window is shown. The message field is required when denying access and can be accompanied by an optional title, which is shown to the user and included in the Windows Event Log. A timeout can be supplied which represents the number of seconds to wait before disconnecting or logging off the user. If /interactive is specified, interaction with the user's shell is allowed. The ability to execute this option is configurable by policy.

ACCESS /operation:ALLOW | DENY 
    [/message:<msg>] 
    [/title:<title>] 
    [/timeout:<t>] 
    [/interactive] 
    [/session:<id>]
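The following PowerShell script is an added example and is not part of the deviceTRUST documentation. It shows the ACCESS option used from a trigger script the way the text above describes: deny access with a message, title and timeout, record the decision with EVENT, and restore access with a second ACCESS call. It assumes that dtcmd.exe returns a non-zero exit code when a command is rejected (for instance because the Shell Access policy does not allow triggers to control access to the virtual session); that behaviour is not stated on this page.

```powershell
# Added example, not part of the deviceTRUST documentation: a trigger script
# that denies shell access, records an event, and later restores access.
# Assumption (not stated on this page): dtcmd.exe returns a non-zero exit
# code when a command is rejected, for example because the Shell Access
# policy does not allow triggers to control access to the virtual session.

function Invoke-Dtcmd {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # dtcmd.exe resides in the deviceTRUST host BIN directory and is on the PATH
    & dtcmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dtcmd.exe $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# Each option is one argument: keep '/message:...' in a single quoted string so
# that the message text with its spaces reaches dtcmd.exe unchanged.
Invoke-Dtcmd @(
    'ACCESS',
    '/operation:DENY',
    '/message:This device does not meet the security requirements for this session.',
    '/title:Access blocked',
    '/timeout:120'    # seconds before the user is disconnected or logged off
)

# Leave an audit trail; EVENT is available to triggered or elevated processes.
Invoke-Dtcmd @(
    'EVENT',
    '/message:Shell access denied by the device compliance trigger',
    '/level:warning',
    '/category:Compliance'
)

# Once the device is compliant again (for example from a Reconnect trigger),
# a second call with ALLOW removes the blocking window.
Invoke-Dtcmd @('ACCESS', '/operation:ALLOW')
```

The wrapper exists only to turn a rejected command into a script error rather than silently continuing; a trigger script that assumes DENY succeeded when the policy was never enabled would report a blocked session that is in fact open.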

Option: APPLOCKER

Controls access to applications by creating Windows AppLocker rules. A name must be supplied to identify the rule. The operation can be ALLOW to allow access, DENY to deny access or DELETE to delete an existing rule. The target field can be either EXECUTABLE (default) to target an executable file, DLL to target a dll, INSTALLER to target an msi, mst or msp file, or SCRIPT to target a ps1, cmd, bat, vbs or js file. Either path, publisher or one or more hash fields must be supplied to define the application that the rule targets. One or more excludepath, excludehash or excludepublisher may also be specified to exclude applications from the rule. The path fields can specify a file or a directory which may include wildcards. The hash field takes the form SourceFilename;SourceFileLength;HashData;HashType, with HashType defaulting to SHA256. The publisher field takes the form PublisherName;ProductName;BinaryName;LowVersion;HighVersion, with all but PublisherName defaulting to * unless specified. The AppLocker rule is deleted on disconnect when /persist is set to CONNECTION (the default), or on logoff when set to SESSION. The ability to execute this option is configurable by policy.

APPLOCKER /name:<name> 
    /operation:ALLOW | DENY | DELETE 
    [/target:EXECUTABLE | DLL | INSTALLER | SCRIPT] 
    [/path:<path>] 
    [/hash:<hash>] 
    [/publisher:<publisher>]  
    [/exceptpath:<path>] 
    [/excepthash:<hash>] 
    [/exceptpublisher:<publisher>] 
    [/persist:CONNECTION | SESSION | PERMANENT]
    [/session:<id>]

Option: APPTERMINATE

Terminates applications that should not be running within the current or specified session. If /policy is specified, applications are identified by analysing the current AppLocker policy. Alternatively, a list of process IDs can be specified within the pid field, or a list of process names within the process field. The timeout field specifies the time period in seconds given to the user to gracefully close their applications and defaults to 60 seconds. A message and optional title are shown to the user during this time. If /autoclose is specified, applications are sent an auto-close request and may shut down immediately. The ability to execute this option is configurable by policy.

APPTERMINATE /message:<msg> 
    [/title:<title>] 
    [/policy] 
    [/pid:<pid>] 
    [/process:<process>] 
    [/timeout:<t>] 
    [/autoclose] 
    [/session:<id>]
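The following PowerShell script is an added example and is not part of the deviceTRUST documentation. It serves both the APPLOCKER and the APPTERMINATE options above: it builds the hash and publisher fields in the documented SourceFilename;SourceFileLength;HashData;HashType and PublisherName;ProductName;BinaryName;LowVersion;HighVersion forms, applies two session-scoped DENY rules, terminates applications that the updated policy no longer allows, and deletes one rule by name. The file path, publisher subject and rule names are constructed placeholders. Two points are assumptions not stated on this page: that the hex digest produced by Get-FileHash is the HashData form dtcmd.exe expects (confirm this against one rule applied by hand), and that a non-zero exit code signals failure.

```powershell
# Added example, not part of the deviceTRUST documentation.
# Assumptions (not stated on this page): the path, publisher subject and rule
# names are constructed placeholders; the Get-FileHash hex digest is assumed to
# be the HashData form dtcmd.exe expects; a non-zero exit code signals failure.

function Invoke-Dtcmd {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dtcmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dtcmd.exe $($Arguments[0]) failed: exit code $LASTEXITCODE" }
}

function New-DtHashField {
    # Hash field form: SourceFilename;SourceFileLength;HashData;HashType
    param([Parameter(Mandatory)][string]$FilePath)
    $item   = Get-Item -LiteralPath $FilePath
    $digest = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    return '{0};{1};{2};SHA256' -f $item.Name, $item.Length, $digest
}

function New-DtPublisherField {
    # Publisher field form: PublisherName;ProductName;BinaryName;LowVersion;HighVersion
    # dtcmd.exe defaults everything after PublisherName to *; passing all five
    # keeps the resulting AppLocker rule readable.
    param(
        [Parameter(Mandatory)][string]$PublisherName,
        [string]$ProductName = '*',
        [string]$BinaryName  = '*',
        [string]$LowVersion  = '*',
        [string]$HighVersion = '*'
    )
    return ($PublisherName, $ProductName, $BinaryName, $LowVersion, $HighVersion) -join ';'
}

# 1. Deny one specific binary by hash (placeholder path).
$legacyTool = 'C:\Tools\legacy.exe'
Invoke-Dtcmd @(
    'APPLOCKER', '/name:Deny legacy tool', '/operation:DENY', '/target:EXECUTABLE',
    "/hash:$(New-DtHashField -FilePath $legacyTool)",
    '/persist:SESSION'    # rule is removed at logoff rather than at disconnect
)

# 2. Deny everything under the users' Downloads folders, except binaries
#    signed by a trusted publisher (placeholder subject name).
$trusted = New-DtPublisherField -PublisherName 'O=EXAMPLE CORP, L=EXAMPLE CITY, C=US' -LowVersion '2.0.0.0'
Invoke-Dtcmd @(
    'APPLOCKER', '/name:Deny downloads', '/operation:DENY',
    '/path:C:\Users\*\Downloads\*',
    "/exceptpublisher:$trusted",
    '/persist:SESSION'
)

# 3. Anything already running that the updated policy no longer allows gets a
#    grace period before termination; /policy evaluates the AppLocker policy.
Invoke-Dtcmd @(
    'APPTERMINATE',
    '/message:An application on this device is no longer permitted and will be closed.',
    '/title:Application blocked',
    '/policy',
    '/timeout:90',
    '/autoclose'
)

# 4. Rules are identified by name, so a later trigger can remove one explicitly
#    instead of waiting for the SESSION persistence to expire at logoff.
Invoke-Dtcmd @('APPLOCKER', '/name:Deny downloads', '/operation:DELETE')
```

Ordering matters: the APPLOCKER rules are applied first so that APPTERMINATE /policy sees the new policy when it decides which processes to close.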

Option: EVENT

Raises an event to the event log with the specified message. The level can be specified as either info, warning or error. An optional category can be supplied for analysis purposes. The ability to execute this option is limited to triggered or elevated processes.

EVENT /message:<msg> 
    [/level:<level>] 
    [/category:<cat>] 
    [/session:<id>]

Option: GET

Queries the properties of the current or supplied session. Properties can be filtered by the optional wildcard expression. If the values argument is specified, then only the property values are returned. The ability to execute this option against a different session is limited to elevated processes.

GET [/filter:<wildcard>] 
    [/values] 
    [/session:<id>]

Option: POPUP

Displays a message to the user of the current or specified session by showing a popup message, which optionally includes the title. The message can be dismissed by the user and does not restrict access to the session. A timeout can be supplied which represents the number of seconds to wait before automatically dismissing the message. The popup can be shown as an Action Center notification, with an optional image. The ability to execute this option is configurable by policy.

POPUP /message:<msg> 
    [/title:<title>] 
    [/timeout:<t>] 
    [/session:<id>] 
    [/notification] 
    [/image:<image>]
Note:
  • The optional image which can be added by the [/image:<image>] command needs to be a .jpg or .png file with the maximum size of 150x150 pixels.

Option: REG

Performs one or more changes within HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE for the user identified by the session id. If no session id is specified, the current user is assumed. The changes are transactional, therefore all succeed or all fail. A name can optionally be specified to undo the changes in a future call. One or more /update or /delete arguments must be specified. The update field takes the form Name;Value;Type;Subpath where Subpath can optionally extend the path argument, and Type can be one of REG_DWORD, REG_SZ or REG_EXPAND_SZ. The delete field takes the form Name;Subpath where Subpath can optionally extend the path argument. The registry changes are reverted to their previous state when called with /undo, on disconnect when /persist is set to CONNECTION (the default), or on logoff when set to SESSION. The ability to execute this option is configurable by policy.

REG /path:<path>
    [/name:<name>] 
    [/update:<update>] 
    [/delete:<delete>] 
    [/persist:CONNECTION | SESSION | PERMANENT]
    [/undo] 
    [/session:<id>]
Note:
  • To apply quotes within the [/update:<update>] argument, replace the quotes with the %QUOTE% variable.
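The following PowerShell script is an added example and is not part of the deviceTRUST documentation. It shows a named, transactional set of REG changes for the session in the documented Name;Value;Type;Subpath and Name;Subpath field forms, writes a string value containing quotes through the %QUOTE% variable from the note above, and reverts the whole set with /undo. The key path, value names and values are constructed placeholders; the use of the full hive name in /path and a non-zero exit code as the failure signal are assumptions not stated on this page.

```powershell
# Added example, not part of the deviceTRUST documentation.
# Assumptions (not stated on this page): the key path, value names and values
# are constructed placeholders; /path is assumed to take the full hive name;
# a non-zero exit code from dtcmd.exe is assumed to signal failure.

function Invoke-Dtcmd {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dtcmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dtcmd.exe $($Arguments[0]) failed: exit code $LASTEXITCODE" }
}

$keyPath    = 'HKEY_CURRENT_USER\Software\ExampleCorp\SessionPolicy'
$changeName = 'SessionPolicy'   # lets a later call undo exactly this set of changes

# Update field form: Name;Value;Type;Subpath   (Subpath extends /path)
# Delete field form: Name;Subpath
# The Banner value contains quote characters; each " is written as %QUOTE%.
# Single-quoted PowerShell strings keep %QUOTE% literal so dtcmd.exe can
# substitute it.
Invoke-Dtcmd @(
    'REG',
    "/path:$keyPath",
    "/name:$changeName",
    '/update:ClipboardRedirection;0;REG_DWORD',
    '/update:Banner;Session managed by %QUOTE%ExampleCorp%QUOTE%;REG_SZ;UI',   # written under ...\SessionPolicy\UI
    '/delete:LegacyOverride',
    '/persist:SESSION'   # reverted at logoff if not undone earlier
)

# Because the set is transactional, a failure in any one update or delete
# leaves the key untouched, so there is no partial state to clean up here.

# Revert this named set before logoff, for example from a Reconnect trigger
# once the device is compliant again.
Invoke-Dtcmd @('REG', "/path:$keyPath", "/name:$changeName", '/undo')
```

Give each logically related set of changes its own /name; an /undo reverts the named set as a unit, so mixing unrelated values under one name makes it impossible to roll back only part of them later.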

Option: SYNC

Synchronises all properties, ensuring that all properties are available on the current or specified session, and optionally that the corresponding Logon or Reconnect triggers have been launched. An optional timeout in seconds can be supplied, which defaults to 30 seconds. The ability to execute this option against a different session is limited to privileged processes.

SYNC [/session:<id>] 
    [/timeout:<t>]
    [/triggers]