---
title: "Locking the kill switches: BIOS, Task Manager, and admin"
description: "An admin can force-quit a blocker, edit the hosts file, or kill its task in seconds. The single move that locks all of those at once, on Mac and Windows."
url: https://tkot.com/journal/lock-bios-task-manager-and-admin-settings/
canonical: https://tkot.com/journal/lock-bios-task-manager-and-admin-settings/
author: "Arya Stark"
published: 2026-06-07
updated: 2026-06-07
category: "Guides"
tags: ["bios", "admin", "task manager", "tamper resistance", "block porn"]
lang: en
---

# Locking the kill switches: BIOS, Task Manager, and admin

> **TL;DR** Force-quitting from Activity Monitor or Task Manager, killing a process from the command line, editing the hosts file, changing the registry, these are all admin-level actions, which means the single highest-leverage lock is removing your own admin rights and running daily life as a standard user, with the admin password held by someone you trust. That one change, plus a tamper-resistant blocker like TKO'T over the top, closes most computer kill switches at once. Add a BIOS or firmware password for the settings below the OS.

On a computer, almost every way to kill a blocker shares one prerequisite: administrator rights. Force-quit it from Activity Monitor or Task Manager, end its process from a terminal, edit the hosts file, change a registry key, uninstall it outright, each of those is something only an admin account can do. That is the good news hiding in the bad: you do not have to lock a dozen separate kill switches, you have to revoke the one permission they all depend on. A tamper-resistant blocker like [TKO'T](/#download) raises the floor, free, but the structural move underneath it is the same on every machine, stop being your own administrator. Defense-only throughout: this names the switches to lock them, never to use them.

## The one move that closes most doors

Create a second account that holds the admin rights, give its password to someone you trust, and demote your daily account to a standard user. On a Mac that is done in [Users & Groups settings](https://support.apple.com/guide/mac-help/change-users-groups-settings-mtusr001/mac); on Windows it is the difference between a [standard and administrator local account](https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts). The effect is sweeping, because a standard account cannot:

- force-quit or end a protected process that is configured to require admin rights,
- uninstall system-level software,
- edit the hosts file or system network settings,
- change the registry's protected keys,
- approve a new configuration profile or disable an existing one.

All of those bypasses, gone in a single setting change, because the account simply lacks the authority to perform them. Day to day you barely notice; the system prompts for the admin password on the rare occasions something legitimate needs it, which is exactly when a held password becomes a five-minute conversation instead of a silent click. This is the spine of [the full Mac lockdown](/journal/how-to-block-porn-on-a-mac/), and it is the most important paragraph on this page.

## Do you still need to lock Task Manager or Activity Monitor individually?

Mostly no, and that is the point: if the blocker is built to require admin rights to be force-quit, a standard account cannot kill it from Task Manager, Activity Monitor, or a command line regardless of whether those tools are open. Locking the tools themselves becomes belt-and-suspenders. There are managed-policy ways to hide Task Manager or restrict the command line on Windows, and they are reasonable extra friction on a heavily locked device, but they are the second layer. The account boundary is the wall; tool restrictions are the trim. Spend your effort on the boundary first, and a [self-healing blocker](/journal/tamper-resistant-porn-blocker-that-survives-weak-moments/) that restarts when force-quit covers the rest.

## The BIOS layer, for what lives below the OS

Admin rights govern the operating system, but some settings sit beneath it, and that is the BIOS or firmware layer's job. A BIOS or UEFI password protects the firmware settings and, together with a locked boot order, stops the [external-boot and live-USB routes](/journal/close-safe-mode-and-boot-level-bypass-routes/) that would otherwise sidestep the OS entirely. "Set a BIOS password and throw the key away" is the right instinct with one correction: do not throw it away, hand it to the same trusted person. Thrown-away is brittle (you will eventually need it for a legitimate repair and be stuck); held-by-someone-else is durable, the unlock exists but not in your pocket, which is the whole [commitment-device principle](https://pubmed.ncbi.nlm.nih.gov/24777472/) in one keystroke.

## The honest ceiling

Say it plainly, as every defense page here does: an administrator with physical access, time, and full determination can reset a BIOS, reinstall an OS, or rebuild the machine. These locks do not aim at the determined engineer with a free afternoon; they aim at the 1 a.m. version of you with five restless minutes, and against that opponent they are decisive. You do not need a vault. You need the kill switches to require a password you deliberately do not have, so the quick bypass becomes a slow, witnessed, sober-headed process, which is exactly the kind an urge cannot complete. Pair the account boundary and the BIOS password with a screen-level blocker for normal use, and the computer stops offering easy exits.

## Frequently asked questions

### How do I stop myself from force-quitting the blocker in Activity Monitor or Task Manager?

Remove your own admin rights: run daily life as a standard user with the admin password held by someone you trust, and use a blocker configured to require admin rights to be force-quit. A standard account then cannot end the protected process from Activity Monitor, Task Manager, or a command line. TKO'T adds self-healing on top, so even a successful force-quit gets restarted.

### How do I block Command Prompt and PowerShell so I can't kill the blocker's task?

The reliable fix is upstream: a standard (non-admin) account cannot end a protected process from the command line regardless of whether the shell is available, so the account boundary does the real work. Windows also offers managed-policy ways to restrict the command line as extra friction on a locked device, but treat that as the second layer behind removing admin rights.

### How do I set a BIOS password to lock settings and throw the key away?

Set a BIOS or UEFI password and lock the boot order to the internal drive, but hand the password to a trusted person rather than destroying it, you will eventually need it for a legitimate repair, and held-elsewhere gives the same protection without the brittleness. With firmware locked, the settings beneath the operating system stop being a bypass route.

### Do I really need to lock Task Manager if I'm already a standard user?

Usually not, the standard-account boundary already prevents ending a protected, admin-required process, so locking Task Manager is belt-and-suspenders rather than essential. It is reasonable extra friction on a heavily locked device, but do not mistake it for the main defense. Removing admin rights is the wall; restricting individual tools is the trim around it.

### Can an admin just undo all of this anyway?

If you keep your own admin rights, yes, instantly, which is the whole reason to hand them to someone else. With the admin and BIOS passwords held elsewhere, the kill switches require a credential you deliberately do not have, turning a ten-second bypass into a slow, witnessed process. A determined person with physical access and time can still rebuild the machine; the urge with five minutes cannot.

---

Source: https://tkot.com/journal/lock-bios-task-manager-and-admin-settings/
Author: Arya Stark
