I'd like to rig a service to run that detects when an application is trying to start, and based on its executable (I'll probably just hash the file and keep a list of blocked app hashes to keep it simple), stop it from executing altogether. Ideally I'd like to accomplish this using C#, but I'd be open to using other platforms if it makes more sense to do so.

I'd thought about hooking into some sort of "process started/starting" event, and using the process ID of the started process to determine the path of the executable (I know how to do the second part, once I have the process ID), and then sending some sort of kill signal if the app is on the blocked list. I'd started investigating this process a while back, but the response I got to this question suggests a flaw in that approach.

Is this, indeed, not a feasible way of solving this problem? Can someone suggest a better route to take?

+1  A: 

Windows does not provide a direct way to generate any kind of notification when a process is about to start. You can find out it got started, as shown in my post with the WMI code. Technically it is possible to inject a DLL into all running processes and detour the CreateProcess() API call. Short from this being potentially very destabilizing, it is also impossible to write code like that in C# language. You can't get the CLR initialized.

It isn't any kind of oversight that this kind of functionality isn't available. It would be a rather easily exploitable security hole.

Hans Passant
So is my best bet to use WMI, note that the process has started, and then do a Process.Kill to shut it down? The reason I was reluctant to go that route was the delay that my WMI code has. It seems like it takes from 1-7 seconds or so before I get the notification that the application has started. Is this as good as I can really hope for, and is this a practical means of controlling which apps are allowed to run?
Mike Pateras
Yeah, you can't do better. Fwiw, I wouldn't recommend doing this at all. Preventing certain processes from starting is a standard feature of Windows security, you assign the Execute right to users that should be allowed to start a program. That's an administrative feature, a service plays no role here.
Hans Passant
Well, I don't necessarily want to always block an app. I'd like to do it conditionally. Perhaps based on time of day, running time, etc. Is it possible to modify those execution rights in code (again preferably in a .NET service)? That sounds like a great solution. I've googled a bit, and will google some more, but do you know of any resources? And thank you for your help, here and earlier. Your WMI code was extremely helpful to me for some reporting functionality I was building.
Mike Pateras
I'm coming up with surprisingly little on this. I'm going to put up a new question on the subject. Thanks again!
Mike Pateras
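A sketch of the WMI detect-then-kill approach discussed in this answer and its comments, written as an added example (not Hans Passant's code or the asker's). It assumes the Win32_ProcessStartTrace event class, a blocklist of SHA-256 hashes of executable images, and a caller with enough rights to read the image and terminate the target.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Management;   // reference System.Management.dll
using System.Security.Cryptography;
// Hypothetical detect-and-terminate watcher: WMI reports a process start, the image on
// disk is hashed, and a blocklisted image is killed. The process is already running when
// the event arrives, so this is not prevention; Win32_ProcessStartTrace needs an admin caller.
class BlockedProcessWatcher
{
    // Constructed placeholder: fill with SHA-256 hashes of executables to block.
    static readonly HashSet<string> BlockedHashes = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "<sha256-of-blocked-exe>" };
    static void Main()
    {
        var query = new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace");
        using (var watcher = new ManagementEventWatcher(query))
        {
            watcher.EventArrived += OnProcessStarted;
            watcher.Start();
            Console.ReadLine();   // keep watching until Enter is pressed
            watcher.Stop();
        }
    }
    static void OnProcessStarted(object sender, EventArrivedEventArgs e)
    {
        int pid = Convert.ToInt32(e.NewEvent["ProcessID"]);
        try
        {
            // MainModule throws for protected or already-exited processes; the filter below skips them.
            var proc = Process.GetProcessById(pid);
            string hash = HashFile(proc.MainModule.FileName);
            if (!BlockedHashes.Contains(hash)) return;
            Console.WriteLine($"Blocked hash {hash}: terminating PID {pid}");
            proc.Kill();
        }
        catch (Exception ex) when (ex is ArgumentException || ex is IOException
            || ex is InvalidOperationException || ex is UnauthorizedAccessException
            || ex is System.ComponentModel.Win32Exception) { /* gone or access denied */ }
    }
    // SHA-256 of the executable as upper-case hex, the form kept in BlockedHashes.
    static string HashFile(string path)
    {
        using (var sha = SHA256.Create())
        using (var fs = File.OpenRead(path))
            return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
    }
}
```

Because the target is already running when the notification arrives, whatever it did before Kill() completes has already happened; the administrative Execute-right approach the answer recommends prevents the start instead of reacting to it.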
+1  A: 

See http://www.codeproject.com/KB/vista/api-hooks.aspx?msg=3327111, http://www.codeproject.com/KB/threads/winspy.aspx and http://www.codeproject.com/KB/dotnet/objectspy.aspx

unclepaul84
I know that AppInit_DLLs works well at shutting down the "unwanted" processes. I recently had to battle a virus that installed itself as one of those DLLs and would auto-shut down any antivirus application. Furthermore all processes that loaded the virus DLL monitor the registry and undo any changes to the AppInit_DLLs made by the user.
unclepaul84