Hello everyone!
I have the following task: when my device (usb flash drives) appear in the system, allow only those applications (processes) that the user has approved to launch. I would like to know, is it better to use a custom mode (TerminateProcess) or via kernel mode (ZwTerminateProcess, CreateProcessNotifyEx, PsSetCreateProcessNotifyRoutineEx)? Or maybe there is another way? For example, the user allowed to start only Notepad, then the launch of any other program should be rejected.
I would go with PsSetCreateProcessNotifyRoutineEx.
This has worked on my solutions for years.
.> @Fernando_Roberto said:
I would go with PsSetCreateProcessNotifyRoutineEx.
This has worked on my solutions for years.
Thank you, Roberto, for your advice. I will move in this direction.