To my knowledge, you cannot determine that a file is going to be executed from IRP_MJ_CREATE.
The method we are using is to hook IRP_MJ_ACQUIRE_SECTION_FOR_SYNCHRONIZATION, and check Data->Iopb->Parameters.AcquireSectionForSynchronization.PageProtection for PAGE_EXECUTE.
Thanks, Rod! I was not using that method, and I see from my logs that I could prevent most (all?) of these from even opening by checking Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess for FILE_EXECUTE.
In case it’s not obvious - EXECUTE access is a necessary, but not sufficient condition. Some applications can (and do) ask for all sorts of things that they don’t need. On the other hand, this might not matter for you, but pre-create is a lot nicer place to be when you want to do something.
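The two checks discussed in this thread, written out as an added user-mode model that is not code from any of the posters or from the WDK: the execute-protection test on the PageProtection parameter of the acquire-section callback, the FILE_EXECUTE test on DesiredAccess in pre-create, and the combination that reflects the caveat above (execute access on the handle is only a candidate until an executable section is actually created). The constants carry the documented Windows values and are guarded so the same file builds next to the kernel headers; the function names, the struct-free signatures and the sample events are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Documented NT page-protection and access-mask values. Each group is guarded
 * so this file compiles as a stand-alone user-mode program (no WDK) and also
 * alongside ntifs.h/winnt.h, where the real definitions take precedence. */
#ifndef PAGE_READONLY
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#endif
#ifndef FILE_READ_DATA
#define FILE_READ_DATA         0x0001u
#define FILE_WRITE_DATA        0x0002u
#define FILE_EXECUTE           0x0020u
#define FILE_READ_ATTRIBUTES   0x0080u
#endif
#ifndef GENERIC_EXECUTE
#define GENERIC_EXECUTE        0x20000000u
#define GENERIC_ALL            0x10000000u
#endif

/* Any page protection that permits instruction fetch. This is the test a
 * filter applies to the PageProtection parameter of the acquire-section-for-
 * synchronization callback: a section created with one of these protections
 * is an executable mapping, the only point at which execution is certain. */
bool SectionIsExecutable(uint32_t pageProtection)
{
    const uint32_t executeMask = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                                 PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    /* Modifier bits may be ORed into the protection, so test the execute
     * bits rather than comparing the whole value for equality. */
    return (pageProtection & executeMask) != 0;
}

/* Pre-create filter: does the caller ask for execute access at all?
 * false: the handle can never be used to map the file for execution, so the
 *        create can be ignored.
 * true:  only a candidate. Applications routinely request EXECUTE (or
 *        GENERIC_ALL) and never map the file.
 * Generic bits are tested defensively; this example assumes they are
 * normally already mapped to specific rights when a filter sees DesiredAccess. */
bool CreateRequestsExecute(uint32_t desiredAccess)
{
    return (desiredAccess & (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL)) != 0;
}

/* Combine both observations for one file object, as a filter that remembered
 * its pre-create verdict would at section-acquire time. True only when execute
 * access was requested on the handle AND the section is executable. */
bool FileIsBeingExecuted(uint32_t desiredAccess, uint32_t pageProtection)
{
    return CreateRequestsExecute(desiredAccess) && SectionIsExecutable(pageProtection);
}

/* Constructed sample events: access mask at create, protection at section acquire. */
struct SampleEvent {
    const char *description;
    uint32_t desiredAccess;
    uint32_t pageProtection;
};

static const struct SampleEvent kSamples[] = {
    { "loader mapping an image",                   FILE_READ_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES, PAGE_EXECUTE_WRITECOPY },
    { "app opening with EXECUTE but only reading", FILE_READ_DATA | FILE_EXECUTE,                        PAGE_READONLY },
    { "editor opening read/write",                 FILE_READ_DATA | FILE_WRITE_DATA,                     PAGE_READWRITE },
};

int main(void)
{
    for (size_t i = 0; i < sizeof kSamples / sizeof kSamples[0]; i++) {
        const struct SampleEvent *e = &kSamples[i];
        printf("%-45s create-candidate=%d executed=%d\n", e->description,
               CreateRequestsExecute(e->desiredAccess),
               FileIsBeingExecuted(e->desiredAccess, e->pageProtection));
    }
    return 0;
}
```

The second sample is the case described in this thread: an application that asks for execute access at create and then maps the file read-only, which the pre-create test alone would count as an execution and the section-protection test correctly rejects.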
I quickly found that to be the case, Rod. I already knew that many apps request write access when they don’t need it. Seems they also request execute access when they don’t intend to execute.
Thanks for the advice.
@rod_widdowson said: EXECUTE access is a necessary, but not sufficient condition.