Application Installation & Uninstallation

I am sorry if this is a stupid question.

Can I do something in my filter driver which restricts the user from
installing or uninstalling any application/software from the system? I know
about failing an irp_mj_write or irp_mj_create. But that I guess will be a
disaster.

So could it be something like we have some process or thread which is
only used for installation and uninstallation, and I fail that.

Any ideas?

Regards
Anurag

How about removing the add/remove entry in the registry? Or obscuring
access to it?

This wouldn't cover someone just deleting the directories though…

Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: 09 November 2004 13:38
To: Windows System Software Devs Interest List
Subject: [ntdev] Application Installation & Uninstallation


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

I don’t think it’s a stupid question, but I think you’re in for a tough
time to actually prevent anyone from installing software on the machine and
still have a useable machine.

An application installation is no different from say copying an executable
file from one place to another, or uncompressing a zip file.

Both of which to a filter driver would just appear as read/write
operations.

Of course, failing create/write to any file called *.exe, *.dll or *.sys
would be one way to prevent installation. Failing deletion of .exe, .dll
and .sys would be a good idea too. Same with rename/move operations.

Some application installers write to the registry, but there’s no rule that
says that they HAVE to do that.

One way to prevent new applications from installing would be to prevent
the “Program Files” directory from being written, but then not all programs
install in “Program Files”.

It’s probably easier to have an anti-virus type approach to check for
suspicious types of code, rather than trying to prevent people from
installing applications in general. So if you don’t want people to
install/run Doom, check for a signature of Doom in the file being loaded
and fail it. But that of course wouldn’t work if there is a small
application that encrypts when “installing” and “decrypts” when loading it.
I think it’s perfectly possible to write such a “loader” program that just
fools an anti-run policy, but it would require a little bit more effort
than just dumping a CD of doom on the machine.


Mats
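
The name-based policy described in the reply above (fail create/write, delete and rename for *.exe, *.dll and *.sys, but leave reads alone), as an added example that is not part of the original thread and is not driver code. It is a user-mode model of the decision only; the `op_kind` values, `is_guarded_name` and `should_deny` are hypothetical names, and paths are assumed to be full backslash-separated paths as a filter would see them.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical operation kinds, standing in for what the filter sees. */
typedef enum { OP_OPEN_READ, OP_OPEN_WRITE, OP_CREATE_NEW, OP_DELETE, OP_RENAME } op_kind;

static const char *const kGuarded[] = { "exe", "dll", "sys" };

/* Case-insensitive compare of n chars of s against a lower-case literal. */
static bool ext_equals(const char *s, size_t n, const char *lit) {
    if (strlen(lit) != n) return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != lit[i]) return false;
    return true;
}

/* True if the final path component has a guarded extension. */
bool is_guarded_name(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    size_t len = strcspn(base, ":");      /* ignore a ":stream" suffix */
    /* Win32 name normalization drops trailing dots and spaces. */
    while (len && (base[len - 1] == '.' || base[len - 1] == ' ')) len--;
    size_t dot = len;
    while (dot && base[dot - 1] != '.') dot--;
    if (dot == 0) return false;           /* no extension at all */
    for (size_t i = 0; i < sizeof kGuarded / sizeof kGuarded[0]; i++)
        if (ext_equals(base + dot, len - dot, kGuarded[i])) return true;
    return false;
}

/* Policy decision: true means the filter would fail the request. */
bool should_deny(op_kind op, const char *path, const char *rename_target) {
    switch (op) {
    case OP_OPEN_READ:  return false;     /* existing programs must still load */
    case OP_OPEN_WRITE:
    case OP_CREATE_NEW:
    case OP_DELETE:     return is_guarded_name(path);
    case OP_RENAME:     /* check both names: a .tmp renamed to .dll is an install */
        return is_guarded_name(path) ||
               (rename_target != NULL && is_guarded_name(rename_target));
    }
    return false;
}
```

As the reply notes, this only keys on names: an installer that needs no new binary, or content stored under another extension, is outside what the check can see.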


Ok where do we get add/remove entry in the registry?

I manage the deleting of directories by failing disposition-> delete and
hiding them.

thanks
anurag

-----Original Message-----
From: Rob Linegar [mailto:xxxxx@des.co.uk]
Sent: Tuesday, November 09, 2004 7:36 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Application Installation & Uninstallation


http://www.google.com/search?hl=en&lr=&safe=off&q=registry+add+remove

returns…

http://support.microsoft.com/kb/247501
http:tup/uninstall_registry_key.asp>

this is getting off topic for this list…

Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com



From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: 09 November 2004 14:43
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Application Installation & Uninstallation
