RE: Is it possible to prevent any .exe file from getting executed?

There are lots of FAT(16|32) partitions in the world, so for many
purposes NTFS permissions aren’t enough. There are mechanisms in both
2k+ and 9x to be notified on process creation. You could then examine
the image on disk (crc32 or md5 or similar, depending on performance
considerations) and terminate the process if necessary. You can
actually catch all PE images this way. Check out
PsSetLoadImageNotifyRoutine for 2k. I don’t remember exactly which 9x
service, but I think we hooked the Create_Thread VMM message. My
application just did process accounting, but I suppose it would be
possible to terminate too.

-sd

On Fri, 2002-08-09 at 07:47, Art Baker wrote:

Assuming the .EXE lives on an NTFS partition, the easiest way to
allow/prevent execution is to attach a suitable access-control list to the
file.

Writing a driver for this purpose seems a bit like recreating something that
the operating system will already do for you…

Regards,
Art Baker

> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Anand
> Sent: Friday, August 09, 2002 3:02 AM
> To: NT Developers Interest List
> Subject: [ntdev] Is it possible to prevent any .exe file from getting
> executed?
>
>
> Hello all,
> Is it possible to prevent any .exe file from getting executed? I want to
> monitor any exe file execution. What exactly happens when I double
> click the .exe file? Can we make a poll mode driver which will detect the
> start of .exe file and it will terminate that process at that point of
> time? I know that prevention of execution of exe file is possible if I
> remove the .exe file entry from the registry. But can we do it
> programmatically, I mean through drivers? I am using WinDbg 6.0.
> Anand.



Steve Dispensa
Chief Technology Officer
Positive Networks
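
An added example, not part of the original thread or of any poster's driver: the user-space core of the check described in the top message, which confirms that a file is a PE image, checksums it with CRC-32, and compares the result against a block list. The function names, the block list and the sample buffer are assumptions constructed for illustration; CRC-32 is used because the message names it, and it detects changes to an image rather than resisting deliberate collisions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Returns 1 if buf looks like a PE image: "MZ" DOS header whose e_lfanew
   field (offset 0x3C, little-endian) points at the "PE\0\0" signature. */
int is_pe_image(const uint8_t *buf, size_t n) {
    if (n < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t off = (uint32_t)buf[0x3C] | ((uint32_t)buf[0x3D] << 8) |
                   ((uint32_t)buf[0x3E] << 16) | ((uint32_t)buf[0x3F] << 24);
    if (off > n || n - off < 4) return 0;   /* bounds check before reading */
    return memcmp(buf + off, "PE\0\0", 4) == 0;
}

enum verdict { NOT_PE = 0, ALLOW = 1, DENY = 2 };

/* Hypothetical policy check a notification handler could call with the image
   bytes read from disk: deny when the checksum is on the block list. */
enum verdict check_image(const uint8_t *buf, size_t n,
                         const uint32_t *blocked, size_t nblocked) {
    if (!is_pe_image(buf, n)) return NOT_PE;
    uint32_t crc = crc32_buf(buf, n);
    for (size_t i = 0; i < nblocked; i++)
        if (blocked[i] == crc) return DENY;
    return ALLOW;
}

/* Builds a constructed, minimal PE-shaped buffer (sample input, not a real
   executable): "MZ", e_lfanew = 0x40, "PE\0\0" at 0x40. Returns its length. */
size_t make_sample(uint8_t *out, size_t cap) {
    if (cap < 0x48) return 0;
    memset(out, 0, 0x48);
    out[0] = 'M'; out[1] = 'Z'; out[0x3C] = 0x40;
    memcpy(out + 0x40, "PE\0\0", 4);
    return 0x48;
}
```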