This approach will never work reliably, no matter what. All you get is
security through obscurity, anyway. Security should control *capabilities*,
and the name of an executable is not a capability, nor is it an identity.
I can’t count the number of public “kiosk” machines that I have encountered
that do what they can to block access to certain programs / functionality /
etc., but which can be trivially bypassed by stupid shell tricks.
– arlie
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Eugene Lomovsky
Sent: Monday, August 01, 2005 12:27 PM
To: Windows File Systems Devs Interest List
Subject: SPAM-LOW: Re:[ntfsd] Beginner Question.
Greetings mortal, Don!
You wrote on Mon, 1 Aug 2005 10:52:22 -0400:
DB> Ok,
DB> Most calls to the callback from PsSetImageLoadNotifyRoutine are made
DB> in the context of the initial thread of the process. It is messy, but
DB> terminating that thread will kill the process before it can do anything.
DB> It is claimed, though I have not encountered it, that there are
DB> cases where you are in another process (or system) context. A
DB> safer way than above is to have a service that can open the process
DB> and call TerminateProcess on it. The service calls into the driver
DB> with a number of IOCTLs that pend till a process you wish to
DB> terminate appears, then you complete them in the callback from
DB> PsSetImageLoadNotifyRoutine with the process ID returned as part of
DB> the data.
What about .cmd, .bat, .pif, .dll (.fon and yet .com from VDM)? I didn’t
experiment with this function (you will see later why). Do all the threads
have THREAD_TERMINATE access?
Don’t forget about PsSetImageLoadNotifyRoutine’s “The system registers up to
eight such load-image callbacks.” ONLY 8! What do you do when
PsSetImageLoadNotifyRoutine fails? BSOD? I can’t rely on a case and this
function is a toy for me at the present time…
Eugene.