Block any program at specific paths from being started











up vote
0
down vote

favorite












I want to block any program at a specific full-path name from being executed.



For example, if D:foo.exe is in the blacklist, any program renamed and moved to that path will not run. If renamed or moved to something or somewhere else, then the program may run if other conditions allow (ACL, etc.).



Is there a solution that will work across all versions starting from Vista (NT 6.0)? Additionally, is there any solution specific to Windows 10? If so, what is the "minimum required" version (e.g. v1507)?










share|improve this question






















  • How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
    – Kamil Maciorowski
    Nov 20 at 8:23










  • @KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
    – iBug
    Nov 20 at 8:38










  • Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
    – Kamil Maciorowski
    Nov 20 at 8:42










  • @KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
    – iBug
    Nov 20 at 8:49

















up vote
0
down vote

favorite












I want to block any program at a specific full-path name from being executed.



For example, if D:foo.exe is in the blacklist, any program renamed and moved to that path will not run. If renamed or moved to something or somewhere else, then the program may run if other conditions allow (ACL, etc.).



Is there a solution that will work across all versions starting from Vista (NT 6.0)? Additionally, is there any solution specific to Windows 10? If so, what is the "minimum required" version (e.g. v1507)?










share|improve this question






















  • How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
    – Kamil Maciorowski
    Nov 20 at 8:23










  • @KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
    – iBug
    Nov 20 at 8:38










  • Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
    – Kamil Maciorowski
    Nov 20 at 8:42










  • @KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
    – iBug
    Nov 20 at 8:49















up vote
0
down vote

favorite









up vote
0
down vote

favorite











I want to block any program at a specific full-path name from being executed.



For example, if D:foo.exe is in the blacklist, any program renamed and moved to that path will not run. If renamed or moved to something or somewhere else, then the program may run if other conditions allow (ACL, etc.).



Is there a solution that will work across all versions starting from Vista (NT 6.0)? Additionally, is there any solution specific to Windows 10? If so, what is the "minimum required" version (e.g. v1507)?










share|improve this question













I want to block any program at a specific full-path name from being executed.



For example, if D:foo.exe is in the blacklist, any program renamed and moved to that path will not run. If renamed or moved to something or somewhere else, then the program may run if other conditions allow (ACL, etc.).



Is there a solution that will work across all versions starting from Vista (NT 6.0)? Additionally, is there any solution specific to Windows 10? If so, what is the "minimum required" version (e.g. v1507)?







windows






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 20 at 8:18









iBug

2,20441639




2,20441639












  • How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
    – Kamil Maciorowski
    Nov 20 at 8:23










  • @KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
    – iBug
    Nov 20 at 8:38










  • Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
    – Kamil Maciorowski
    Nov 20 at 8:42










  • @KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
    – iBug
    Nov 20 at 8:49




















  • How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
    – Kamil Maciorowski
    Nov 20 at 8:23










  • @KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
    – iBug
    Nov 20 at 8:38










  • Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
    – Kamil Maciorowski
    Nov 20 at 8:42










  • @KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
    – iBug
    Nov 20 at 8:49


















How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
– Kamil Maciorowski
Nov 20 at 8:23




How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
– Kamil Maciorowski
Nov 20 at 8:23












@KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
– iBug
Nov 20 at 8:38




@KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
– iBug
Nov 20 at 8:38












Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
– Kamil Maciorowski
Nov 20 at 8:42




Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
– Kamil Maciorowski
Nov 20 at 8:42












@KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
– iBug
Nov 20 at 8:49






@KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
– iBug
Nov 20 at 8:49












1 Answer
1






active

oldest

votes

















up vote
0
down vote













You will need to write your own anti-exec program.



There are various articles to be found on hooking process creation in the kernel,
but they all require installing a driver, which is not very portable and will
encounter driver signature problems on later Windows versions.



The simplest solution would be to write a small DLL to be injected into all
processes, which will, in the context of the process, get its path and
terminate it immediately if coming from this path.



Injecting the DLL is done using regedit and navigating to
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



See the Microsoft article
Working with the AppInit_DLLs registry value.



A skeleton for such a DLL may look like:



BOOL
WINAPI
DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
TCHAR acModule[MAX_PATH];
switch (dwReason) {
case DLL_PROCESS_ATTACH:
GetModuleFileName(NULL,acModule,MAX_PATH);
to_be_written(acModule);
break;
default:
break;
}
return TRUE;
}





share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1376891%2fblock-any-program-at-specific-paths-from-being-started%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    You will need to write your own anti-exec program.



    There are various articles to be found on hooking process creation in the kernel,
    but they all require installing a driver, which is not very portable and will
    encounter driver signature problems on later Windows versions.



    The simplest solution would be to write a small DLL to be injected into all
    processes, which will, in the context of the process, get its path and
    terminate it immediately if coming from this path.



    Injecting the DLL is done using regedit and navigating to
    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
    On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



    See the Microsoft article
    Working with the AppInit_DLLs registry value.



    A skeleton for such a DLL may look like:



    BOOL
    WINAPI
    DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
    TCHAR acModule[MAX_PATH];
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
    GetModuleFileName(NULL,acModule,MAX_PATH);
    to_be_written(acModule);
    break;
    default:
    break;
    }
    return TRUE;
    }





    share|improve this answer



























      up vote
      0
      down vote













      You will need to write your own anti-exec program.



      There are various articles to be found on hooking process creation in the kernel,
      but they all require installing a driver, which is not very portable and will
      encounter driver signature problems on later Windows versions.



      The simplest solution would be to write a small DLL to be injected into all
      processes, which will, in the context of the process, get its path and
      terminate it immediately if coming from this path.



      Injecting the DLL is done using regedit and navigating to
      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
      On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



      See the Microsoft article
      Working with the AppInit_DLLs registry value.



      A skeleton for such a DLL may look like:



      BOOL
      WINAPI
      DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
      TCHAR acModule[MAX_PATH];
      switch (dwReason) {
      case DLL_PROCESS_ATTACH:
      GetModuleFileName(NULL,acModule,MAX_PATH);
      to_be_written(acModule);
      break;
      default:
      break;
      }
      return TRUE;
      }





      share|improve this answer

























        up vote
        0
        down vote










        up vote
        0
        down vote









        You will need to write your own anti-exec program.



        There are various articles to be found on hooking process creation in the kernel,
        but they all require installing a driver, which is not very portable and will
        encounter driver signature problems on later Windows versions.



        The simplest solution would be to write a small DLL to be injected into all
        processes, which will, in the context of the process, get its path and
        terminate it immediately if coming from this path.



        Injecting the DLL is done using regedit and navigating to
        HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
        On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



        See the Microsoft article
        Working with the AppInit_DLLs registry value.



        A skeleton for such a DLL may look like:



        BOOL
        WINAPI
        DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
        TCHAR acModule[MAX_PATH];
        switch (dwReason) {
        case DLL_PROCESS_ATTACH:
        GetModuleFileName(NULL,acModule,MAX_PATH);
        to_be_written(acModule);
        break;
        default:
        break;
        }
        return TRUE;
        }





        share|improve this answer














        You will need to write your own anti-exec program.



        There are various articles to be found on hooking process creation in the kernel,
        but they all require installing a driver, which is not very portable and will
        encounter driver signature problems on later Windows versions.



        The simplest solution would be to write a small DLL to be injected into all
        processes, which will, in the context of the process, get its path and
        terminate it immediately if coming from this path.



        Injecting the DLL is done using regedit and navigating to
        HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
        On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



        See the Microsoft article
        Working with the AppInit_DLLs registry value.



        A skeleton for such a DLL may look like:



        BOOL
        WINAPI
        DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
        TCHAR acModule[MAX_PATH];
        switch (dwReason) {
        case DLL_PROCESS_ATTACH:
        GetModuleFileName(NULL,acModule,MAX_PATH);
        to_be_written(acModule);
        break;
        default:
        break;
        }
        return TRUE;
        }






        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 20 at 20:18

























        answered Nov 20 at 14:10









        harrymc

        248k10257546




        248k10257546






























             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1376891%2fblock-any-program-at-specific-paths-from-being-started%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

            Alcedinidae

            Origin of the phrase “under your belt”?