I've been researching this topic for a while. I found many posts from
people trying to resolve similar problems, but I have yet to find a
solution that truly works (i.e. one that is not just an idea).
I need to prevent specific programs from executing *after* there is a
request for their execution. I don't need this for the purposes of
controlling access to executables, so a solution that is based on
access rights and simply prevents the user from being able to start a
program is not applicable.
What I need is to intercept the process creation sequence and, if
necessary, interfere with it so that the process terminates cleanly, as
if the first thing it did was to call ExitProcess.
I can think of two general ways this can be accomplished:
1) Somehow kill the process after it was created but before it could
manage to do anything.
2) Somehow make the system start another executable instead of the
requested one. That is, when the user attempts to run program A, run
program B instead.
Some people have suggested that 1) can be done in the
PsSetLoadImageNotifyRoutine callback, by calling ZwTerminateProcess if
needed. I tried to implement this strategy, but ZwTerminateProcess
returns INVALID_HANDLE (I am calling it with the handle passed to the
I also read this post:
It suggests replacing the main thread function with ExitProcess. While I
haven't tried it, thread functions and ExitProcess have different
arguments, and I would think that swapping one for the other is at least
My preference would be to get 2) to work. One reason is that when the
requested program should not run, what I really want is to create the
impression that it ran and returned whatever exit code I choose. Being
able to quietly substitute my own executable puts me in control, so I
can do whatever I choose.
Has anyone done something similar? While I do want to find a working
solution, I'd appreciate any ideas or suggestions, even if they're not
tested in practice.