Block any program at specific paths from being started











up vote
0
down vote

favorite












I want to block any program at a specific full-path name from being executed.



For example, if D:foo.exe is in the blacklist, any program renamed and moved to that path will not run. If renamed or moved to something or somewhere else, then the program may run if other conditions allow (ACL, etc.).



Is there a solution that will work across all versions starting from Vista (NT 6.0)? Additionally, is there any solution specific to Windows 10? If so, what is the "minimum required" version (e.g. v1507)?






windows







share|improve this question






















  • How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
    – Kamil Maciorowski
    Nov 20 at 8:23










  • @KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
    – iBug
    Nov 20 at 8:38










  • Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
    – Kamil Maciorowski
    Nov 20 at 8:42










  • @KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
    – iBug
    Nov 20 at 8:49

















up vote
0
down vote

favorite












I want to block any program at a specific full-path name from being executed.



For example, if D:foo.exe is in the blacklist, any program renamed and moved to that path will not run. If renamed or moved to something or somewhere else, then the program may run if other conditions allow (ACL, etc.).



Is there a solution that will work across all versions starting from Vista (NT 6.0)? Additionally, is there any solution specific to Windows 10? If so, what is the "minimum required" version (e.g. v1507)?






windows







share|improve this question






















  • How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
    – Kamil Maciorowski
    Nov 20 at 8:23










  • @KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
    – iBug
    Nov 20 at 8:38










  • Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
    – Kamil Maciorowski
    Nov 20 at 8:42










  • @KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
    – iBug
    Nov 20 at 8:49















up vote
0
down vote

favorite









up vote
0
down vote

favorite











I want to block any program at a specific full-path name from being executed.



For example, if D:foo.exe is in the blacklist, any program renamed and moved to that path will not run. If renamed or moved to something or somewhere else, then the program may run if other conditions allow (ACL, etc.).



Is there a solution that will work across all versions starting from Vista (NT 6.0)? Additionally, is there any solution specific to Windows 10? If so, what is the "minimum required" version (e.g. v1507)?






windows







share|improve this question













I want to block any program at a specific full-path name from being executed.



For example, if D:foo.exe is in the blacklist, any program renamed and moved to that path will not run. If renamed or moved to something or somewhere else, then the program may run if other conditions allow (ACL, etc.).



Is there a solution that will work across all versions starting from Vista (NT 6.0)? Additionally, is there any solution specific to Windows 10? If so, what is the "minimum required" version (e.g. v1507)?






windows




windows






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 20 at 8:18









iBug

2,20441639




2,20441639












  • How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
    – Kamil Maciorowski
    Nov 20 at 8:23










  • @KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
    – iBug
    Nov 20 at 8:38










  • Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
    – Kamil Maciorowski
    Nov 20 at 8:42










  • @KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
    – iBug
    Nov 20 at 8:49




















  • How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
    – Kamil Maciorowski
    Nov 20 at 8:23










  • @KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
    – iBug
    Nov 20 at 8:38










  • Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
    – Kamil Maciorowski
    Nov 20 at 8:42










  • @KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
    – iBug
    Nov 20 at 8:49


















How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
– Kamil Maciorowski
Nov 20 at 8:23




How about creating a placeholder D:foo.exe? With ACL so it cannot be overwritten, removed, executed etc.
– Kamil Maciorowski
Nov 20 at 8:23












@KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
– iBug
Nov 20 at 8:38




@KamilMaciorowski Good idea. That's not applicable in my case because the drive may be formatted, or other way that the ACL could be overridden programatically.
– iBug
Nov 20 at 8:38












Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
– Kamil Maciorowski
Nov 20 at 8:42




Is there some X behind this Y? (like in XY problem). If the drive may be formatted or the executable may be renamed (and it's OK to run it then), then what's the point?
– Kamil Maciorowski
Nov 20 at 8:42












@KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
– iBug
Nov 20 at 8:49






@KamilMaciorowski The actual case is that I'm going to perform some testing, and I repeatedly reset the testing area. For some other reasons, the path is fixed. I need the path to be blocked, but I'm in no need of blocking any specific program (files).
– iBug
Nov 20 at 8:49












1 Answer
1






active

oldest

votes

















up vote
0
down vote













You will need to write your own anti-exec program.



There are various articles to be found on hooking process creation in the kernel,
but they all require installing a driver, which is not very portable and will
encounter driver signature problems on later Windows versions.



The simplest solution would be to write a small DLL to be injected into all
processes, which will, in the context of the process, get its path and
terminate it immediately if coming from this path.



Injecting the DLL is done using regedit and navigating to
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



See the Microsoft article
Working with the AppInit_DLLs registry value.



A skeleton for such a DLL may look like:



BOOL

WINAPI

DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {

  TCHAR acModule[MAX_PATH];

  switch (dwReason) {

    case DLL_PROCESS_ATTACH:

      GetModuleFileName(NULL,acModule,MAX_PATH);

      to_be_written(acModule);

      break;

    default:

      break;

  }

  return TRUE;

}





share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1376891%2fblock-any-program-at-specific-paths-from-being-started%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    You will need to write your own anti-exec program.



    There are various articles to be found on hooking process creation in the kernel,
    but they all require installing a driver, which is not very portable and will
    encounter driver signature problems on later Windows versions.



    The simplest solution would be to write a small DLL to be injected into all
    processes, which will, in the context of the process, get its path and
    terminate it immediately if coming from this path.



    Injecting the DLL is done using regedit and navigating to
    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
    On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



    See the Microsoft article
    Working with the AppInit_DLLs registry value.



    A skeleton for such a DLL may look like:



    BOOL
    
WINAPI
    
DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
    
  TCHAR acModule[MAX_PATH];
    
  switch (dwReason) {
    
    case DLL_PROCESS_ATTACH:
    
      GetModuleFileName(NULL,acModule,MAX_PATH);
    
      to_be_written(acModule);
    
      break;
    
    default:
    
      break;
    
  }
    
  return TRUE;
    
}





    share|improve this answer



























      up vote
      0
      down vote













      You will need to write your own anti-exec program.



      There are various articles to be found on hooking process creation in the kernel,
      but they all require installing a driver, which is not very portable and will
      encounter driver signature problems on later Windows versions.



      The simplest solution would be to write a small DLL to be injected into all
      processes, which will, in the context of the process, get its path and
      terminate it immediately if coming from this path.



      Injecting the DLL is done using regedit and navigating to
      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
      On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



      See the Microsoft article
      Working with the AppInit_DLLs registry value.



      A skeleton for such a DLL may look like:



      BOOL
      
WINAPI
      
DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
      
  TCHAR acModule[MAX_PATH];
      
  switch (dwReason) {
      
    case DLL_PROCESS_ATTACH:
      
      GetModuleFileName(NULL,acModule,MAX_PATH);
      
      to_be_written(acModule);
      
      break;
      
    default:
      
      break;
      
  }
      
  return TRUE;
      
}





      share|improve this answer

























        up vote
        0
        down vote










        up vote
        0
        down vote









        You will need to write your own anti-exec program.



        There are various articles to be found on hooking process creation in the kernel,
        but they all require installing a driver, which is not very portable and will
        encounter driver signature problems on later Windows versions.



        The simplest solution would be to write a small DLL to be injected into all
        processes, which will, in the context of the process, get its path and
        terminate it immediately if coming from this path.



        Injecting the DLL is done using regedit and navigating to
        HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
        On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



        See the Microsoft article
        Working with the AppInit_DLLs registry value.



        A skeleton for such a DLL may look like:



        BOOL
        
WINAPI
        
DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
        
  TCHAR acModule[MAX_PATH];
        
  switch (dwReason) {
        
    case DLL_PROCESS_ATTACH:
        
      GetModuleFileName(NULL,acModule,MAX_PATH);
        
      to_be_written(acModule);
        
      break;
        
    default:
        
      break;
        
  }
        
  return TRUE;
        
}





        share|improve this answer














        You will need to write your own anti-exec program.



        There are various articles to be found on hooking process creation in the kernel,
        but they all require installing a driver, which is not very portable and will
        encounter driver signature problems on later Windows versions.



        The simplest solution would be to write a small DLL to be injected into all
        processes, which will, in the context of the process, get its path and
        terminate it immediately if coming from this path.



        Injecting the DLL is done using regedit and navigating to
        HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs.
        On later versions of Windows, AppInit_DLLs is disabled when Secure Boot is enabled.



        See the Microsoft article
        Working with the AppInit_DLLs registry value.



        A skeleton for such a DLL may look like:



        BOOL
        
WINAPI
        
DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID) {
        
  TCHAR acModule[MAX_PATH];
        
  switch (dwReason) {
        
    case DLL_PROCESS_ATTACH:
        
      GetModuleFileName(NULL,acModule,MAX_PATH);
        
      to_be_written(acModule);
        
      break;
        
    default:
        
      break;
        
  }
        
  return TRUE;
        
}






        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 20 at 20:18

























        answered Nov 20 at 14:10









        harrymc

        248k10257546




        248k10257546






























             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1376891%2fblock-any-program-at-specific-paths-from-being-started%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror

            Image
            0 I recently upgraded an Ubuntu 16.04 virtual machine to 18.04. I regularly use this VM to run apt-mirror at school on their high-speed internet, then rsync these files to my rack-mount server at home for updating multiple computers at home without wasting the tiny amount of bandwidth I have there. Since updating I can't get apt-mirror to run on my VM. It keeps giving the error: flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror line 214 immediately followed by: apt-mirror is already running, exiting at /usr/bin/apt-mirror line 217 apt-mirror is NOT running, and does not have a cron job. I've tried rebooting, and even looked for the old-style lockfile to delete, but I guess that method is no longer used. Is there some way to force unlock this so I can run apt-mirror? UPDATE: So... I f...
            Read more

            Mangá

            Image
              Nota:  Não confundir com Manga. Mangás e Animes Mangá Mangaká • Tankōbon Film comic La nouvelle manga Mangá original em inglês Anime História Animação influenciada por animes • Filler • OVA • Seiyū Públicos Kodomo • Shōjo • Shōnen Josei • Seinen Gêneros Mahō shōjo • Mecha • Harém Ecchi • Hentai ( Yaoi • Yuri Futanari • Shotacon • Lolicon Toddlercon ) Termos Bishōjo • Chibi • Fan service Gaiden • Kawaii • Kaitō • Light novel Mahō shōnen • Moe (antropomorfismo • Kemonomimi Nekomimi ) • Super deformed Omake • Tsundere • Yonkoma Listas Mangás • Animes • Ecchi • Mangaka • Estúdios • Revistas Fãs ( otaku ) Anime Music Video Convenções • Cosplay Dōjinshi • Fansub • Fandub • Fujoshi OS-tan • Scanlation Portal de Anime e mangá v d e O mangá (português brasileiro) ou manga (português europeu) [ 1 ] (em japonês: 漫画 , manga ? , lit. “história em quadrinhos”) , é a ...
            Read more

            Eduardo VII do Reino Unido

            Image
            Eduardo VII Rei do Reino Unido da Grã-Bretanha e Irlanda e dos Domínios Britânicos de Além-mar Imperador da Índia Rei do Reino Unido e Imperador da Índia Reinado 22 de janeiro de 1901 a 6 de maio de 1910 Coroação 9 de agosto de 1902 Delhi Durbar 1 de janeiro de 1903 Predecessora Vitória Sucessor Jorge V   Esposa Alexandra da Dinamarca Descendência Alberto Vitor, Duque de Clarence e Avondale Jorge V do Reino Unido Luísa, Princesa Real Vitória de Gales Maud de Gales Alexandre João de Gales Casa Saxe-Coburgo-Gota Nome completo Alberto Eduardo Nascimento 9 de novembro de 1841   Palácio de Buckingham, Londres, Reino Unido Morte 6 de maio de 1910 (68 anos)   Palácio de Buckingham, Londres, Reino Unido Enterro Capela de São Jorge, Windsor, Berkshire, Reino Unido 20 de maio de 1910 Pai Alberto de Saxe-Coburgo-Gota Mãe Vitória do Reino Unido Assinatura ...
            Read more