Prevent process from starting?

[notsure]

Hello,

I'm trying to prevent processes from starting (think of a Firewall-alike tool). I'd like to intercept the messages from Shell/kernel(?) which causes (for example) notepad.exe to start. I read some things about ShellHook.Dll, can anyone inform me where to start? I'm not sure if this is possible with auto-it.

Thanks in advance,

notsure

[CrewXp]

Im not sure about 'preventing' an application from starting, an expert would have to give a reply here.

But you can of course ProcessClose() an existing process if it finds the name running..

And... you using the terms 'Shell/Kernel messages'.. can you elaborate on that? What kind of messages are you wanting to intercept?

[monoceres]

Hello,

I'm trying to prevent processes from starting (think of a Firewall-alike tool). I'd like to intercept the messages from Shell/kernel(?) which causes (for example) notepad.exe to start. I read some things about ShellHook.Dll, can anyone inform me where to start? I'm not sure if this is possible with auto-it.

Thanks in advance,

notsure

To make that hook reliable (and thus safe to use as a os-firewall) you will have to make the hook in kernel mode.

However this is not possible in autoit, it will require that you write a kernel driver that talks to the kernel directly. Here's an article on the subject:

http://www.codeproject.com/KB/system/sovie...ct_hooking.aspx

You can however make something that hooks all active processes on a per-process basis (this will not be safe because there are processes that are of have higher privileges than your process and that means you cannot hook them which gives them the ability to start more un-hookable processes), to do this you can use wraithdu's work here and then hook ntCreateProcess and zwCreateProcess.

None of this is easy though so if you're not knowing what you're doing you will almost definitely fail.