Well, in this case it's neither secure nor is it the right approach. Sorry to say

Well, write a driver. If you can live with the prerequisites of Windows XP SP2 or Windows 2000 SP4+SRP+FltMgr and higher, you can easily use one of the mini-filter samples from the WDK. Mini-filters are rather easy to implement, compared with classic FSFDs.

Well, there is usually something like a failure action. But again, "self-restarting" and "invincible" processes suck!

Nope.

This should be Vista or higher, though?! The old approach was pretty unsecure and relied on particular means being used to execute a program. If a more subtle method was used one could circumvent the restriction. Done so myself as admin.

But otherwise I can recommend TrustNoExe, though it may not work on x64 or Vista and higher (due to signing policies).

Small note concerning TrustNoExe: the guy used a SSDT hook to see when images get loaded. Whenever something that was not allowed was about to be loaded, he'd exchange the section (aka MMF) handle with one of his own usermode executable. This way his executable could retrieve its "own" location (actually the one of the attempted execution) and display a nice message to the user. Simple but effective.

I just know that in Windows XP there was something like that. Tried it only once and i thought it works. I never had the idea to circumvent the blocking-policy.

Bernhard

I know I know: I'm paranoid. But just because you're not paranoid doesn't mean they aren't after you

As an admin I considered it my duty to make the machines luser-proof. However, for XP MS offered (until recently, I think it was withdrawn) something like a kiosk mode. I.e. you could lock down an XP quite thoroughly. Would have to ask in the forum whether someone still has a copy around. I don't even recall the name of the tool, but it got "advertised" on heise.de.

Don't we all are a bit paranoid? - If you want security you have to test it, not just think it will work.

Do you think of the "Shared Computer Toolkit"? - I have got a copy.

Bernhard

That could well be it (new name seems to be SteadyState). I don't need it, but the OP might appreciate to get his hands on a copy. Let's see when he returns to this topic

Hi,

do you mean this one:
http://www.microsoft.com/presspass/n...ToolkitFS.mspx

Bye,
Frederic

Yes, meant this one.

Bernhard

Policy from that place. I can't say any reason about this because I just make the program. I am not the boss :p

I guess by writing service, my problem easier to solve. Thanks for the mini-filter.

Ehmmm... no thanks , I can't use product from other.

That's the answers!

I am still trying to block End Task, if I found the way, I'll post to this board

Then search for all ways how to terminate a process and block them. The easiest way to do so is to block OpenProcess for all matters (and to handle OnCloseQuery). To let Windows shutdown, Windows is issuing a broadcast message on WM_ENDSESSION. After this message (and the check, that this message came from Windows and not from anybody else issuing WM_ENDSESSION to your window) your program needs to be terminatable.

Bernhard

ADD: Which implies: If someone hooks GetSystemMetrics, and tells your program after issuing the WM_ENDSESSION-Message to your window, your process becomes terminateable even if Windows does not really shut down.

A mini-filter is going to make it even harder than some UM hooks, but if the users have admin privileges, nothing will keep them from circumventing any of those measures, given they have the necessary know-how.