Reputation: 15015
I'd like to rig a service to run that detects when an application is trying to start, and based on its executable (I'll probably just hash the file and keep a list of blocked app hashes to keep it simple), stop it from executing altogether. Ideally I'd like to accomplish this using C#, but I'd be open to using other platforms if it makes more sense to do so.
I'd thought about hooking into some sort of "process started/starting" event, and using the process ID of the started process to determine the path of the executable (I know how to do the second part, once I have the process ID), and then sending some sort of kill signal if the app is on the blocked list. I'd started investigating this process a while back, but the response I got to this question suggests a flaw in that approach.
Is this, indeed, not a feasible way of solving this problem? Can someone suggest a better route to take?
Upvotes: 0
Views: 116
Reputation: 1404
See http://www.codeproject.com/KB/vista/api-hooks.aspx?msg=3327111, http://www.codeproject.com/KB/threads/winspy.aspx and http://www.codeproject.com/KB/dotnet/objectspy.aspx
Upvotes: 1
Reputation: 941257
Windows does not provide a direct way to generate any kind of notification when a process is about to start. You can find out it got started, as shown in my post with the WMI code. Technically it is possible to inject a DLL into all running processes and detour the CreateProcess() API call. Apart from this being potentially very destabilizing, it is also impossible to write code like that in the C# language. You can't get the CLR initialized.
It isn't any kind of oversight that this kind of functionality isn't available. It would be a rather easily exploitable security hole.
Upvotes: 1
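The detect-then-kill approach from the question, built on a WMI start notification, as an added example that is not part of any post on this page. It assumes the `Win32_ProcessStartTrace` event class as the notification source (the WMI code the answer refers to is not shown here), an elevated process, and a placeholder hash list. The event arrives after the process has already started, so a blocked executable can run some code before it is terminated.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Management;                 // requires a reference to System.Management
using System.Security.Cryptography;

static class ProcessStartBlocker
{
    // Constructed placeholder: replace with the SHA-256 (hex) of each executable to block.
    static readonly HashSet<string> Blocked = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    { "0000000000000000000000000000000000000000000000000000000000000000" };

    static string Sha256Hex(string path)
    {
        using (var sha = SHA256.Create())
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete))
            return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
    }

    static void OnProcessStarted(object sender, EventArrivedEventArgs e)
    {
        int pid = Convert.ToInt32(e.NewEvent.Properties["ProcessID"].Value);
        try
        {
            using (Process p = Process.GetProcessById(pid))   // throws if the process already exited
            {
                string path = p.MainModule.FileName;          // throws on access denied or bitness mismatch
                if (!Blocked.Contains(Sha256Hex(path))) return;
                p.Kill();                                     // reactive: the process has been running until now
                Console.WriteLine("Terminated PID {0}: {1}", pid, path);
            }
        }
        catch (Exception ex) when (ex is ArgumentException || ex is InvalidOperationException ||
                                   ex is Win32Exception || ex is IOException || ex is UnauthorizedAccessException)
        {
            Console.WriteLine("PID {0} not checked: {1}", pid, ex.Message);   // log the gap, keep watching
        }
    }

    static void Main()
    {
        using (var watcher = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ProcessStartTrace")))
        {
            watcher.EventArrived += OnProcessStarted;
            watcher.Start();
            Console.WriteLine("Watching process starts; press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }
}
```

Every "not checked" line is a process that started without being evaluated, so those log entries show how much this approach misses on a given machine.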