IDEA: Process monitor and restriction

[jsmallberry]

In the same vein as Zone Alarm and other personal firewalls and MS Anti-Spyware, there has been a crop of applications come out lately that monitor the startups, in real time, and notify the user when something is added to the many places at which an application could run at startup.  The user can allow or disallow the change.

I would like to see an application that would do this for any executable.  When any executable is attempting to run, this program can stop it (if this is possible) and alert the user.  The user allows the app to run or blocks it, either permanently or just at that one time.  As for apps that you permanently set to allow to run, you can use something like MD5 (and of course, date/time/size) to check each time to see if it is truly the same executable.  This seems to me would be the best virus/spyware protection, along with startup monitor, BHO monitor, etc.

I know that you could write an "exe wrapper", by editing the registry at HCR\exefile\shell\open\command and putting something like  "C:\ExeWrapper.exe" "%1" %*.  This would "intercept the exe" so the exe wrapper can shell the exe or not.  But that doesn't seem like a good way to do it.  Seems like viruses could disable that.  I would think some kind of system hook would be better, but I don't know if that exists.  One thing that wouldn't work though, is a timer.  Malicious code could be run in before the next timer tick.

To be an all in one solution, this idea could be expanded to include other "code that is executed", such as services, BHOs, etc.  And then also include the startups.

The Coding Snacks is a great idea, I hope it is very successful!

[db90h]

Hi,

I believe DiamondCS creates a tool called 'Process Guard' that has some of the features you desire.

To create such a utility correctly, a device driver needs to be written to intercept new processes. I'm sorry, but this snack is too big for the 5 hour window allotted .

Thanks for the suggestion.

-Jeremy
Bitsum Technologies
http://www.bitsum.com

[jsmallberry]

Yeah, I've used the DiamondCS app before.  It uses a timer to get the process list.  I can't stand to use timers for apps like this in my programs.  I prefer to have 'callback' type functionality, when possible.  That way, there is no CPU time used until it is needed.  But the DiamondCS app is a step in the right direction.  I don't remember why I stopped using it, but there was a reason.

I guess it may take some time to write.  But I thought that if someone already knew that there was a 'hook' type mechanism, it wouldn't take too long to write.

[jsmallberry]

Alright, I'm mistaken.  I looked at the DiamondCS app again.  Apparently there is a new version (new to me that is).  It does the things I was suggesting, and it uses a kernel driver to do it.  I guess I used an earlier version. Therefore, I hereby withdraw my idea suggestion and apologize to DiamondCS for mischaracterizing their software.

[bob]

This goes a long way toward what you want... You can set it to show you when a process starts or stops... Plus a whole lot of other stuff.


INFORMER.......... Informer gives to you information about: current systen activity - CPU usage, number of running processes and threads, available memory, a full list of running processes with detailed information about each process, and fully qualified information about your computer system. Informer has no window. This is a text string dynamically showing information about current system load. You can place it at the desired location on screen, change font and color. Unlike many others system monitors Informer takes very little screen space.....(free).....<A href="http://informer.russ...ebmatrixhosting.net/">GO THERE!</A>