This article is great for me.
Thank you Ivo Ivanov.
I have a problem and I think you can help me.
Your example detects execution of a file, and now I would like to prevent installing (copying) from CD-ROM (or floppy) onto my hard disk. I think I must use your ProcObsrv driver and I have to change something/some functions.
Please give me ideas on how I can detect installing/copying instead of execution.
By the way, please tell me where I can download the DDK for free. I wonder what files I need to build your ProcObsrv driver. Is it necessary to have ntddk.h only?
I want to control running of a particular executable, i.e., prevent it from starting depending on external conditions.
If I were to implement a program that utilises PsSetCreateProcessNotifyRoutine... would I have to terminate the program after it had started running? I don't think forcibly terminating a process after it has begun is a good idea.
I'm not being very clear about this... I'll try again.
Does the function:
1) get called before the executable is invoked? If so, then I could (I suppose) stop it from running.
2) Is the executable invoked and then the psSetNoti.. fn() is called?
1) would be good, but 2) would not, as I would have to terminate the process mid-load.
If anyone could give an answer or some pointers, I'd appreciate it.
Anyone know why no process is started when you launch Explorer (by right-clicking Start and choosing Explore)? The same is seen from Task Manager (although you do see it under the Applications tab). I'm only really interested in the Applications information - could I get this without monitoring the processes?