Thread: [RESOLVED] Detect every attempt of executing any application

  1. #1

    Thread Starter
    Fanatic Member Dungeon Keeper's Avatar
    Join Date
    Mar 2008
    Posts
    590

    Resolved [RESOLVED] Detect every attempt of executing any application

    Hi,

    I have decided to make a program that will monitor the whole system for attempts to start any application.

    The user will be prompted that some application is going to start, and will be asked whether that is OK. The user decides whether that app should run or not. The user must be prompted when there is an attempt to execute an application, but the application must not be executed until the user says it is OK to execute it.

    So, my question is, is there a way to monitor this, and how could it be done? Any ideas, APIs I should examine?
    No, that wont do!

  2. #2
    VB-aholic & Lovin' It LaVolpe's Avatar
    Join Date
    Oct 2007
    Location
    Beside Waldo
    Posts
    19,541

    Re: Detect every attempt of executing any application

    I don't know whether these will prove to be false leads or not.

    1. Easiest but less efficient. Use a timer and call EnumProcesses API. Compare listing with a previously cached listing to see which have been destroyed and which were created.
    -- Reactive, not proactive. You won't know in advance that process started

    2. Set a system wide hook using SetWindowsHookEx (not doable in VB without a separate DLL). A CBT hook can tell you when new windows are created and you can get the process information from the hWnd. Obviously only works with GUI applications. System hooks can slow down the system.
    -- Proactive

    3. See if you can find any examples of this API: PsSetCreateProcessNotifyRoutine
    -- Proactive

    Don't ask me for any advice or example usage though, I thought I'd just post a couple of ideas.

  3. #3

    Thread Starter
    Fanatic Member Dungeon Keeper's Avatar
    Join Date
    Mar 2008
    Posts
    590

    Re: Detect every attempt of executing any application

    The first idea came across my mind too, but it won't show the process that is going to start, yeah.

    I will examine 2. and 3. but I think 3. is a function for drivers because it uses ntddk.h, that is, the Driver Development Kit include file.

    Thanks for all the advice, I will try to dig up something.

  4. #4
    Addicted Member pcuser's Avatar
    Join Date
    Jun 2008
    Posts
    219

    Re: Detect every attempt of executing any application

    This can be done with ShellExecuteHooks. Here is an example: http://www.mvps.org/emorcillo/en/code/vb6/index.shtml

  5. #5
    "Digital Revolution"
    Join Date
    Mar 2005
    Posts
    4,471

    Re: Detect every attempt of executing any application

    I don't know how this program does it (haven't looked at the code), but you can try it:

    http://www.pscode.com/vb/scripts/Sho...59427&lngWId=1

    I think there's also a place in the registry, where you can have a program launched every time a file with a certain extension (like .exe) is launched.

  6. #6

    Thread Starter
    Fanatic Member Dungeon Keeper's Avatar
    Join Date
    Mar 2008
    Posts
    590

    Re: Detect every attempt of executing any application

    Quote: Originally Posted by DigiRev
    I don't know how this program does it (haven't looked at the code), but you can try it:

    http://www.pscode.com/vb/scripts/Sho...59427&lngWId=1

    I think there's also a place in the registry, where you can have a program launched every time a file with a certain extension (like .exe) is launched.
    I took a look at that application. It seems that the program detects when a new application is opened, and suspends it. I'm not sure what it does but my app window opened and froze, so I guess it allows the app to start and freezes it. I must disallow app to start, only if user approves it. But thank you, that is a great piece of code.

    The reg key you are talking about is:
    Code:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    I'm not sure what this key does but I think it starts the application entered in the registry every time you start an exe and sends the path of that exe to that app as a parameter. This is a very useful thing, thank you!

  7. #7

    Thread Starter
    Fanatic Member Dungeon Keeper's Avatar
    Join Date
    Mar 2008
    Posts
    590

    Re: Detect every attempt of executing any application

    Quote: Originally Posted by pcuser
    This can be done with ShellExecuteHooks. Here is an example: http://www.mvps.org/emorcillo/en/code/vb6/index.shtml
    I cannot find ShellExecuteHooks on that link, I'll take a look on MSDN.
    Edit: Or I won't :P

    Thanks

  8. #8
    "Digital Revolution"
    Join Date
    Mar 2005
    Posts
    4,471

    Re: Detect every attempt of executing any application

    Quote: Originally Posted by Dungeon Keeper
    The reg key you are talking about is:
    Code:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    I'm not sure what this key does but I think it starts the application entered in the registry every time you start an exe and sends the path of that exe to that app as a parameter. This is a very useful thing, thank you!
    Yeah I think that's the one.

    Another way besides a system-wide hook, is creating a DLL that gets injected into every process. This DLL would need to be made in C++ or another language that creates standard DLLs.

    Quote Originally Posted by Wikipedia
    DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.
    So, it would only work for applications that use User32.dll (almost all of them).

    The DLL could ask your app for permission, sending along the process ID (GetCurrentProcess() API). I think you have a thread on how to communicate between 2 apps, so that would work between the DLL and your app also.

    The DLL could go into a loop until it receives a response from your VB program (which would pause execution).

    Just another thought, it would be pretty easy. If you wanna go this route, I could probably write an example.

  9. #9

    Thread Starter
    Fanatic Member Dungeon Keeper's Avatar
    Join Date
    Mar 2008
    Posts
    590

    Re: Detect every attempt of executing any application

    Quote: Originally Posted by DigiRev

    Another way besides a system-wide hook, is creating a DLL that gets injected into every process.
    Yeah, but that would just be a system wide hook for all open processes, and I need to capture the attempts of running an exe.

    Just another thought, it would be pretty easy. If you wanna go this route, I could probably write an example.
    Thanks for the offer but I think that isn't the thing I'm looking for. What do you think?

    I was trying to google for it but I couldn't find the answer:

    How is an exe executed in windows, what component receives the request to execute it?

    If a system wide hook is made, it could hook APIs that are used to start a program, or process so it could capture all the attempts of starting an exe from other processes, but what if a user starts an EXE with double click, or it gets started from registry.

  10. #10
    Addicted Member pcuser's Avatar
    Join Date
    Jun 2008
    Posts
    219

    Re: Detect every attempt of executing any application

    I cannot find ShellExecuteHooks on that link, I'll take a look on MSDN.
    It's the "Shell Extensions" link. Here's a direct link to the download: http://www.mvps.org/emorcillo/download/vb6/shlext.msi

    This will install 11 VB projects that can be accessed from the start menu at "Edanmo's VB Page\Shell Extensions". The one we're looking for is "Edanmo's VB Page\Shell Extensions\ShellExecute Hook" which is an ActiveX Dll vb project. Look at the "IShellExecuteHookA_Execute" and "IShellExecuteHookW_Execute" functions, these are called each time a process is about to be executed. From the comments in the code:
    vb Code:
    ' The A (ANSI) version is used by Win9x/Me.
    ' The W (Unicode) version is used by WinNT/2K/XP

    Step by Step:

    1. Compile the project.

    2. Run "regsvr32 exechook.dll"

    3. Open regedit and search for "exechook.dll". I found it at "HKEY_CLASSES_ROOT\CLSID\{E33EB92C-9A58-4524-8861-52E908D26E68}\InprocServer32\exechook.dll", this means the CLSID for exechook.dll is "{E33EB92C-9A58-4524-8861-52E908D26E68}"

    4. Make a new string value at: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" and name it: "{E33EB92C-9A58-4524-8861-52E908D26E68}" and give it a value of whatever you want, maybe "My Hook"

    5. Start Notepad.exe then look for a file called "SHLEXEC.LOG" in your windows folder.

    That's it, you now have a ShellExecuteHook and therefore not only have access to details about all processes about to be launched via the ShellExecute API but you can also block them from being executed.

    To remove the hook, delete the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E33EB92C-9A58-4524-8861-52E908D26E68}" registry key and run:
    "regsvr32 /u exechook.dll".

    Keep in mind that this example will keep appending to a logfile in your windows folder as long as the hook exists so don't forget to remove it when you're done experimenting!

    Here's more information: http://msdn.microsoft.com/en-us/libr...99(VS.85).aspx
    Last edited by pcuser; Jul 2nd, 2009 at 05:59 PM.
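
    The three registry locations raised in this thread (the exefile open command, AppInit_DLLs and ShellExecuteHooks) all cause extra code to run around process launch, so they are worth auditing on any machine. The following is an added example, not code from any poster or from the linked projects: it parses the text of a regedit export and reports non-default entries. The sample export and its file paths are constructed, and `approved_hooks` is a hypothetical allow-list parameter.

```python
import re

# Registry locations discussed in this thread.
EXE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
APPINIT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
HOOKS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(quoted):
    # Drop the surrounding quotes, then undo the .reg backslash escapes.
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])

def parse_reg(text):
    # Returns {KEY_PATH: {VALUE_NAME: data}}, names upper-cased (registry names ignore case).
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := LINE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)).upper()
            data = m.group(2)
            current[name] = unescape(data) if data.startswith('"') else data
    return keys

def audit(text, approved_hooks=()):
    keys, findings = parse_reg(text), []
    cmd = keys.get(EXE_CMD.upper(), {}).get("@")
    if cmd is not None and cmd != '"%1" %*':   # the stock handler only runs the exe itself
        findings.append(("exefile open command", cmd))
    dlls = keys.get(APPINIT.upper(), {}).get("APPINIT_DLLS", "")
    if dlls.strip():                           # any entry is loaded with User32.dll
        findings.append(("AppInit_DLLs", dlls))
    approved = {h.upper() for h in approved_hooks}
    for clsid in keys.get(HOOKS.upper(), {}):
        if clsid != "@" and clsid not in approved:
            findings.append(("ShellExecuteHook", clsid))
    return findings

# Constructed sample export: the paths are made up, the CLSID is the one from post #10.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Tools\\guard.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Tools\\inject.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E33EB92C-9A58-4524-8861-52E908D26E68}"="My Hook"
'''
```

    Calling `audit(SAMPLE)` returns one finding per location; passing the CLSID in `approved_hooks` suppresses the hook finding for a handler you installed yourself.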

  11. #11

    Thread Starter
    Fanatic Member Dungeon Keeper's Avatar
    Join Date
    Mar 2008
    Posts
    590

    Re: Detect every attempt of executing any application

    Thanks a lot!