Home/ Questions/Q 6740945
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T11:40:01+00:00

I’m writing a program to immediately track and kill when a user runs command

  • 0

I’m writing a program to immediately track and kill when a user runs command prompt (and regedit if that’s possible). This is to stop users from running commands I would rather they not have.

I’ve already written code that sees when a process is launched and checks its name using QueryFullProcessImageName. The issue is that if someone were to rename command prompt then I could no longer detect it via process name. The way I detect command prompt is currently “\cmd.exe” but clearly this is not very secure.

Posted below is what I have for the code. I removed all error checking for brevity. Please let me know if you need more clarity. Thanks!

TCHAR exeName[MAX_PATH];
DWORD exeNameSize = MAX_PATH;

//the pid comes into the function as a parameter
HANDLE handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid);

if (handle) 
{
    if (QueryFullProcessImageName(handle, 0, exeName, &exeNameSize))
    {
        tstring name = exeName;

        /*
          badProcs would contain the path identifiers such as
          "\\cmd.exe" or "\\regedit.exe".  This detection is
          what I want to make better.
        */

        for(int i=0; i < badProcs.size(); i++)
        {
            if(tstring::npos != name.find(badProcs.at(i)))
            {
                if(TerminateProcess(handle,0))
                    OutputDebugString(_T("Process should be dead\n\n"));
            }
        }
    }
    CloseHandle(handle);
}

Some additional information: The reason I’m writing this is to control what goes on in other desktops. I want to make it so that when a user launches a different desktop (via whatever proprietary program) I can control whether or not they have access to items which present the biggest security holes to the system. Given that I only want to control actions does on the other desktop, I do not want to change settings for fear of corrupting data outside of the target desktop. Is corruption not something to worry about?

I’m only interested in controlling a proprietary desktop, not mucking with what users do in their own space. Essentially the separate desktop is for corporate work, and I want to be able to limit what people can do with company information, etc.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Don’t. Windows has internal means for that. Read up on the policy editor, and/or file access control.

    If you’re admin and the “user” is not, policy (or simple ACL) will do the job; if the “user” is also an admin, they’ll be able to defeat your program fairly easily.

    • 0