I'm in a bit of a pinch here and I'd like to get a list of processes running on a machine that associate with windows itself, or are required to be running all the time like a background process or antivirus.
I'm making this program to keep my skills up to scratch, so it will likely never be released on a large scale.
Basically, I'm making an app that scans the computer for programs and only allows those on the whitelist to run. I need to automatically have all windows processes, and those in the startup folder added to this list.
Programs that are not on the list are terminated after a 30 second warning.
I've already gone through several posts on stack, and a google search yielded minimal results.
Is there a way I can differentiate process as a windows process by scanning some metadata or getting the original file path of that process and scanning the file?
PS:
Is there a way to scan all installed programs like in control panel and list them?
Okay. I did it. Finally.
Thanks to all that helped.
I ended up taking a snapshot of all running processes at the time before the timer is enabled and new processes not on the list are blocked. Processes that cannot be closed are likely viruses, or system components. I've never seen an app or a game block process killing before, and parents must ensure task manager is closed before running the timer.
CausticLasagne.
Related
Let me layout the scenario.
We have a 3rd party application (say, app.exe installed to C:\App). It actually cannot run directly, it needs a configuration file passed to it as an argument: "C:\App\app.exe config.ini". Everyone already has shortcuts that contain the necessary arguments.
This application supports plugins, of which we have developed a few. In order to distribute said plugins, they need to be copied to each users C:\App\Plugin\ folder, so when a change is made I have to travel around to everyone's desk and make sure the update gets applied.
This was cumbersome, so I developed an application that will scan a network folder and compare it to it's internal db of files. If there are any changes, it copies the files over to the proper destination folder.
This wasn't seamless though, as the user would have to make sure app.exe was closed - run my updater, and then rerun app.exe. So I renamed the original app.exe to app_launcher.exe, and my updater to app.exe. I modified my updater application to support arguments and pass them through to app_launcher.exe when the update was done. Once app_launcher.exe has started the updater program closes.
I should note - the above actually works.
The problem comes from users who have the app shortcut pinned to the taskbar. Once the real app finally starts it gets it's own new icon on the taskbar instead of being grouped with the original shortcut. This actually makes sense as they are technically two different applications. The users however, don't like this.
I have done some research on this, and found some 3rd party programs that can allow you to group multiple programs (Bins/Fences). I DO NOT WANT THIS.
More research revealed something called the AppUserModelID, which intrigued me. After some playing around, I got my updater to set it's own AppUserModelID. The original app.exe didn't set it's AppUserModelID (found that out via ProcessHacker), but I was able to get the updater to start it with the same ID it was using via the CreateProcess method found in kernel32.dll.
This did NOT work. The updater started under it's own pinned icon, and the original app started a new icon. I tweaked the updater to stay open until the original app was closed to see if that made a difference. This time it started under it's own pinned icon, the original app started it's own, and then the updater window switched to be grouped with the original app under the new icon. So AppUserModelID did group them together, but not how I wanted.
I am using C# for the updater application, and cannot make changes to (or have changes made to) the original app.
How can I get these applications to group under the pinned shortcut? Is it even possible?
I think I may have found a solution, though it's a bit of a hack.
The problem comes from having the final application not matching the shortcut being run.
So rather than replacing the EXE and running the real one when done, I made sure the updater application would always run before the real exe.
The only caveat is that it also runs for EVERY exe on the system (via HKCR\exefile). The first parameter is now the path to the true executable, which if it matches the application it runs the updater. Once the updater finishes or if it is any other app, it runs it.
Not an ideal solution (as it could be detected as malware), but it should work for us.
I have a windows application that reads from a database and populates multiple Listview containers depending on what items the user selects. Some of the data in a particular Listview is right-clickable with a MenuItem option to ‘Write Data to Excel’. This may take around 10 minutes to complete.
I have the Excel Interop portion written in stand-alone code or can I incorporate it into the application project. The Excel Interop app takes only 1 parameter to do its thing.
My question is… should I incorporate it into the Windows App and use multithreading or run it as a standalone app (which seems more efficient), which is called from the Windows App? And what is a good way of doing that where the Windows app starts the process and then can forget about it.
I think that the answer for this one is answered by the question : "What should happen if the user closes the main application during those 10 minutes ?"
If the file should still be wrote, then a standalone application is perfect, cause your threads won't survive.
If the file creation should be interrupted, then I see no reason not to use multithreading, as it seems simpler by default, in particular debugging this part of the code is way easier if it's in the same application.
I would recommend for the below flow:
We can create our own queue which will be either maintained in database or file system.
Then we can write a scheduler which will fetch all the unprocessed request and with the respect to response mark appropriate status of queued item.
Now You application can just call the queuing process and move forward from there.
Use another thread to write it.
This question may be some times funny for all. Created an application in c# but my problem is in implementing that, the application should not be stopped in any case with out system restart. How can i do this? I heard about circular reference what is it and how can i apply it in my windows application
if it can be done using windows service then service can also be stopped from task manager but i don't want my application to stop
you can not do this, since the application can be closed using Task Manger. So the only way is to create two processes first represent your app second to check if your app is closed run it again.
You could create a service, as suggested in one comment. This will prevent people without administrative controls from stopping it. If people do have administrative control, they will be able to stop your program quite easily.
I checked for tricks kids use to go around Net Nanny. The most common trick is to install a virtual machine and use that for accessing the network. Users who aren't administrators can't install Virtual Box or the like, so the service solution will work against these, as well.
I've never seen this issue before, and I'm not even sure if I'm posting in the correct place.
My Co-worker wrote a C# program (windows), that includes a web control. In that web control are a bunch of iFrames. Now, when the web control is populated (max 15 records), everything is fine. 99% system idle process. But once you minimize the program, boom, 99% process goes to the c# program and stays there!
If the web control is not populated. There is no issue with minimizing and maximizing the program.
There are no functions that run when the program is minimized or maximized, so there's nothing to debug...
The program is crashing on two computers, but on the rest (about 8 computers) it runs fine.
The two computers that "crash", are not very similar... so it's proving hard to find what may be causing the issue. One computer is xp, the other is windows 7, one is ie7, the other is ie8.
If anyone could point me in the right direction, or if anyone had a similar situation and has a solution, I'm all ear's and eye's!
I would attach Visual Studio to the "99% CPU" process, break all, and see what's going on in there. That's first step.
Doesn't Windows write inactive (i.e. minimised) application state to disk, to free up resources for active (non-minimised) windows?
One of the hooks / events called when you minimise the application could be causing IO hangs. You should get a diagnostics tool like Sysinternals Procmon to see if IO (or any other process) is hanging based on the minimise event.
Good luck!
Chris.
So my co-worker didn't find the thorough answer as to why it was crashing, but it was crashing due to the .net Web control. He swapped out the control for a VB6 control and it now works.
Okay I've spent the afternoon researching and haven't had much luck finding the answer to this. I am trying to prevent an application from launching via some sort of dll or background application. It is to be used in monitoring application usage and licenses at my institution. I have found leads here regarding WqlEventQuery and also FileSystemWatcher. Neither of these solutions appear to work for me because:
With WqlEventQuery I was only able to handle an event after the process was created. Using notepad as a test, notepad was visible and accessible to me before my logic closed it. I attempted to Suspend/Resume the thread (I know this is unsafe but I was testing/playing) but this just hung the window until my logic finished.
With FileSystemWatcher I was not able to get any events from launching a .exe, only creating, renaming and deleting files.
The goal here is to not let the application launch at all unless my logic allows it to launch. Is this possible? The next best solution I came up with was forcing some type of modal dialog which does not allow the user to interact with anything, once the dialog is closed the application is killed. My concern here is killing the application nicely and handling applications with high overhead when they load such as Photoshop or something. This would also interfere with a feature I was hoping to have where the user could enter a queue until a license is available. Is this my best route? Any other suggestions?
Thanks
edit: To clarify this is not a virus or anything malicious. It's not about preventing access to a blacklist or allowing access through a whitelist. The idea is to check a database on a case by case basis for certain applications and see if there is a license available for use. If there is, let the app launch, if not display a dialog letting the user know. We also will use this for monitoring and keeping track if we have enough licenses to meet demand, etc. An example of one of these apps is SPSS which have very expensive licenses but a very limited pool of people using it.
Could you use
System.Diagnostics.Process.GetProcessesByName
in a loop to look for the process?
It might work if you don't use too aggressive a polling rate.
You are indeed close, take a look at the WMI Management Events. http://msdn.microsoft.com/en-us/library/ms186151%28VS.80%29.aspx
Sample code from Microsoft: http://msdn.microsoft.com/en-us/library/ms257355(VS.80).aspx
Subscribing to the appropriate event will provide your application with the appropriate information to perform what you described.
Not sure if this is a GOOD solution but you could do something like pass a key into main so that if the key is not present or valid the application shuts down. Then when you open the application in your code, just pass the key in. Someone would then have to know the key in order to start the application.
This is assuming you have access to the application in question's source code, which upon reading your question again, I'm not so sure of.
I assume you don't have source for the application you want to prevent from loading...
Have you considered using a system policy? That would be the best-supported way to prevent a user from launching a program.
You could have a service running that force-kills any app that isn't "whitelisted", but I can't say how well that would work.
I wonder if you are taking the wrong approach. Back in the day there was a Mac app that would prevent access to the desktop and had buttons to launch a set list of applications.
IDEA
What if you had a wrapper for the approved apps then only allow your wrapper to run on the computer?
I would expect there is some way of hooking an application launch, but can't help directly on that front.
You may be able to improve your current approach by detecting the application's window opening and hiding it (move it offscreen) so that the user can't attempt to interact with it while you are trying to shut it down.
However, another approach that may be possible (depending on your circumstances) would be to write an application launcher. This simply is a replacement for the shortcut to the application that checks your licencing conditions, and then does a Process.Start to launch the real .exe at that point. This would work well for any application. (I used a system like this for starting up applications with specialised environment settings and it works beautifully)
You could combine this with your current approach as a fall-back for "clever" users who manage to circumvent your launcher.
If my understanding is right you want to create an application what will prevent the computer user to start any other process except ones for a white-list.
If this is the case, monitor the process list of processes (in a while loop) using System.Diagnostics.Process (the GetProcesses method gives the list of all running ones)
Just kill the process when it starts.
Or if your machines have Windows 7 (Windows 2008??) you can use AppLocker. http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx#applocker Just let Windows prevent the startup.
You might want to look at this product: http://www.sassafras.com/licensing.html Personally I can't stand it, but that's because it does what you describe. Might save you some coding.
You could actually edit the registry so when you click a psd, your launcher gets called instead of photoshop. Your launcher then checks for licenses and if there is one starts photoshop with the path of the file.
This is a long shot but you may find it helpful.
Perceived Types and Application Registration
http://msdn.microsoft.com/en-us/library/cc144150(VS.85).aspx