Thursday, February 19, 2009

Catch that process

I have an interesting piece of work on the go for a client at the moment which is posing a number of tricky questions.

The client has asked for software to control a web browser on a locked-down, Windows-based kiosk PC. There's nothing special about the PC or the Windows installation, but the browser has to be tightly controlled, way beyond Internet Explorer's Kiosk Mode.

The latest question was how to detect and terminate unauthorised or unexpected processes as they start. For example, despite all the other controls in place, what would happen if the kiosk user managed to start Excel?

After much Googling and research I coded a solution based around Windows Management Instrumentation (WMI).

Once everything is initialised (connecting to the namespace, setting security and building the event sink), using WMI is something that would be familiar to any relational database developer, since you set up a query on the data using an RDB-style query language, WQL.

In this instance the query was:

SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'

I'd set up an event sink for the WMI query, based on the IWbemObjectSink interface, so whenever any new process started, my event sink was notified and I could take appropriate action.

The action in this case was to compare the process details against a list of allowed processes and, if the process wasn't on the list, instruct WMI to terminate it.

Identifying the process by executable name wasn't always easy, since the executable name wasn't always available, but a quick (very quick, since Microsoft recommends returning from the WMI notification within 100 ms) check of the process snapshot data, using CreateToolhelp32Snapshot, proved to be a good backup.
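The same watch-compare-terminate loop, written as an added PowerShell example rather than the author's C++ IWbemObjectSink code: it subscribes to the post's WQL event query, checks each new process against an allowlist, falls back to the image path when the name is missing, and asks WMI (Win32_Process.Terminate) to kill anything not on the list. It assumes Windows PowerShell 5.1 or later running with rights to terminate the kiosk user's processes; the allowlist is a constructed sample.

```powershell
# Added example (not the original post's code): allowlist-based process watcher
# built on the same __InstanceCreationEvent query the post uses.
$Allowed = @('iexplore.exe', 'explorer.exe', 'conhost.exe')   # constructed sample allowlist

# WITHIN 1 makes WMI poll Win32_Process once a second and raise an event per new row.
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"

$Action = {
    # Action blocks run outside the caller's scope, so the allowlist arrives via -MessageData.
    $allowed = $Event.MessageData
    $inst    = $Event.SourceEventArgs.NewEvent.TargetInstance
    $procId  = [int]$inst.ProcessId
    $name    = $inst.Name

    # Mirror the post's Toolhelp32 fallback: derive the name from the image path if Name is empty.
    if ([string]::IsNullOrEmpty($name) -and $inst.ExecutablePath) {
        $name = [System.IO.Path]::GetFileName($inst.ExecutablePath)
    }

    if ($allowed -contains "$name".ToLowerInvariant()) { return }

    # Re-fetch by ProcessId: the embedded TargetInstance has no object path to invoke methods on,
    # and the process may already have exited during the one-second polling interval.
    $live = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $procId"
    if ($null -ne $live) {
        $result = Invoke-CimMethod -InputObject $live -MethodName Terminate
        Write-Host ("Terminated unauthorised process {0} (PID {1}), rc={2}" -f $name, $procId, $result.ReturnValue)
    } else {
        Write-Host ("Unauthorised process {0} (PID {1}) exited before it could be terminated" -f $name, $procId)
    }
}

Register-CimIndicationEvent -Query $Query -SourceIdentifier 'KioskProcWatch' `
    -MessageData $Allowed -Action $Action | Out-Null

# Keep the subscription alive; Ctrl+C (or Unregister-Event) tears it down.
Write-Host "Watching for unauthorised processes; press Ctrl+C to stop."
try   { while ($true) { Start-Sleep -Seconds 5 } }
finally { Unregister-Event -SourceIdentifier 'KioskProcWatch' -ErrorAction SilentlyContinue }
```

Because WITHIN 1 is a poll, a disallowed process can run for up to a second before the event arrives, which is why this sits alongside the kiosk's other controls rather than replacing them.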

As I said, an interesting piece of work for me!