Skip to content

xyz2022/DesktopProcessMonitor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
SetupPsiBlock
SetupPsiBlock
 
 
WMProcMon
WMProcMon
 
 
windows-service
windows-service
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
workers.sln
workers.sln
 
 

Repository files navigation

Download Latest

https://github.com/xyz2022/DesktopProcessMonitor/releases/latest

DesktopProcessMonitor

Terminate policy-prohibited applications on corportate-owned devices. This application aims to block the use of specific apps on managed devices. Example: 3rd party VPN binaries like Psiphon 3 may be against the terms of use for users of managed devices, however the users might have been using the VPN regardless. In this case, the default behavior of DesktopProcessMonitor is to terminate Psiphon 3 when the user tries to open it. The default behavior can be modified to target any policy-prohibitied applications.

Why not Group Policy Editor?

Slowdown. For each process, gpedit blocks processes from starting-up until the certificate is located and read; impacting system performance, especially on older hardware. On the other hand, DesktopProcessMonitor is fast. It does not block processes while certifcates are located and read. It does however terminate new processes if their certificates are from any policy-prohibited publisher. This results in reduced impact to system performance.

image

Architecture

Project has 3 sub-projects:

  1. App.Windows.Service: C# Windows Service. Spawns WMProcMon for each logged in user. Re-runs WMProcMon if it is terminated by the user.
  2. WMProcMon: C++ background worker. Subscribes to the InstanceCreationEvent message via WMI. This event is a signal that a new process was created for or by the user. WMProcMon looksup the Authenticode certificate for the exe_file of each new process. If the publisher matches "Psiphon Inc", WMProcMon terminates the process. Note: this is a non-blocking operation, no processes on the OS will be prevented or delayed from starting-up. However the process will terminate within a few ms if its certificate publisher is a match to the target string.
  3. SetPsiBlock: The Visual Studio Setup project handling installation and uninstallation of App.Windows.Service and WMProcMon.

Security considerations

Resisting Priv-Esc tecniques:

  1. The file path to service executable is quoted.
  2. Service executable folder is read-only for unpriveliged users.
  3. WMProcMon executable folder is read-only for unpriveliged users.
  4. WMProcMon process is owned by the current logged-in user.

How-to Build

  1. Open workers.sln in Microsoft Visual Studio 2022 17.7.4 or higher
  2. Publish App.Windows.Service -> Local Folder (use default selected folder)-> Enabled Options: Self-contained, Produce Single File, EnableReadyToRunCompilation
  3. Rebuild WMProcMon
  4. Rebuild SetupPsiBlock
  5. SetupPsiBlock.msi will build in ./release/x64 directory

Install

Desktop Users install via MSI

Network administrators install & uninstall silently via script:

Install ->

msiexec.exe /i SetupPsiBlock.msi MSIFASTINSTALL=4 /qn /norestart

Uninstall ->

msiexec.exe /x SetupPsiBlock.msi MSIFASTINSTALL=4 /qn /norestart

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 5

v0.7.2 Latest
Nov 2, 2023
+ 4 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages