How can I block all executables on a machine unless I verify them? I have multiple clients and I want to do it programmatically (I am using Visual Studio 2010). It can be done through the registry using DisallowRun, but if I change the name of the exe to notepad1.exe, the registry approach will not work. I want to get control of all the exes present, the way an antivirus does.

jain
  • Use group policy to specify a [program whitelist](http://www.howtogeek.com/howto/8739/restrict-users-to-run-only-specified-programs-in-windows-7/) – Andrew Domaszek Dec 02 '14 at 13:12
  • Possible duplicate of [Blocking EXE from executing in XP Domain environment](http://serverfault.com/questions/396211/blocking-exe-from-executing-in-xp-domain-environment) – TheCleaner Dec 02 '14 at 13:53

1 Answer

The correct setting Microsoft added for what you need is AppLocker by GPO.

You can add a policy by file hash, file publisher, or path.

With the file hash, it's harder for a user to bypass it, unless he gets another version, but you could block by publisher too.

yagmoth555
  • I want to write code for that. – jain Dec 02 '14 at 14:50
  • It's easier by GPO, but you can use PowerShell. `Get-AppLockerFileInformation -Directory "\\SERVER\SHARE\FOLDER" -Recurse` will list all .exe files with the policy they support in the target path. After that we make a policy: `Get-AppLockerFileInformation -Directory \\SHARE\SERVER\FOLDER -Recurse | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix TEST -XML | Out-File .\TEST.XML`, and then we apply it: `Set-AppLockerPolicy -XMLPolicy .\test.XML` – yagmoth555 Dec 02 '14 at 16:00