Is there a way to identify the Windows command prompt regardless of file name or location?


Problem description

I'm writing a program to immediately track and kill when a user runs command prompt (and regedit if that's possible). This is to stop users from running commands I would rather they not have.

I've already written code that sees when a process is launched and checks its name using QueryFullProcessImageName. The issue is that if someone were to rename command prompt then I could no longer detect it via process name. The way I detect command prompt is currently "\cmd.exe" but clearly this is not very secure.

Posted below is what I have for the code. I removed all error checking for brevity. Please let me know if you need more clarity. Thanks!

TCHAR exeName[MAX_PATH];
DWORD exeNameSize = MAX_PATH;

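//the pid comes into the function as a parameter
//PROCESS_TERMINATE is required for the TerminateProcess call below;
//query-only access would make it fail with ERROR_ACCESS_DENIED
HANDLE handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, FALSE, pid);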

if (handle) 
{
    if (QueryFullProcessImageName(handle, 0, exeName, &exeNameSize))
    {
        tstring name = exeName;

        /*
          badProcs would contain the path identifiers such as
          "\\cmd.exe" or "\\regedit.exe".  This detection is
          what I want to make better.
        */

        for(size_t i=0; i < badProcs.size(); i++)
        {
            if(tstring::npos != name.find(badProcs.at(i)))
            {
                if(TerminateProcess(handle,0))
                    OutputDebugString(_T("Process should be dead\n\n"));
                break; //one match is enough; do not terminate twice
            }
        }
    }
    CloseHandle(handle);
}

Some additional information: The reason I'm writing this is to control what goes on in other desktops. I want to make it so that when a user launches a different desktop (via whatever proprietary program) I can control whether or not they have access to items which present the biggest security holes to the system. Given that I only want to control actions done on the other desktop, I do not want to change settings for fear of corrupting data outside of the target desktop. Is corruption not something to worry about?

I'm only interested in controlling a proprietary desktop, not mucking with what users do in their own space. Essentially the separate desktop is for corporate work, and I want to be able to limit what people can do with company information, etc.

Recommended answer

If you're admin and the "user" is not, policy (or simple ACL) will do the job; if the "user" is also an admin, they'll be able to defeat your program fairly easily.
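
The name check in the question stops matching once the file is renamed or moved, while a content check still matches a byte-identical copy. The following is an added example, not code from the question or the answer: it compares a file's SHA-256 with the cmd.exe and regedit.exe installed on the same machine. The function names and the temp file name `notes.exe` are made up for illustration.

```powershell
# Added example: recognise copies of cmd.exe / regedit.exe by content, not by name.
# Get-BlockedImageHashes and Test-BlockedImage are hypothetical helper names.

function Get-BlockedImageHashes {
    # Reference binaries as installed on this machine (native and WOW64 locations).
    $references = @(
        "$env:SystemRoot\System32\cmd.exe",
        "$env:SystemRoot\SysWOW64\cmd.exe",
        "$env:SystemRoot\regedit.exe",
        "$env:SystemRoot\SysWOW64\regedit.exe"
    )
    $table = @{}
    foreach ($ref in $references) {
        # Skip locations that do not exist (for example SysWOW64 on 32-bit Windows).
        if (Test-Path -LiteralPath $ref) {
            $hash = (Get-FileHash -LiteralPath $ref -Algorithm SHA256).Hash
            $table[$hash] = $ref
        }
    }
    return $table
}

function Test-BlockedImage {
    param(
        [Parameter(Mandatory)] [string]    $Path,     # full image path of the process
        [Parameter(Mandatory)] [hashtable] $Blocked   # output of Get-BlockedImageHashes
    )
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Return the reference binary this file is a copy of, or $null if none matches.
    if ($Blocked.ContainsKey($hash)) { return $Blocked[$hash] }
    return $null
}

# Constructed sample: a renamed copy of cmd.exe in the temp directory.
$blocked = Get-BlockedImageHashes
$copy    = Join-Path $env:TEMP 'notes.exe'
Copy-Item -LiteralPath "$env:SystemRoot\System32\cmd.exe" -Destination $copy -Force

foreach ($file in @($copy, "$env:SystemRoot\System32\notepad.exe")) {
    $match = Test-BlockedImage -Path $file -Blocked $blocked
    if ($match) { "$file is a copy of $match" } else { "$file is not a blocked image" }
}

Remove-Item -LiteralPath $copy
```

The path returned by QueryFullProcessImageName can be passed as `-Path`. Only byte-identical copies match, so a binary from another Windows build hashes differently, and the answer's point about policy or ACLs for non-admin users still applies.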
