How do I ... prevent users from running specific applications with Process Blocker?

If you administer any significant number of Windows-based machines, there might be applications you do not want your users to be able to run. Jack Wallen explains how Process Blocker can help administrators control application access.

If you administer any significant number of Microsoft Windows-based machines, there might be applications you do not want your users to be able to run. Keeping these users from running certain apps (such as P2P apps, games, etc.) can keep users productive, but more importantly, can help you avoid possible lawsuits your company doesn't need.

Making this task easier is most often the job of third-party software. Although Process Blocker is still under development, it is already a very useful tool and will easily prevent your users from using applications they shouldn't. However, since it is a development version, there are a few gotchas.

One of those is that there are still some scripts that can slip through the blocking process. The reason for this is that processes get blocked by Process Blocker right after they are started, instead of being blocked outright. Because of this, processes that start up instantly might get past the blocker.

With that caveat out of the way, let's take a look at how this tool can be used.

Getting and installing

Like all good Windows applications, Process Blocker is simple to install. Process Blocker will work with any Windows operating system newer than Windows 2000 (with the exception of Windows ME). Go to the Process Blocker download page and download the version for your architecture (32-bit or 64-bit). Once this file is downloaded (it is an .msi file), double-click it to start the installation procedure. You will not be asked anything out of the ordinary for a Windows application installation.

Upon completion of the installation there will be a new directory: Program Files\Process Blocker. Within this directory you will find four files:
  • list.txt: This is the configuration file.
  • Process Blocker: This is the application.
  • processblocker.chm: This is a compiled HTML help file.
  • Tray Informer: This is the applet that informs the user a process has been blocked.

Once the installation is finished, close the window and you're ready to start configuring.

Configuration

The configuration of Process Blocker is very easy. Open up the list.txt file and add the executables you want to block, one entry per line. The easiest way to do this is to open Windows Explorer, navigate to the Program Files\Process Blocker directory, and double-click on list.txt.

NOTE: If you are using Windows Vista and have UAC turned on, it may be easier for you to move the list.txt file to your desktop, add your entries, and then move the file back to its proper place.

With the list.txt open in your default text editor, you will see the following contents:

ExampleFile.exe
AnotherOne.exe

As you can see, all you need to do is just start adding entries. Fortunately you do not have to enter the explicit path for each entry. But you do have to list the correct executable file name. Most of these (if not all of these) will have the .exe suffix at the end. Let's use the Safari Web browser as an example. In the list.txt file, add safari.exe to the end of the file. You can safely remove the two sample entries.

Once you have added your entry (or entries), save and close the file (move it back if you have opted to go that route with Windows Vista). Now you need to restart the Process Blocker service in order for the changes to take effect.

To restart the service, right-click on the Computer entry in the Start Menu (in Vista) and select Manage. This will open the Computer Management console. From there, click on the Services entry under Services and Applications. This will list the services in the main pane (Figure A).

Figure A

Depending upon how many processes you have running, you might have to scroll pretty far to find Process Blocker.

After you locate the Process Blocker entry, right-click the entry and select Restart. Process Blocker will quickly restart and you are ready to test.

Since we are trying to block Safari from opening, head over to the Start Menu and select the Safari entry. You will not see Safari start. Instead a warning will appear in the Notification area, indicating that Safari is blocked (Figure B).

Figure B

The red circle with the "-" symbol is the Process Blocker icon.

That's all there is to it.
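
The edit-and-restart procedure above can be scripted for repeat use. The following is an added example, not code from Process Blocker or from the original article. It assumes Windows PowerShell 3.0 or later, an elevated prompt, that the service's display name is "Process Blocker" as shown in the Services console, and that list.txt is read as plain ASCII text; the function name Update-ProcessBlockerList is hypothetical.

```powershell
# Added example (not part of Process Blocker). Run from an elevated prompt.
function Update-ProcessBlockerList {
    param(
        [Parameter(Mandatory)][string[]]$Block,
        # Path as given in the article.
        [string]$ListPath = (Join-Path $env:ProgramFiles 'Process Blocker\list.txt'),
        # Assumption: the display name matches the entry in the Services console.
        [string]$ServiceDisplayName = 'Process Blocker'
    )
    # The list takes bare executable names, not paths, so reject anything else.
    foreach ($name in $Block) {
        if ($name -notmatch '^[^\\/:*?"<>|]+$') {
            throw "Not a bare executable name: $name"
        }
    }
    # Back up the current list, then read its entries, ignoring blank lines.
    $existing = @()
    if (Test-Path -LiteralPath $ListPath) {
        Copy-Item -LiteralPath $ListPath -Destination "$ListPath.bak" -Force
        $existing = @(Get-Content -LiteralPath $ListPath |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    # Drop the two sample entries, then merge. Sort-Object -Unique is
    # case-insensitive, so Safari.exe and safari.exe collapse to one line.
    $samples = 'ExampleFile.exe', 'AnotherOne.exe'
    $merged = @($existing | Where-Object { $samples -notcontains $_ }) + $Block |
        Sort-Object -Unique
    # Assumption: plain ASCII text, one entry per line, is what the service reads.
    Set-Content -LiteralPath $ListPath -Value $merged -Encoding ASCII
    # Changes only take effect after the service restarts.
    Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop | Restart-Service
    # Report the service state so a failed restart is visible to the caller.
    (Get-Service -DisplayName $ServiceDisplayName).Status
}

# The article's example entry.
Update-ProcessBlockerList -Block 'safari.exe'
```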

Final thoughts

Of course, users who know what they are doing can get around this system. A user could effectively stop the Process Blocker process from the Computer Management Console. Or, if they have the skills, they could locate the list.txt file and remove entries for the applications they want to run. But for most situations, this should be a cost-effective, easy-to-deploy solution for a problem that haunts many an IT staffer.
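
Both weaknesses named above (a stopped service and an edited list.txt) can be checked for on a schedule. The following is an added example, not code from Process Blocker or from the original article. It assumes Windows PowerShell 3.0 or later and that the service's display name is "Process Blocker"; the function name Test-ProcessBlockerIntegrity and its output fields are hypothetical.

```powershell
# Added example (not part of Process Blocker): audit the two bypasses.
function Test-ProcessBlockerIntegrity {
    param(
        [Parameter(Mandatory)][string[]]$Expected,
        [string]$ListPath = (Join-Path $env:ProgramFiles 'Process Blocker\list.txt'),
        # Assumption: the display name matches the entry in the Services console.
        [string]$ServiceDisplayName = 'Process Blocker'
    )
    # Service check: if the service is stopped, nothing is being blocked.
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')

    # List check: every expected entry must still be present (case-insensitive).
    $current = @()
    $writers = @()
    if (Test-Path -LiteralPath $ListPath) {
        $current = @(Get-Content -LiteralPath $ListPath | ForEach-Object { $_.Trim() })

        # ACL check: list any SID other than SYSTEM, Administrators or
        # TrustedInstaller that is allowed to change or delete the file.
        $trusted = 'S-1-5-18', 'S-1-5-32-544',
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
        $mask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $rules = (Get-Acl -LiteralPath $ListPath).GetAccessRules($true, $true, $sidType)
        $writers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $mask) -ne 0) -and
            $trusted -notcontains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value })
    }
    $missing = @($Expected | Where-Object { $current -notcontains $_ })

    [pscustomobject]@{
        ServiceRunning   = $running
        MissingEntries   = $missing
        UntrustedWriters = $writers
        Healthy          = $running -and -not $missing -and -not $writers
    }
}

# The article's example entry as the expected baseline.
Test-ProcessBlockerIntegrity -Expected 'safari.exe'
```

A non-empty UntrustedWriters list means a standard user can still edit list.txt, and a user with administrative rights can stop the service regardless of what this check reports.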

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

11 comments
Gis Bun

I can see problems with this program [from what I read here]. First, as mentioned, it blocks by the name of the EXE. What if you copy or rename the EXE? Second, there is no central management. So that list has to be copied over and then restarted. Third, probably also need a way to install on all computers. Fourth, disabling the services is possible if the user has admin rights. Fifth, editing the text file list is possible unless you change permissions. I'm sure there are other issues as well.

MattewHill

A new version of Process Blocker with a handy interface was released on May 18, three weeks before the article was published.

Ron_007

Handy tool. I take it that this is the freeware equivalent of Win7 AppLocker. My problem is identifying the nasty ole program that is causing me grief. Something is running to set up other programs to act as servers to 123moviedownload.com. The site is associated with "questionable" servers, but no one says what the program name is. I've run the "usual suspects" in terms of antimalware but the culprit has not been spotted.

Mark W. Kaelin

What tools do you use to prevent users from running unwanted applications? How effective are they?

Gis Bun

Although it doesn't fix the problem, it is a temporary stopgap. Since you know that something is going to 123moviedownload.com, you can add it to the host file. Another alternative is to use the route utility to block access if you know the IP. Have you tried Microsoft/Sysinternal's Autoruns?

goofchick

When you change a user's settings from administrator to standard, does this eliminate them being able to download anything they want to their machines? Are there any negative reasons NOT to make them standard users? We are running Vista Business 32 bit.

Ron_007

Non-admin rights will not prevent them from downloading, just prevent them from installing apps. That includes limiting what kind of malware can install itself, which is why going to user rights accounts is a very good thing. The only possible downside is that there are still a few (older) apps that are "poorly" written so they require administrative rights to run. There are work-arounds that allow them to run with admin rights in a user level account. You can use the "run as" function to run those apps with admin rights. So before changing your users from admin rights accounts to user rights accounts, you want to test all of your apps to make sure you don't have any special problem apps.

Aakash Shah

I agree with Altiris_Grunt. Software Restriction Policies (SRP) are the best way to handle this. And, you can take either the "block all, allow some" or "allow all, block some" approach. The former approach is the best approach since it covers new malware too. Here is an excellent and quick write-up about implementing SRP rather than reading the longer MS TechNet information (this was written by an MS MVP): http://www.mechbgon.com/srp Also, since SRP is baked right into the system, you don't need to worry (as much) about updates causing problems with third party software. Also, SRP can't be disabled by stopping a service or process and there is no chance of slipping past SRP.