Simple File Monitor Software?

[Boombox]

.
.
Okay. The idea is simple:

A batch file runs constantly, monitoring newly executed programs.
If the installation directory of the newly run program = ("D:\Blocked") do (
End program)


I'm a little ashamed to say that I don't have any code yet
I can't think of a reasonable/cost effective way to do this...

Obviously, I could do with discarding startup/already running program.exe's from the (tasklist(?)) search,
Especially if one (a search) is to be performed every second or whathaveyou...
And Taskkill presumably... Unless there's a way to have the .exe paused, via batch, until the check is complete?

As always, thanks for any help.

P.S.

This will not to be used as a replacement for any sort of security software.
And so, I will not require advice on whether or not it will be effective in such scenarios.

[foxidrive]

What time period do you want the check to occur - every second? Every 5 seconds?

If you loop too quickly then it'll eat up CPU resources.

Code: Select all

@echo off
set exe="notepad.exe"
:loop
taskkill /f /im %exe% >nul 2>&1
ping -n 5 localhost >nul
goto :loop

[Boombox]

.

Code: Select all

@echo off
:top
timeout /t 5 /nobreak >nul
for /f "tokens=4 delims=\" %%g in ('wmic process get executablepath ^| findstr "calc.exe"') do (
taskkill /fi "imagename eq %%g")
goto top

Hi Foxi. I'm not sure how often this loop should take place...

I've used calc.exe in the example above, but it keeps placing a carriage return at the prompt. Help!

Thanks.

[abc0502]

Try this

Code: Select all

@Echo OFF

:: Set Blocked Pathes here
SET "Blocked1=D:\Blocked"
SET "Blocked2=D:\Blocked\test1"

:Loop
Setlocal EnableDelayedExpansion
Ping localhost -n 10 >nul

:: Adjust the tokens as needed to match the lenght of the longest Blocked location.
For /F "skip=1 tokens=1,2,3* delims=\" %%a in ('wmic process get ExecutablePath') Do (

   :: %%c here because there is 2 tokens in blocked1 so the 3rd will be the exe file name.   
   IF "%%a\%%b" EQU "%Blocked1%" (
      For /F "tokens=2" %%A in ('tasklist /nh /fi "imagename eq %%c" 2^>nul') Do taskkill /f /pid %%A >nul )
   
   :: %%d here because there is 3 tokens in blocked2 so the 4th will be the exe file name.   
   IF "%%a\%%b\%%c" EQU "%Blocked2%" (
      For /F "tokens=2" %%B in ('tasklist /nh /fi "imagename eq %%d" 2^>nul') Do taskkill /f /pid %%B >nul)

)
Endlocal
Goto :Loop

This can kill any process that runs from a certain location and can handle more than one location, just don't forget to adjust the tokens, and note that if the location for example D:\blocked, is 2 tokens "delims is \" the 3rd is assumed here to be the exe file so don't forget to consider the main folder of the program

[Boombox]

.
Thanks ABC,

What was causing my earlier Carriage Return?

Why ('tasklist /nh /fi "imagename eq %%c" 2^>nul')?

Is 'Ping' less CPU intensive, versus 'Timeout'?

Can I not do this with a single for loop using 'wmic process get ExecutablePath ^| findstr "D:\Blocked"' ?

And thanks again.

[foxidrive]

Do you want to stop only an exe that is launched in a certain path??

What if they install in a different location?

[abc0502]

@Boombox,
There is something i don't understand in the code you posted, you get the executable path then search for the calc.exe and if exist it kill it, you can just use the command taskkill and add >nul at the end whether it exist or not it will perform the command not need for the for/loop.

I will test the rest now and try to find the reason for the carriage return and the suggestion you said.

[Boombox]

.
Sorry, I was in a bit of a rush at the time (work) and didn't want to try killing everything from \system32...

This is what should have been posted.
------------------------------------------

Code: Select all

@echo off
:top
timeout /t 5
for /f "tokens=3 delims=\" %%g in ('wmic process get executablepath ^| findstr "D:\Blocked"') do (
taskkill /fi "imagename eq %%g")
goto top

Can this be expanded to include any new process/program, from any drive location?

Sorry Foxi, not entirely sure what I want from this code yet. Just trying to get it to work.

[abc0502]

>>I'm not sure but it must be the findstr command that cause the carriage return.
>> the 2^>nul to suppress any errors and not show them on screen.
>>i use windows xp so there is no command timeout but i think there is not big difference.
>> The only way to remove the extra line is using another for loop that filter the first result so it will look like this

Code: Select all

@echo off

for /f "tokens=3 delims=\" %%g in ('wmic process get executablepath ^|findstr "D:\Blocked"') do ( 
   for /f "tokens=1 delims= " %%a in ("%%g") do echo %%a
)
pause

[foxidrive]

Maybe this will work. wmic creates 0a0d0a line ends in hex and this is where the extra line comes from.

Code: Select all

@echo off
:top
for /f "tokens=3 delims=\" %%g in ('wmic process get executablepath ^| findstr "D:\Blocked"') do cmd /c taskkill /fi "imagename eq %%g"
timeout /t 5
goto :top

The 2^>nul with the carot is necessary in a for in do command tail.
You need to escape the > in that command.

[Boombox]

.
Thanks,

But maybe I got lost in the code or something...

I've used >nul before, and escaped with ^

It's the 2 that's throwing me...

I'm searching for the imagename = %%c 2? What does 2 do?

--
Sorry Foxi, the Carriage still remains in your example...

[abc0502]

the two is referring to the stderror, so if any error happen it redirect to nul and don't show errors but if not an error it will display it

I read it before in the stackoverflow this is the link it's discriped in the first answer by dbenham

[abc0502]

@Foxidrive, your code worked with me here in windows XP, and showed the success messsage

SUCCESS: The process with PID 2648 has been terminated.

It's a smart move to use the cmd to skip the second line

[Boombox]

.
Yes, you are cool ABC, but Foxi is my hero lol.

The code is fine Foxi

(I was executing an installer.exe in \Blocked, displaying a prompt to exit!) /F was required.
Thank you both.

[Boombox]

.
Finally guys...

I want to specify a directory of allowed .exe's (My USB)
Couple that with the currently running .exe's /windows stuff (Maybe even a 'Fresh Install Tasklist-List')
And ban all other .exe's

Is that do-able?

Thanks.