The Ultimate Anti-Malware Tool? Maybe.
Written by Gordon Fecyk, 3/27/2005
[18 JUL 2014] This is an old how-to and script I wrote in 2005 while Pro editions of Windows were rare to find on home desktops. With the Windows 8 Pro Pack commonly available these days, consider purchasing that and use Software Restriction Policies instead, which is a built-in whitelisting tool.
I RANT ROUTINELY about how to prevent computing problems before they happen. Recently, I even started ranting about why you should prevent computing problems before they happen.
The how usually contains several pages of, "do this, then do that, then go to Safe Mode and do this..." blah, blah, blah. No wonder people can't prevent this stuff before the fact - it's all in gibberish.
So, I took a moment and converted my ranting into a "simple batch file."
"LOCKDOWN" IS A HACK I PUT TOGETHER to automate the advice I routinely hand out, effectively Safe Computing in an easy-to-use package. It's a batch file written for Windows 2000 and Windows XP, and it does the following things:
- Installs a program written by Microsoft's David Burrell. xcacls.vbs lets you change a file or folder's security settings in a command line, or a batch file. I edited the program a little to suit my needs.
- Changes the security settings of several key folders. These settings stop limited user accounts from running programs (.exe, .com, and so on) that are not installed in the "Program Files" or "Windows" folders.
- Adds a startup script for new users. When a new user logs on to the computer, this script changes their user profile so they can't run programs from there, either. A user profile includes the Desktop, "My Documents" and other folders belonging to the user.
The end result is, limited users can only run programs that an Administrator installed. Other programs won't run, generating an "Access is Denied" pop-up. While limited users are, well, limited in what they can do to the computer, this little hack doesn't even give unwanted programs a chance to try anything.
- Windows 2000 computers will need the Windows 2000 Support Tools installed first. This hack uses the support tool "reg.exe." Windows XP includes this tool already.
- Lockdown is for stand-alone Windows 2000 and Windows XP only! XP Home Edition will work as well as XP Professional. Computers in a domain should instead use Group Policy and logon scripts to change these settings.
- The disk drive with your installation of Windows must use NTFS. If you aren't sure if your computer uses NTFS, open a command prompt and type "convert c: /fs:ntfs" and see if it offers to convert the drive for you.
- This tool uses some powerful magic to prevent unwanted programs. Administrators won't be affected, but limited users might not be able to run some older programs after you run this. Stick with programs Designed for Windows XP or Windows 2000 to avoid problems.
- The changes this tool makes are worthless with Administrator accounts! To take advantage of them, use your computer with a new Limited User account after you run this tool.
- This tool was not extensively tested. I know it works, but that's it. You use it at your own risk.
Powerful warnings? I hope so, because this is powerful stuff. Like I say every time I spout off my advice, you need to choose to take that step of giving up old and badly designed products to prevent computing problems before they can happen. If you can take that step, then you can take this tool.
That being said, I'm interested in fleshing this hack out into a full-fledged product, including an undo feature, allowing exceptions for programs of your choice, even security templates for otherwise badly designed programs so they can work with safe computing.
Recently Edited Categories:
Browse All Categories
Browse All Commentaries