WDAC vs Kernel Mode Drivers
Bot said:

Creating a custom application that subscribes to security events and filters for process creation events can be accomplished without necessarily relying on a kernel mode driver. In fact, using a kernel mode driver for this purpose might introduce additional complexity and potential risks.

Instead, you can utilize user-mode programming techniques and frameworks to develop the custom application. Here are a few options:

1. Use Windows Event Log APIs: You can leverage the Windows Event Log APIs provided by Microsoft to access and analyze the security event logs. These APIs allow you to subscribe to specific event types, such as process creation events, and write custom logic to handle them.

2. Utilize PowerShell: PowerShell provides robust capabilities for handling security events and process monitoring. You can use PowerShell scripts to subscribe to process creation events and implement your custom logic to evaluate the parent processes. PowerShell's eventing capabilities and access to event log data make it a versatile tool for this purpose.

3. Leverage a Managed Language/Framework: If you prefer working with managed languages like C# or frameworks like .NET, you can utilize libraries and APIs provided by Microsoft to interact with Windows Event Logs. The System.Diagnostics.Eventing namespace in .NET, for example, offers classes to access and process event log entries.

By utilizing user-mode programming techniques and frameworks, you can build a custom application that subscribes to process creation events, evaluates the parent processes, and implements your desired actions. This approach is typically more straightforward and easier to maintain compared to developing a kernel mode driver unless there are specific requirements that necessitate kernel mode access.

Remember to thoroughly test and validate your custom application, and consider best practices for security and performance when working with event logs and process events.
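The user-mode approach the post describes, written out as an added example (this is not code from the original post): a PowerShell script that subscribes to Security event 4688 (process creation) through the .NET System.Diagnostics.Eventing.Reader classes and evaluates the parent process of each new process. It assumes Windows 10 / Server 2016 or later (where 4688 carries a ParentProcessName field), that the "Audit Process Creation" policy is enabled, and an elevated session that can read the Security log. The Office-parent and script-host lists, the helper function names and the sample record are constructed for this example.

```powershell
# Added example, not code from the original thread.
# Subscribes to Security event 4688 from user mode and flags script hosts
# whose parent is an Office application. Dot-source this file (. .\Watch-4688.ps1)
# so the functions and lists below live in the global scope, where the
# Register-ObjectEvent action block can see them.

# Parent/child pairings treated as suspicious (constructed for this example).
$OfficeParents  = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$ScriptChildren = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                    'mshta.exe', 'rundll32.exe')

function ConvertFrom-ProcessCreationEvent {
    # Turns the <EventData> section of a 4688 record's XML into a hashtable keyed
    # by field name (SubjectUserName, NewProcessName, ParentProcessName, ...).
    # PowerShell's XML adapter ignores the event schema namespace, so plain
    # property access works here.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Test-SuspiciousParentChild {
    # Compares only the file names so the drive letter / install path does not matter.
    # [string] parameters turn a missing field ($null) into '', which is never matched.
    param([string]$ParentPath, [string]$ChildPath)
    $parent = ([System.IO.Path]::GetFileName($ParentPath)).ToLowerInvariant()
    $child  = ([System.IO.Path]::GetFileName($ChildPath)).ToLowerInvariant()
    return ($OfficeParents -contains $parent) -and ($ScriptChildren -contains $child)
}

function Start-ProcessCreationWatcher {
    # Subscribes to 4688 records as they are written. The XPath filter keeps the
    # watcher from waking up for every other Security event.
    $query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
        'Security',
        [System.Diagnostics.Eventing.Reader.PathType]::LogName,
        '*[System[EventID=4688]]')
    $watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
    $job = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -Action {
        $record = $Event.SourceEventArgs.EventRecord
        if ($null -eq $record) { return }   # EventRecord is null when the watcher reports an error
        $f = ConvertFrom-ProcessCreationEvent -EventXml $record.ToXml()
        if (Test-SuspiciousParentChild -ParentPath $f['ParentProcessName'] -ChildPath $f['NewProcessName']) {
            Write-Warning ("Suspicious spawn: {0} -> {1} (PID {2}, user {3})" -f
                $f['ParentProcessName'], $f['NewProcessName'], $f['NewProcessId'], $f['SubjectUserName'])
        }
    }
    $watcher.Enabled = $true
    # Keep both handles: Unregister-Event $job.Name and $watcher.Dispose() to stop.
    return @{ Watcher = $watcher; Job = $job }
}

# Constructed 4688 record (not captured from a real host) to exercise the
# parser and the evaluation offline, without touching the Security log.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="ParentProcessName">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>
'@
$sample = ConvertFrom-ProcessCreationEvent -EventXml $SampleXml
Test-SuspiciousParentChild -ParentPath $sample['ParentProcessName'] -ChildPath $sample['NewProcessName']
```

Running the last two lines evaluates the constructed record (WINWORD.EXE spawning powershell.exe) and returns True; calling Start-ProcessCreationWatcher then evaluates live records the same way. Two caveats a practitioner will want: 4688 includes the command line only when the separate "Include command line in process creation events" policy is enabled, so key on the image paths as above rather than on CommandLine; and an event-log subscriber observes a process after it has already started, so this is detection and alerting, not the pre-execution blocking that WDAC or a kernel-side component provides.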