Minute Control - Possible?

Discussion in 'ProcessGuard' started by knowbodynow, Jul 26, 2005.

Thread Status:
Not open for further replies.
  1. knowbodynow

    knowbodynow Guest


    I have a flash memory drive. Every time I put the card into the drive or take it out, ProcessGuard pops up a warning:

    Filename: rundll32.exe
    Description: Run a DLL as an App
    Folder c:\windows\system\32\

    Launched by: c:\windows\system32\svchost.exe
    Command Line: rundll32.exe shell32.dll,activate_rundll
    Company Name: Microsoft Corporation
    File Size: 32KB

    I think this is Windows trying to pop up an options window about the drive. My question is, if I tell ProcessGuard to always block this action, will it apply only to the flashcard or would it interfere with other operations? I don't want Windows to do anything when I physically move the flashcard. I worry about telling ProcessGuard to block the activity, but having it pop up all the time is irritating.

    Does anyone have a solution I might like?


    Chris (Hunt)
  2. TheQuest

    TheQuest Registered Member

    Jun 9, 2003
    Kent. UK by the sea
    Hi, knowbodynow

    If you have PG block always, it will stop any other processes from starting that need it, so it is not a good idea to set at block always. [well, bad really]

    If you do a search of the PG forum here for rundll32.exe you will find 40 threads [and 22 under rundll32; most of those will be dups of the others]

    Take Care,
    TheQuest :cool:
  3. Knowbodynow

    Knowbodynow Guest

    Thanks - I guessed blocking it would be a bad idea, that's why I was wondering if there was a way to isolate one function of rundll32.exe. It would be great if ProcessGuard had more precision, though I've no idea how and if that could be possible.

  4. Infinity

    Infinity Registered Member

    May 31, 2004
    They are working on this feature, I believe; I read this somewhere ... parent and child process control
  5. gottadoit

    gottadoit Security Expert

    Jul 12, 2004
    As far as I can recall this feature has been discussed and requested but no response has been given by DCS so we simply don't know if they plan to implement the idea in the future....

    If you want to be able to specify block or allow of processes using command line arguments or by specifying the parent process, then PG is currently not a tool that can help you do that.

    Other people have also expressed views that PG's execution protection could be better, but you can always just turn execution protection off in PG and use something else.

    Personal firewalls tend to have basic execution protection, some are better than others. SSM has more configurable execution protection that is a little more complex to manage but should do the job for rundll32.
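
The difference discussed in this thread, between a rule keyed only on the executable and one that also matches the parent process and command line, shown as an added example that is not part of the original thread and is not ProcessGuard or SSM configuration. The `Rule` and `Launch` types, the first-match policy and the second launch event are assumptions made for illustration; the first event uses the values from the warning quoted in the first post.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Launch:
    """One process-start event: what is started, by whom, with which arguments."""
    image: str
    parent: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    """Hypothetical execution rule; '*' in a field means 'any value'."""
    action: str            # "allow" or "block"
    image: str
    parent: str = "*"
    cmdline: str = "*"

    def matches(self, ev: Launch) -> bool:
        pairs = ((self.image, ev.image), (self.parent, ev.parent),
                 (self.cmdline, ev.cmdline))
        # Case-insensitive wildcard match on every field of the event.
        return all(fnmatchcase(value.lower(), pattern.lower())
                   for pattern, value in pairs)


def decide(rules, ev, default="ask"):
    """First matching rule wins; with no match the user is prompted."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action
    return default


RUNDLL = r"c:\windows\system32\rundll32.exe"  # assumed full path of the image
# Event from the warning in the first post (card inserted or removed).
FLASH_EVENT = Launch(RUNDLL, r"c:\windows\system32\svchost.exe",
                     "rundll32.exe shell32.dll,activate_rundll")
# Constructed sample: an unrelated use of rundll32.exe started from Explorer.
OTHER_EVENT = Launch(RUNDLL, r"c:\windows\explorer.exe",
                     "rundll32.exe shell32.dll,Control_RunDLL desk.cpl")

# Image-only "block always": every rundll32.exe launch is stopped.
IMAGE_ONLY = [Rule("block", RUNDLL)]
# Scoped rule: block only the svchost-launched activate_rundll call.
SCOPED = [Rule("block", RUNDLL, parent=r"*\svchost.exe",
               cmdline="*shell32.dll,activate_rundll"),
          Rule("allow", RUNDLL)]
```

With `IMAGE_ONLY`, both events are blocked; with `SCOPED`, only the flash card event is blocked and the other launch is allowed.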
