To what extent can driver loading on Windows be blocked from userspace? What about low-level disk writes? Attempts to flash firmware? Running of unrecognized executables? In short: do basic HIPS features require a kernel-mode driver? Also, can termination protection be done from user space? Finally, where can I find documentation on stuff like this?