How to block Limewire or other executables with an AutoIt script

Recently one of my clients was notified by their ISP that they were being reported for spam. Up until then I had really only done some work on their main admin computer for some printer issues. At that point I proceeded to install and run antivirus and anti-spyware programs and cleaned up the machines. Several of them had Limewire installed with a ton of downloaded files. After a few days their ISP called again. At that point I decided it would be best to reinstall the machines, since they hadn't been touched in six years. They are just running a peer-to-peer network, and they all share their Internet connection through an off-the-shelf router.

At this point I set out to find a way to prevent applications like Limewire, Frostwire, Utorrent, and Azureus from running. Group Policy wasn't really an option: a hash rule can be bypassed by using a different version of the program, and a path rule can be bypassed by simply changing the path of the installed program.

Enter AutoIt. If you haven't used AutoIt yet, go and check it out: you can put together scripts to automate just about anything and then compile them quickly into executables that run on any machine. I wrote a small program made up of two executables. The main executable, procmon.exe, launches a secondary executable, procmonchk.exe. The two monitor each other and relaunch each other if someone tries to disable either one. Procmon.exe also restarts Avast if they try to shut that down. If the program detects Limewire.exe, Frostwire.exe, Utorrent.exe, or Azureus.exe, it terminates that process. The script can be modified to include any process and only takes a few minutes to change and compile. The client is aware of the program and they love it. It is a family business, so they aren't going to fire or reprimand the person responsible for using Limewire and other pirating software.

Here is the code for procmon.exe; you will notice an entry for ZoneAlarm that is commented out, because I decided not to use it:

    Opt("TrayIconHide", 1)
    #include <File.au3>

    $on = 1
    $log = 0

    ; Make sure the program is started at logon. The executable is expected to live
    ; in c:\Windows\system32\mrcc\.
    $reg_check = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "mrcc")

    If $reg_check = "" Then
        RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "mrcc", "REG_SZ", _
                "c:\Windows\system32\mrcc\mrcc.exe")
    EndIf

    DirCreate("C:\Windows\System32\mrcc\logs")

    ; Set the path for the log file.
    $sLogPath = "c:\Windows\system32\mrcc\logs\" & @ComputerName & "-" & @YEAR & "-" & @MON & "-" & @MDAY & "-" & _
            @HOUR & @MIN & @SEC & ".log"

    ; The resolution has to be read before it is written to the log below.
    $screen_resolution = @DesktopWidth & "x" & @DesktopHeight

    ; Write the initial startup to the log file.
    _FileWriteLog($sLogPath, "--- The mrcc.exe program has started on " & @ComputerName & "---" & @CRLF)
    _FileWriteLog($sLogPath, "Screen Size: " & $screen_resolution)
    $log = 1

    While $on = 1

        Sleep(1000)

        ; Check to see if the mrccchk.exe file is running. If not then it starts it.
        ; The path is relative, so mrccchk.exe must sit in the working directory.
        If ProcessExists("mrccchk.exe") Then
            $mrccchk = 0
        Else
            Run("mrccchk.exe")
            $log = 1
            _FileWriteLog($sLogPath, "mrccchk.exe process was started.")
            Sleep(20000)
        EndIf

        ; Check to see if WCapW32.exe is running. If not then it starts it.
        If ProcessExists("WCapW32.exe") Then
            $wcap = 0
        Else
            Run("C:\Program Files\Witness Systems\QM Agent\WCapW32.exe")
            $log = 1
            _FileWriteLog($sLogPath, "WCapW32.exe process was started.")
            Sleep(20000)
        EndIf

        ; Check to see if CaptureService.exe is running. If not then it starts it.
        If ProcessExists("CaptureService.exe") Then
            $cap_serv = 0
        Else
            Run("c:\Program Files\Witness Systems\QM Agent\CaptureService.exe")
            $log = 1
            _FileWriteLog($sLogPath, "CaptureService.exe process was started.")
            Sleep(120000)
        EndIf

        ; Whenever something was (re)started, record the machine details and copy the logs to the share.
        Select
            Case $log = 1
                _FileWriteLog($sLogPath, "Screen Size: " & $screen_resolution)
                _FileWriteLog($sLogPath, "Current User: " & @UserName)
                _FileWriteLog($sLogPath, "IP Address: " & @IPAddress1)
                ; Note: the arguments below do not match AutoIt's RunAs signature, which is
                ; RunAs("username", "domain", "password", logon_flag, "program" [, "workingdir" [, show_flag]]);
                ; "COMPUTER_NAME" and "admin" are placeholders for the account allowed to write to the share.
                ; A compiled AutoIt executable still carries its script, so any credentials placed here
                ; can be recovered by anyone who can read the file.
                RunAs("process", "COMPUTER_NAME", "admin", 0, @SystemDir, @SW_HIDE)
                FileCopy("C:\Windows\system32\mrcc\logs\*.*", "\\COMPUTER_NAME\MRCC\logs\" & @ComputerName & "\", 9)
                $log = 0
        EndSelect

    WEnd

Here is the code for procmonchk.exe:

    Opt("TrayIconHide", 1)
 
    $on = 1
 
    While $on = 1
 
        Sleep(1000)
 
        ; Check to see if the procmon.exe file is running. If not then it starts it.
        ; The path is relative, so procmon.exe must sit in the working directory.
        If ProcessExists("procmon.exe") Then
            $procmon = 1
        Else
            Run("procmon.exe")
        EndIf
 
    WEnd
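The listings above show the mutual watchdog, but not the termination of Limewire.exe and the other clients that the introduction describes. The following AutoIt script is an added example written for this page, not the post's own code: it kills every running instance of the listed executables by PID (so a second copy started by the user does not survive a kill-by-name), restarts the partner watchdog, and logs each action beside the script. The process list, the partner name procmonchk.exe and the log location are assumptions.

```autoit
; Added example (not from the original post): one watchdog loop that terminates
; every running instance of the listed P2P clients by PID, restarts the partner
; watchdog, and logs each action. Process names and paths are assumptions.
#include <File.au3>

Opt("TrayIconHide", 1)

; Executables to terminate (constructed list; AutoIt matches process names case-insensitively).
Global $aBlocked[4] = ["Limewire.exe", "Frostwire.exe", "Utorrent.exe", "Azureus.exe"]

; Partner process that restarts this one if it is killed (assumed to sit beside this script).
Global $sPartner = "procmonchk.exe"

; Log file next to the script, one per machine (assumed location).
Global $sLogPath = @ScriptDir & "\procmon-" & @ComputerName & ".log"

; Kill every instance of one executable by PID rather than by name, so a program the
; user launched twice does not keep a surviving copy. Returns the number of processes killed.
Func _KillAll($sExe)
    Local $iKilled = 0
    Local $aProcs = ProcessList($sExe)      ; [0][0] = count, [n][0] = name, [n][1] = PID
    For $i = 1 To $aProcs[0][0]
        If ProcessClose($aProcs[$i][1]) Then
            $iKilled += 1
            _FileWriteLog($sLogPath, "Terminated " & $sExe & " (PID " & $aProcs[$i][1] & ") for user " & @UserName)
        Else
            _FileWriteLog($sLogPath, "Failed to terminate " & $sExe & " (PID " & $aProcs[$i][1] & "), @error=" & @error)
        EndIf
    Next
    Return $iKilled
EndFunc

; Restart the partner watchdog if it has been stopped. Returns 1 if it was restarted, 0 otherwise.
Func _EnsurePartner()
    If ProcessExists($sPartner) Then Return 0
    Run(@ScriptDir & "\" & $sPartner, @ScriptDir, @SW_HIDE)
    _FileWriteLog($sLogPath, $sPartner & " was not running and has been restarted.")
    Return 1
EndFunc

_FileWriteLog($sLogPath, "--- procmon started on " & @ComputerName & " ---")

; Main loop: sweep the blocked list and check the partner once a second.
While 1
    For $sExe In $aBlocked
        _KillAll($sExe)
    Next
    _EnsurePartner()
    Sleep(1000)
WEnd
```

Compile it with Aut2Exe as with the original. Two caveats a defender should keep in mind: matching on the process name is defeated by renaming the executable, for the same reason the author rejected path rules, so this is a deterrent against casual use rather than a control against a determined user; and a compiled AutoIt executable still carries its script, so nothing sensitive such as share credentials should be embedded in it.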