a) user uses task manager to kill my process and then runs other programs. The next time my process starts it should notify that it was tampered with.
You could potentially block the user from killing your process in the first place. Check out SetWindowsHookEx with a WH_CALLWNDPROC hook. You can then use your hook method to see if the message is both lethal (WM_CLOSE, WM_QUIT) and directed at your app. Then you can take appropriate action (although be somewhat careful if you decide to block any lethal messages, since you can potentially block your system from shutting down - I haven't checked the interactions between WM_QUERYENDSESSION/WM_ENDSESSION and WM_QUIT, although the WM_ENDSESSION docs suggest WM_QUIT is never called during system shutdown).
b) user disables the mechanism that starts the process on boot (e.g. registry key), reboots the machine, and runs other programs. The next time my process starts it should notify that it was tampered with.
This is honestly quite a bit harder. I'm not sure there's much you can do here, since anything you can monitor to detect a "missed startup" (other running apps, system uptime, etc.) could potentially be turned against you by the following chain of events:
- User disables your app's startup registry entry
- User restarts the system
- User does whatever they want
- User re-enables your app's startup registry entry
- User restarts the system
You could try monitoring the registry key in question, perhaps checking it once just before your app shuts down, and send the tamper warning if it's been destroyed. You can also recreate it at that point. The problem is, you're essentially relying on a chain of protection here: your app needs to be running to determine if the auto-start key is present or missing. If your user is clever, he can bypass that entirely by using a LiveCD/LiveUSB to disable the app's startup registry key, then re-enable it (perhaps with the same LiveCD/LiveUSB) when he sees fit to do so. Or he could just use a LiveCD/LiveUSB to do whatever he wants to do and ignore your app entirely. Ultimately I think your user has the upper hand by default here, unless you can install yourself at the very lowest levels (firmware?). Even then a desperate, tech-savvy user could potentially take out the system's hard drive, put it in a hard drive reader in another computer, and disable the startup key.
I think you'll have to determine how far you want to take this: are you looking for an absolute lockdown that nobody can bypass, or do you just want to hinder normal users from wasting time on a company PC?
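The registry-key check described in part b), as an added example that is not part of the answer above: it runs once at startup and once just before shutdown, records a tamper notice when the auto-start entry is missing or altered, recreates it, and persists what it saw so the next start can report what the previous instance found. The value name 'MyMonitor', the executable path and the event source are assumed placeholders.

```powershell
# Added example (not from the original answer). Assumed names: the Run-key value 'MyMonitor',
# the executable path and the event-log source 'MyMonitor' are placeholders.
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'MyMonitor'                                  # assumed entry name
$Expected  = 'C:\Program Files\MyMonitor\monitor.exe'     # assumed command line
$StateFile = Join-Path $env:LOCALAPPDATA 'MyMonitor\autostart.json'

function Get-AutoStartState {
    # Returns Intact, Modified or Missing depending on what the Run key holds right now.
    $item = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)                { return 'Missing' }
    if ($item.$ValueName -ne $Expected) { return 'Modified' }
    return 'Intact'
}

function Save-State([string]$Phase, [string]$State) {
    # Persist the last observation so the next startup can compare against it.
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    @{ phase = $Phase; state = $State; time = (Get-Date).ToString('o') } |
        ConvertTo-Json | Set-Content -Path $StateFile
}

function Invoke-AutoStartCheck([ValidateSet('Startup','Shutdown')][string]$Phase) {
    $state = Get-AutoStartState
    if ($state -ne 'Intact') {
        $msg = "Auto-start entry '$ValueName' is $state at $Phase"
        Write-Warning $msg
        # Write-EventLog (Windows PowerShell 5.1) needs the source registered once, e.g. by an
        # installer running New-EventLog; if it is not, fall back to the warning already printed.
        try { Write-EventLog -LogName Application -Source 'MyMonitor' -EntryType Warning `
                  -EventId 1001 -Message $msg } catch { }
        # Recreate the entry. As the answer notes, this only helps while the app itself is running.
        Set-ItemProperty -Path $RunKey -Name $ValueName -Value $Expected
    }
    Save-State -Phase $Phase -State $state
    return $state
}

# At startup, also report what the previous instance saw on its way out.
if (Test-Path $StateFile) {
    $last = Get-Content $StateFile -Raw | ConvertFrom-Json
    if ($last.phase -eq 'Shutdown' -and $last.state -ne 'Intact') {
        Write-Warning "Previous instance found the entry $($last.state) at shutdown ($($last.time))"
    }
}
Invoke-AutoStartCheck -Phase 'Startup'
```

Call Invoke-AutoStartCheck -Phase 'Shutdown' from the app's exit path; the check cannot see anything done while the app was not running, which is exactly the limitation the answer describes.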