3

Is there a way to detect a software is starting to install with C#? I found some WMI classes but I can't find related WMI event. If it is possible I want to cancel the installation.

Cem Sönmez
  • 506
  • 1
  • 3
  • 15
  • Do you want to stop installation ? – Tharif Mar 23 '15 at 09:25
  • You could test for `msiexec` to start. Check this [post](http://stackoverflow.com/q/4908906/993547). – Patrick Hofman Mar 23 '15 at 09:26
  • Some security reasons. @SriramSakthivel – Cem Sönmez Mar 23 '15 at 09:26
  • 7
    You should use group policies for this - https://social.technet.microsoft.com/forums/windowsserver/en-US/feb8f197-9aa8-4772-8d9f-c6f7ddb95167/prevent-software-installation-using-group-policy. Or just remove administrator access from the user. This is a solved problem, there's no need to invent a new solution for this that will cause all sorts of maintenance headaches in the future. The chance you can make a better solution than the ones that exists is close to zero. – Lasse V. Karlsen Mar 23 '15 at 09:27
  • Using group policies is not an option for my case right now. I have to do this with some coding. Removing administrator access is preventing me to start necessary programs. – Cem Sönmez Mar 23 '15 at 09:36
  • Process.GetProcessesByName(...) + .Kill() – Ahmad Mar 23 '15 at 09:44

1 Answers1

1

You could monitor key registry locations, such as HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. You would then need to examing keys sych as "InstallLocation" and stop the process you find there from running. You could then also run the UninstallString key. You would also need to remove any settings that allow the program to start, such as a desktop icon, the CurrentVersion\Run and Runonce keys, and the start menu's Startup folder.

Of course this only applies if the application is following basic windows rules. You couldn't rely on targetting only MSIEXEC, since installers such as NSIS scripts are essentially just simple EXE's. You could probably manage 90%-ish accuracy this way, and then rely on a good AV to back you up.

Another, albeit "you-might-as-well-build-an-antivirus" solution would be to monitor common download folders (using .NET's filewatcher?) for EXE files, watch for them to start as a process using a WMI event notification, and then kill the process with the same name. Determining which EXE was in fact a persistent installer would be difficult, and prone to inaccuracy.

NinjaMid76
  • 169
  • 8