Since creating a process on an NT system requires calling a subset of the native API (NtCreateFile, NtCreateSection, NtCreateProcess), you can hook one or all of them (there are several ways), check the file/process that is about to start, and block/permit the operation based on user reaction, registry settings, driver-loaded settings, etc. In this way you can create a flexible solution for monitoring process start-up on your system.
Yes, but what if you wanted to allow everything to run as “normal” except for one command? This is why I considered allowing the stream from the server but modifying it. There are commands coming from the server that I need. I only want to eliminate one of them (at present).
-pj
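A user-mode simulation of the verdict such a hook would return, written to cover the reply's case of allowing everything except one command (an added example, not code from either poster; the hook itself is not shown, and the rule table, the `\??\` path prefix handling and the 260-character limit are assumptions):

```c
/* Added example: the decision logic a filter on NtCreateFile/NtCreateSection/
   NtCreateProcess would run at the hook point, simulated in user mode. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict_t;

/* Policy as a driver might load it from the registry: everything is permitted
   except images whose normalized path ends with a listed suffix (assumed format). */
typedef struct { const char *suffix; } deny_rule_t;

/* Canonicalize to a lowercase DOS-style path so one rule matches every spelling:
   a hook on NtCreateFile sees "\??\C:\WINDOWS\..." while a rule is typically
   written as "c:\windows\...". Forward slashes are folded to backslashes. */
static void normalize_path(const char *in, char *out, size_t outlen)
{
    static const char nt_prefix[] = "\\??\\";
    size_t i = 0;
    if (strncmp(in, nt_prefix, sizeof nt_prefix - 1) == 0)
        in += sizeof nt_prefix - 1;
    for (; *in != '\0' && i + 1 < outlen; ++in, ++i)
        out[i] = (*in == '/') ? '\\' : (char)tolower((unsigned char)*in);
    out[i] = '\0';
}

/* Non-zero when haystack ends with needle; both must already be normalized. */
static int ends_with(const char *haystack, const char *needle)
{
    size_t hl = strlen(haystack), nl = strlen(needle);
    return nl <= hl && memcmp(haystack + hl - nl, needle, nl) == 0;
}

/* Default-allow verdict: process starts pass untouched unless the image matches
   a deny rule. A path too long to normalize is denied rather than waved through. */
verdict_t decide(const char *image_path, const deny_rule_t *rules, size_t nrules)
{
    char norm[260], rule[260];
    if (strlen(image_path) >= sizeof norm) return VERDICT_DENY;  /* fail closed */
    normalize_path(image_path, norm, sizeof norm);
    for (size_t r = 0; r < nrules; ++r) {
        normalize_path(rules[r].suffix, rule, sizeof rule);  /* rules may be typed in any case */
        if (ends_with(norm, rule))
            return VERDICT_DENY;
    }
    return VERDICT_ALLOW;
}
```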