Sometimes I like to play with new malware before I clean it, and I want to auto-kill its executable files on launch.
The following command creates a registry entry to do that (run it from an elevated prompt, since it writes to HKLM).
reg add "hklm\software\microsoft\windows nt\currentversion\image file execution options\malware.exe" /v Debugger /d Disabled
Windows honours the Debugger value under Image File Execution Options by launching that program instead of the image itself (a real debugger is expected to start the image under its control). Since no program called "Disabled" exists, the launch simply fails and malware.exe never starts.
Problem:
Windows can't locate the bogus debugger, so the failed launch is reported back, and double-clicking the file may pop up an error notification.
It can also fill up the event logs, especially if malware.exe launches frequently.
So I tried a couple of things, and this seems to work without popups or logging any errors.
reg add "hklm\software\microsoft\windows nt\currentversion\image file execution options\malware.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\taskkill.exe /F /IM malware.exe"
Instead of a non-existent debugger we use a real but bogus one (taskkill), which exits immediately. The executable is still never started, because Windows launches the debugger in its place (appending the original command line to taskkill's arguments); the /F /IM part only matters if an instance of malware.exe is already running, in which case it gets killed as well.
I've also used this to quickly and easily prevent other apps from launching, especially when Group Policy isn't available.
One example is a fast way to suppress Avira popups:
reg add "hklm\software\microsoft\windows nt\currentversion\image file execution options\avnotify.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\taskkill.exe /F /IM avnotify.exe"
reg add "hklm\software\microsoft\windows nt\currentversion\image file execution options\ipmgui.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\taskkill.exe /F /IM ipmgui.exe"
which is quickly reversed by running these two commands:
reg delete "hklm\software\microsoft\windows nt\currentversion\image file execution options\avnotify.exe" /f
reg delete "hklm\software\microsoft\windows nt\currentversion\image file execution options\ipmgui.exe" /f
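The same add/audit/remove cycle as a PowerShell script, written as an added example for this page rather than taken from the original post. It assumes an elevated prompt (the functions write to HKLM), and the function names Set-IfeoKill, Remove-IfeoKill and Get-IfeoDebugger are my own. Get-IfeoDebugger is read-only and lists every image that already has a Debugger value, which is how you check that nothing else has been planted under this key before and after you play with it.

```powershell
# Added example, not part of the original post. Requires an elevated prompt.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoKill {
    # Point the IFEO Debugger value for each image name at taskkill.exe.
    # Windows launches the Debugger instead of the image (with the original
    # command line appended), so the image itself never starts.
    param([Parameter(Mandatory)][string[]]$ImageName)
    foreach ($name in $ImageName) {
        $key = Join-Path $IfeoRoot $name
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $debugger = "$env:SystemRoot\System32\taskkill.exe /F /IM $name"
        Set-ItemProperty -Path $key -Name Debugger -Value $debugger -Type String
    }
}

function Remove-IfeoKill {
    # Reverse Set-IfeoKill. Only removes a Debugger value that points at
    # taskkill.exe, so an entry you did not create (e.g. Process Explorer
    # registered as the Task Manager replacement) is left alone.
    param([Parameter(Mandatory)][string[]]$ImageName)
    foreach ($name in $ImageName) {
        $key = Join-Path $IfeoRoot $name
        if (-not (Test-Path $key)) { continue }
        $current = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($current -and $current -like '*taskkill.exe*') {
            Remove-ItemProperty -Path $key -Name Debugger
        }
        # Drop the key entirely once nothing else is stored under it.
        $item = Get-Item -Path $key
        if ($item.ValueCount -eq 0 -and $item.SubKeyCount -eq 0) { Remove-Item -Path $key }
    }
}

function Get-IfeoDebugger {
    # Read-only audit: every IFEO image with a Debugger value, whoever set it.
    # Attackers use this same key for persistence, so unexpected entries here
    # deserve a close look.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

# Usage (elevated):
Set-IfeoKill -ImageName 'avnotify.exe', 'ipmgui.exe'
Get-IfeoDebugger | Format-Table -AutoSize
Remove-IfeoKill -ImageName 'avnotify.exe', 'ipmgui.exe'
```

Run Get-IfeoDebugger on its own first; if it already shows a Debugger for an image you never touched, that entry is worth investigating before you add your own.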
One advantage over a path rule in Group Policy Software Restriction Policies is that this approach isn't path dependent: IFEO matches on the image file name alone, wherever the file lives.
It is easily defeated by renaming the executable, however, provided someone (or the malware itself) happens to try that. Keep in mind that the same key is a well-known persistence and hijack vector for attackers, so clean up the entries you create and treat any Debugger value you didn't set as suspicious.