Anyone who often goes to Internet cafes knows that a lot of software is forbidden to run there: download software such as Thunder, BT and eMule; rogue software such as Icibadown.exe (Dou Dou) and yassistse.exe (Yahoo Online Assistant); and also some destructive software. When opened, some of these programs or processes flash and close, some pop up a cmd window that also flashes past, and some show a dialog box that says "This operation has been banned by the network administrator". There are many such cases; either way you are not allowed to use the software, which presumably everyone finds very frustrating!
In fact, each blocking method has a different visible effect. The third case above is a Group Policy restriction, which is not often used on software; it is mainly used for computer functions or tabs, such as disabling "Run", removing the "Map Network Drive" tab, removing the "New Task" button in Explorer, etc. Just go into C:\WINDOWS\system32, open GPEdit (the Group Policy editor) and modify it yourself.
But most software blocks are not so simple to change. After two days of research, I finally worked out how Internet cafes prohibit software from running, and a very simple method to deal with it. To explain the method, I have to start from an experiment I did two days ago. That day I downloaded Thunder from the Internet; after installation it would not run and disappeared in a flash. I then opened Task Manager and ran it again, and saw that a program was launched together with Thunder and also disappeared automatically in a flash. It was shown only very briefly, but I could still see it clearly: it was a program called PTarget.exe. An online search showed that it is a satellite program of Network Dimension Master, which its Security Center uses, by means of image hijacking, to stop processes. After learning this I suspected that it was Network Dimension Master that was preventing the program from running. Later I looked at the official Network Dimension Master website and, after some inquiry, learned that its Security Center is controlled by ProcessSafe.exe. On the client, under E:\NBMSClient\, a Processsafe.ini configuration file is generated in the Processsafe directory, and the forbidden program names, forbidden characters and URLs can be seen in Processsafe.ini. The meaning of the section names in Processsafe.ini:
[Processdeny] is a restricted process
[hostsdeny] is a restricted URL
[Windowdeny] is a restricted title
[Processprotect] is a protected process (such as Network Dimension Master itself)
Once you know this, you just change the file and let ProcessSafe.exe reload it. However, ProcessSafe.exe starts when the computer starts, and its process cannot be ended in Task Manager:
A restart would discard the modified content, so the only option is to force ProcessSafe.exe to end right now; once it is closed, the contents of the configuration file no longer matter. Many methods failed to end the process, and then I happened to think of the NTSD command. With the ntsd command there is 100% no problem. To repeat how the NTSD command works, the format for ending a process with NTSD is:
Method 1. ntsd -c q -p PID
Method 2. ntsd -c q -pn ImageName (for example: ntsd -c q -pn qq.exe)
-c after ntsd means that the debug command that follows is executed
q means quit after execution ends
-p means that what follows is the PID of the process you want to end
-pn means that what follows is the name of the process you want to end (process_name.exe, such as qq.exe, explorer.exe, etc. Note that the .exe suffix must not be omitted, otherwise the system will tell you "this interface is not supported")
When using NTSD, only System, SMSS.EXE and CSRSS.EXE cannot be killed. The first two are pure kernel mode, and the last one is the Win32 subsystem, which NTSD itself needs. Since Windows 2000, NTSD has been a user-mode debugging tool that comes with the system. A process that a debugger has attached to exits together with the debugger, so NTSD can be used to terminate a process from the command line. Debug privileges are obtained automatically when using NTSD, so it can kill most processes. Of course, ProcessSafe.exe is a cinch.
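Seen from the administrator's side, the command form described above stands out in process-creation records. The following is an added example, not part of the original post: it flags ntsd command lines that attach with -p or -pn and run q via -c. The PROTECTED set, the record layout and the sample records are assumptions constructed for illustration.

```python
import shlex

# Assumption: names an operator wants to watch; only ProcessSafe.exe is from the post.
PROTECTED = {"processsafe.exe"}

def parse_ntsd_kill(cmdline):
    """Return {'target', 'by'} when cmdline is ntsd attaching with -p/-pn and
    running the debugger command q via -c; otherwise None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:                            # unbalanced quotes
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("ntsd", "ntsd.exe"):
        return None
    quits, target, by = False, None, None
    i = 1
    while i < len(argv):
        flag = argv[i].lower()                    # match case variants too
        nxt = argv[i + 1].strip('"') if i + 1 < len(argv) else None
        if flag == "-c" and nxt is not None:
            quits = "q" in [c.strip().lower() for c in nxt.split(";")]
            i += 2
        elif flag in ("-p", "-pn") and nxt is not None:
            target, by = nxt, ("name" if flag == "-pn" else "pid")
            i += 2
        else:
            i += 1
    return {"target": target, "by": by} if quits and target else None

def scan(events):
    """events: iterable of (timestamp, host, cmdline); returns alert dicts."""
    alerts = []
    for ts, host, cmdline in events:
        hit = parse_ntsd_kill(cmdline)
        if hit:
            sev = "high" if hit["target"].lower() in PROTECTED else "medium"
            alerts.append(dict(hit, ts=ts, host=host, severity=sev))
    return alerts

# Constructed process-creation records, not real logs.
SAMPLE = [
    ("2008-11-09T10:01:02", "PC-17", "notepad.exe kill.bat"),
    ("2008-11-09T10:01:40", "PC-17", "ntsd -c q -pn ProcessSafe.exe"),
    ("2008-11-09T10:03:11", "PC-04", r'"C:\WINDOWS\system32\ntsd.exe" -c "q" -p 1234'),
    ("2008-11-09T10:05:00", "PC-04", "ntsd -pn calc.exe"),  # attach only, no q
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

An ntsd attach without the q command, as in the last sample record, is ordinary debugging and is not flagged.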
Enough talk, let's do it: open Notepad, write "ntsd -c q -pn ProcessSafe.exe" (without the quotation marks when you actually write it), save it as a *.bat or *.cmd file, and then run it.
Let's look at the effect:
After 30 seconds, you will find that ProcessSafe.exe has disappeared from Task Manager and the blockade is lifted. But do not be happy too early: after a little more than 10 seconds, ProcessSafe.exe reappears in Task Manager. To prevent it from running again, the only option is to delete it right after ending it; it cannot be force-deleted while it is running. Once deleted it will not appear again, and at that point the blockade is really lifted!
If you are a lazy person like me, just add one more line after it:
ntsd -c q -pn ProcessSafe.exe
del E:\NBMSClient\ProcessSafe.exe (mine is on the E: drive; I do not know whether Network Dimension Master is installed to this location by default. If not, find it yourself)
OK, now all the banned software and web pages can be run and accessed. When there is time, I will post the method of using Group Policy to remove some of the functionality. We will see if time allows ~
If the Internet cafe goes further, for example by removing the NTSD program from the computer outright, then you can only download the original program online.
-- Originally published on 2008-11-9
Crack the software running blockade of internet cafes