How do you control the applications running on your computer? Learn what Application Control for Windows is.
Application Control for Windows
Application Control is a feature of Network Access Control (NAC) that allows administrators to control which applications can run on the network. For example, if you have a policy in place that all computers must be running antivirus software, you can enforce this with Application Control. Application Control is a whitelisting technology.
This means that only applications known to the administrator and approved by them are allowed to run on the network. Application Control works with both wired and wireless networks and is easy to deploy and maintain. It uses Network Policy Server (NPS) to do its work.
You will need NPS installed and running on your network before you can use Application Control. NPS is included with Windows Server 2008 R2 and Windows 7, so you should already have it installed if you are using those operating systems. Windows 8 includes NPS as well, but it is not enabled by default.
Network Forensic Controls
Forensic control is a set of tools used to collect data from a computer after it has been seized. The first step in forensic control is to collect volatile information, so use these tools to collect information from the system's RAM.
Once a system is powered off, this information may be the only way to learn about the activities that took place on it. The tool used here is the Sysinternals utility Autoruns; a command-line version is available on Windows XP and later operating systems.
This tool scans the registry, files, drivers, and services on a computer and creates an HTML report that can be viewed in any browser. It can also create a full registry export of all the values on a system.
Using this tool you can determine which programs are currently running, which programs have been started recently, and which programs have changed their configuration settings recently. It will also tell you which services are running in each user session on a computer.
You can use this tool to determine which programs have been run on a computer by looking at entries in the Application Logs or Security Event Logs for that computer. You can also determine which files are currently open on a computer.
This includes which files were opened recently and when they were last used. The tool also lets you look at files that have been accessed in the past (but are not necessarily currently open) and when they were last accessed.
Windows Memory Forensics Tool
Windows Memory Forensics Tool (WinMFT) is a Windows command-line application that provides access to raw memory or crash dump (.dmp) files for analysis with other tools. WinMFT supports both live memory analysis and offline analysis of crash dumps or hibernation files (.hiberfil).
WinMFT was created by Sysinternals founder Mark Russinovich and Bryce Cogswell, who wrote The Rootkit Arsenal book together with Russinovich. WinMFT works by interfacing with the Windows Debugger (WinDbg), which ships with Microsoft Windows Vista and later operating systems.
No installation is therefore required beyond downloading WinMFT itself. WinMFT has been tested on x86, x64, Itanium, and ARM architectures using both 32-bit and 64-bit versions of Windows, from Windows Vista through Windows 10 Technical Preview 4 (Build 10041).