You could enable auditing of object access on the computer and then audit
the executable for the execute permission though it is far from a friendly
user process but the free Event Comb from Microsoft can help you search the
security log for pertinent object access events typically event 560 as show
below as an example for opening of Internet Explorer executable. Of course
you want to configure folder/NTFS permissions so that only authorized users
have access to the application. The links below explain more. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260 --- same
for XP Pro
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/23/2006
Time: 10:18:25 AM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Program Files\Internet Explorer\iexplore.exe
<<<<<<<<<<<<<<<<
Handle ID: -2147479888
Operation ID: {0,575462}
Process ID: 2004
Image File Name:
Primary User Name: Steve <<<<<<<<<<<<<
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0xD654)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: Execute/Traverse <<<<<<<<<<
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
