Для блокировки юзают софт FSPro Labs: в реестре, в параметре EntryData, прописаны правила блокировки кучи софта, антивирусов и т.п.
<!-- Scanner record for the kernel-mode component. The version resource below identifies it as the
     FSPro Labs file system filter, which the post names as the software used for blocking (rules
     kept in the registry value EntryData). ArkStatus reports a signed 64-bit driver and, unlike
     the later records on this page, carries no "hidden" flag. -->
<File Path="C:\Windows\System32\Drivers\FSPFltd.sys" Size="55440" CreationTime="14.05.2017 04:41:30" LastAccessTime="28.07.2017 02:44:45" LastWriteTime="06.06.2008 12:35:46">
<!-- CreationTime (14.05.2017 04:41:30) is nine years later than LastWriteTime (06.06.2008) and is
     identical to the CreationTime of the fsproflt.exe record on this page.
     NOTE(review): presumably the file was placed on this host on 14.05.2017; confirm against
     other timeline sources before relying on it. -->
<Attributes Archive="true" Value="00000020" />
<Hash MD5="BCE299C96E94670680B72B1D4476EAA8" SHA256="F575B63FD2E69A94F4763F9FEA8D10CEED16D3ED22924D4E750612BF4106E8BA" SHA1="A72295B90737FCA2BB7399EE8C2920CBE5516C45" />
<ArkStatus File="signed, pe64, driver (0x600200)" Cert="signed (0x2)" TStorm="unknown (0xFFFFFFFF)" />
<FileInfo>
<!-- CompanyName is "FSPro Labs" while LegalCopyright names "Alfa Corporation"; recorded as found. -->
<Translation Language="1033" CodePage="1200" CompanyName="FSPro Labs" FileDescription="FSPro File System Filter" FileVersion="2008" InternalName="FSPro File System Filter" LegalCopyright="Copyright (C) Alfa Corporation 1999-2008" OriginalFilename="fspfltd.sys" ProductName="FSPro File System Filter" ProductVersion="2008" />
</FileInfo>
<!-- Certificate chain as reported, leaf first. The leaf subject is an individual
     (CN=Dejan Maksimovic) valid 07.03.2008 to 07.03.2009; the TimeStamp 05.06.2008 falls inside
     that window. The last entry is self-issued (GlobalSign Root CA).
     NOTE(review): the scanner reports the signature as valid, so a signature check alone will not
     single out this driver; triage it by hash, path and how it was registered on the host. -->
<CertInfo Status="signed" TimeStamp="05.06.2008 17:37:33">
<Signature Subject="C=YU|CN=Dejan Maksimovic" Issuer="C=BE|O=GlobalSign nv-sa|OU=ObjectSign CA|CN=GlobalSign ObjectSign CA" Thumbprint="d81bc7840fcb9214099bf97000f2e891ff9be764" SerialNumber="010000000001188a4ebd89" NotBeforeTime="07.03.2008 17:34:19" NotAfterTime="07.03.2009 17:34:19" />
<Signature Subject="C=BE|O=GlobalSign nv-sa|OU=ObjectSign CA|CN=GlobalSign ObjectSign CA" Issuer="C=BE|O=GlobalSign nv-sa|OU=Primary Object Publishing CA|CN=GlobalSign Primary Object Publishing CA" Thumbprint="4a19146d67bd20843a3a0713587557bf519213cc" SerialNumber="04000000000108d9612448" NotBeforeTime="22.01.2004 09:00:00" NotAfterTime="27.01.2014 10:00:00" />
<Signature Subject="C=BE|O=GlobalSign nv-sa|OU=Primary Object Publishing CA|CN=GlobalSign Primary Object Publishing CA" Issuer="C=BE|O=GlobalSign nv-sa|OU=Root CA|CN=GlobalSign Root CA" Thumbprint="987fd000dcb121517d72453ee5176eb92b1363b9" SerialNumber="04000000000108d9611cd6" NotBeforeTime="28.01.1999 12:00:00" NotAfterTime="27.01.2014 11:00:00" />
<Signature Subject="C=BE|O=GlobalSign nv-sa|OU=Root CA|CN=GlobalSign Root CA" Issuer="C=BE|O=GlobalSign nv-sa|OU=Root CA|CN=GlobalSign Root CA" Thumbprint="b1bc968bd4f49d622aa89a81f2150152a41d829c" SerialNumber="040000000001154b5ac394" NotBeforeTime="01.09.1998 12:00:00" NotAfterTime="28.01.2028 12:00:00" />
</CertInfo>
</File>
Эти файлы попали в поле зрения как спрятанные от юзермода: у них в ArkStatus File=... стоит флаг hidden.
<!-- Unsigned 32-bit executable, 8192 bytes, flagged "hidden" by the scanner; the post describes
     such entries as hidden from user mode. The same MD5/SHA1/SHA256 triple appears in four records
     on this page under two file names (mms.exe, lsm.exe), i.e. one binary stored in several places.
     Its top-level folder, C:\windows\inf\axperflib, is one of the two the post asks to send to the
     virus lab. -->
<File Path="C:\windows\inf\axperflib\0010\0011\000a\0010\mms.exe" Size="8192" CreationTime="14.05.2017 04:25:54" LastAccessTime="28.07.2017 03:37:48" LastWriteTime="18.04.2003 16:06:26">
<!-- LastWriteTime (18.04.2003) is 14 years older than CreationTime (14.05.2017).
     NOTE(review): presumably preserved from the original or back-dated when the file was placed;
     do not use it alone for the timeline. -->
<!-- Value 00000026 = Archive (0x20) + System (0x04) + Hidden (0x02), matching the flags listed. -->
<Attributes Archive="true" Hidden="true" System="true" Value="00000026" />
<Hash MD5="4635935FC972C582632BF45C26BFCB0E" SHA256="ABD4AFD71B3C2BD3F741BBE3CEC52C4FA63AC78D353101D2E7DC4DE2725D1CA1" SHA1="7C5329229042535FE56E74F1F246C6DA8CEA3BE8" />
<ArkStatus File="unsigned, pe32, hidden (0x100100400)" Cert="unsigned (0xC0000010)" TStorm="unknown (0xFFFFFFFF)" />
<CertInfo Status="unsigned" />
</File>
<!-- Second copy under C:\windows\inf\axperflib: hashes, size, attributes and LastWriteTime are
     identical to the other mms.exe / lsm.exe records on this page; only the sub-folder differs.
     CreationTime is one second after the copy in ...\000a\0010\. -->
<File Path="C:\windows\inf\axperflib\0010\0011\000e\0015\mms.exe" Size="8192" CreationTime="14.05.2017 04:25:55" LastAccessTime="28.07.2017 03:37:51" LastWriteTime="18.04.2003 16:06:26">
<!-- Hidden + System attributes are set on the file itself, in addition to the scanner's own
     "hidden" flag in ArkStatus below. -->
<Attributes Archive="true" Hidden="true" System="true" Value="00000026" />
<!-- Same digest triple as the other copies; any one of the three hashes identifies all four
     files listed on this page. -->
<Hash MD5="4635935FC972C582632BF45C26BFCB0E" SHA256="ABD4AFD71B3C2BD3F741BBE3CEC52C4FA63AC78D353101D2E7DC4DE2725D1CA1" SHA1="7C5329229042535FE56E74F1F246C6DA8CEA3BE8" />
<ArkStatus File="unsigned, pe32, hidden (0x100100400)" Cert="unsigned (0xC0000010)" TStorm="unknown (0xFFFFFFFF)" />
<CertInfo Status="unsigned" />
</File>
<!-- Copy of the same 8192-byte unsigned binary under the second folder the post asks to send to
     the virus lab, C:\windows\inf\netlibrariestip. Created 14.05.2017 04:25:25, about half a minute
     before the copies under C:\windows\inf\axperflib recorded on this page. -->
<File Path="C:\windows\inf\netlibrariestip\000d\1049\5.0\1049\5.0\mms.exe" Size="8192" CreationTime="14.05.2017 04:25:25" LastAccessTime="28.07.2017 03:37:37" LastWriteTime="18.04.2003 16:06:26">
<Attributes Archive="true" Hidden="true" System="true" Value="00000026" />
<Hash MD5="4635935FC972C582632BF45C26BFCB0E" SHA256="ABD4AFD71B3C2BD3F741BBE3CEC52C4FA63AC78D353101D2E7DC4DE2725D1CA1" SHA1="7C5329229042535FE56E74F1F246C6DA8CEA3BE8" />
<!-- "hidden" is the scanner's flag that the post reads as "hidden from user mode".
     NOTE(review): TStorm="unknown" presumably means no verdict was available from that check;
     confirm against the scanner's documentation. -->
<ArkStatus File="unsigned, pe32, hidden (0x100100400)" Cert="unsigned (0xC0000010)" TStorm="unknown (0xFFFFFFFF)" />
<CertInfo Status="unsigned" />
</File>
<!-- Named lsm.exe, but MD5/SHA1/SHA256, size and timestamps match the mms.exe records on this
     page, so this is the same binary under a different file name. It shares its CreationTime
     (14.05.2017 04:25:25) with the mms.exe copy under the same netlibrariestip folder.
     For detection, match on the hash rather than on the file name. -->
<File Path="C:\windows\inf\netlibrariestip\000d\1049\5.0\sql\lsm.exe" Size="8192" CreationTime="14.05.2017 04:25:25" LastAccessTime="28.07.2017 03:37:37" LastWriteTime="18.04.2003 16:06:26">
<Attributes Archive="true" Hidden="true" System="true" Value="00000026" />
<Hash MD5="4635935FC972C582632BF45C26BFCB0E" SHA256="ABD4AFD71B3C2BD3F741BBE3CEC52C4FA63AC78D353101D2E7DC4DE2725D1CA1" SHA1="7C5329229042535FE56E74F1F246C6DA8CEA3BE8" />
<ArkStatus File="unsigned, pe32, hidden (0x100100400)" Cert="unsigned (0xC0000010)" TStorm="unknown (0xFFFFFFFF)" />
<CertInfo Status="unsigned" />
</File>
<!-- This record differs from the unsigned mms.exe / lsm.exe entries: the scanner reports the file
     as catalog-signed (signed_catroot) and SFC-protected, and its CreationTime is 22.08.2013, not
     14.05.2017. It is listed here only because ArkStatus also carries the "hidden" flag.
     NOTE(review): presumably the file is being hidden by a rule rather than having been replaced;
     verify the hashes below against a known-good copy for this OS build before concluding that. -->
<File Path="C:\Windows\system32\wscript.exe" Size="161280" CreationTime="22.08.2013 11:01:16" LastAccessTime="28.07.2017 03:38:34" LastWriteTime="22.08.2013 11:01:02">
<!-- No Hidden/System attribute is set on the file; only the scanner's "hidden" status applies. -->
<Attributes Archive="true" Value="00000020" />
<Hash MD5="C15B3FE9B7AB65A984B7BFD1382DE43E" SHA256="1C98B22C2B86CD645D46224F9CA448E275521AEE6B5E1C7D8B0A22D2C82E6822" SHA1="7DDE0549D3078EE472D150D07C9ACA120A65B61C" />
<ArkStatus File="signed_catroot, sfc_protected, script_vm, pe64, hidden (0x100292000)" Cert="signed_catroot (0x1)" TStorm="unknown (0xFFFFFFFF)" />
<CertInfo Status="signed_catroot" />
</File>
<!-- 32-bit executable whose version resource describes it as "FSPro Labs Filter Service", i.e. a
     component of the same vendor's product as the FSPFltd.sys driver recorded on this page.
     ArkStatus reports it as validly signed and flags it "hidden". -->
<File Path="C:\windows\syswow64\fsproflt.exe" Size="73392" CreationTime="14.05.2017 04:41:30" LastAccessTime="28.07.2017 03:38:15" LastWriteTime="03.05.2009 08:22:28">
<!-- CreationTime matches the FSPFltd.sys record to the second (14.05.2017 04:41:30), about 16
     minutes after the mms.exe / lsm.exe copies were created (04:25).
     NOTE(review): this suggests driver and service were placed together; confirm on the host. -->
<!-- No Hidden/System attribute is set on the file; only the scanner's "hidden" status applies. -->
<Attributes Archive="true" Value="00000020" />
<Hash MD5="A21CAD3667CAC39A137B29932EBA39EC" SHA256="523C92E287606D1BBBDF38BB10EC2CB4AD3BF4D828470B61381827CA00DE319D" SHA1="45F394BD0AC2CE9983E7417DC20AFC675C5CBFC3" />
<ArkStatus File="signed, pe32, hidden (0x100100200)" Cert="signed (0x2)" TStorm="unknown (0xFFFFFFFF)" />
<FileInfo>
<Translation Language="9" CodePage="1200" CompanyName="FSPro Labs" FileDescription="FSPro Labs Filter Service" FileVersion="3, 2, 0, 39" InternalName="fsproflt" LegalCopyright="Copyright (C) 2008-2009 FSPro Labs" OriginalFilename="fsproflt.exe" ProductName="FSPro Labs Filter Service" ProductVersion="3, 2, 0, 0" />
</FileInfo>
<!-- Two-entry chain, leaf first: the leaf is issued to FSPro Labs (valid 23.02.2009 to 23.02.2011)
     and the TimeStamp 03.05.2009 falls inside that window; the second entry is self-issued
     (UTN-USERFirst-Object). The signer differs from the one on the FSPFltd.sys record, so the
     two components cannot be matched by signer thumbprint alone. -->
<CertInfo Status="signed" TimeStamp="03.05.2009 08:22:28">
<Signature Subject="C=RU|ST=RO|L=Taganrog|O=FSPro Labs|CN=FSPro Labs" Issuer="C=US|ST=UT|L=Salt Lake City|O=The USERTRUST Network|OU=http://www.usertrust.com|CN=UTN-USERFirst-Object" Thumbprint="a2e20290e3e7e16ef31f5ac2b64f0eea30318742" SerialNumber="784f226b45c3bd8e4089243d747d1f59" NotBeforeTime="23.02.2009 00:00:00" NotAfterTime="23.02.2011 23:59:59" />
<Signature Subject="C=US|ST=UT|L=Salt Lake City|O=The USERTRUST Network|OU=http://www.usertrust.com|CN=UTN-USERFirst-Object" Issuer="C=US|ST=UT|L=Salt Lake City|O=The USERTRUST Network|OU=http://www.usertrust.com|CN=UTN-USERFirst-Object" Thumbprint="e12dfb4b41d7d9c32b30514bac1d81d8385e2d46" SerialNumber="44be0c8b500024b411d3362de0b35f1b" NotBeforeTime="09.07.1999 18:31:20" NotAfterTime="09.07.2019 18:40:36" />
</CertInfo>
</File>
Вот эти каталоги:
C:\windows\inf\axperflib
C:\windows\inf\netlibrariestip
отправить в вирлаб.