How to Secure POS Terminals: One‑Click Remote Cleanup and Software Blocking

This article explains how to remotely diagnose and clean POS computers, monitor and automatically remove unwanted software, and enforce installation restrictions using Windows policies, hooks, and custom tools to keep terminals safe and under strict control.

Goodme Frontend Team

Background

Store managers report issues such as persistent pop‑ups, system freezes, or unwanted mini‑games occupying the computer.

These problems are often caused by viruses, driver installers, or antivirus software. The usual approach is to use remote tools like TeamViewer, Sunflower, or Desktop to clean the machines, but this requires the store to install and configure remote software.

More Convenient Remote Access

To simplify remote support, a custom one‑click remote tool was developed: after entering the store code, technicians can connect instantly without the store needing to install anything.

Possible ways to achieve one‑click remote access include:

Enterprise‑grade antivirus solutions that provide remote control features.

Enterprise versions of remote software (e.g., TeamViewer) with batch deployment packages.

Open‑source projects on GitHub that can be adapted for remote control.

Removing Abnormal Software

Once remote access is available, unwanted software can be uninstalled quickly. However, relying on manual remote cleanup after each store report is reactive.

A monitoring mechanism is needed to detect stores that have abnormal software installed so that technicians can intervene proactively.

Monitoring Installed Software

Software lists can be retrieved from the Windows registry:

public static List<IAppData> getAllSoftWare() {
    List<IAppData> appDataList = new List<IAppData>();
    RegistryKey Key = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall");
    // ... read both 32‑bit and 64‑bit paths, filter system components, etc.
    return appDataList;
}
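A fuller version of the registry read above, as an added example that is not the team's own code. `InstalledApp`, `SoftwareInventory` and `FindUnapproved` are hypothetical names, and the publisher allowlist stands in for the cloud-side comparison the article mentions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Win32;

// Hypothetical type standing in for the article's IAppData.
public sealed record InstalledApp(string Name, string Version, string Publisher, string KeyName, RegistryView View);

public static class SoftwareInventory
{
    private const string UninstallPath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall";

    public static List<InstalledApp> GetAllSoftware()
    {
        var apps = new List<InstalledApp>();
        // On 64-bit Windows the 32-bit view is the WOW6432Node copy; on 32-bit Windows both
        // views resolve to the same key, so read only one to avoid duplicates.
        var views = Environment.Is64BitOperatingSystem
            ? new[] { RegistryView.Registry64, RegistryView.Registry32 }
            : new[] { RegistryView.Registry32 };
        foreach (var view in views)
        {
            using var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view);
            using var uninstall = hklm.OpenSubKey(UninstallPath);
            if (uninstall is null) continue;
            foreach (var keyName in uninstall.GetSubKeyNames())
            {
                using var entry = uninstall.OpenSubKey(keyName);
                // Entries without a DisplayName are not shown in Control Panel.
                if (entry?.GetValue("DisplayName") is not string name || name.Length == 0) continue;
                if (entry.GetValue("SystemComponent") is 1) continue;      // hidden system component
                if (entry.GetValue("ParentKeyName") is not null) continue; // update of another entry
                apps.Add(new InstalledApp(name,
                    entry.GetValue("DisplayVersion") as string ?? "",
                    entry.GetValue("Publisher") as string ?? "",
                    keyName, view));
            }
        }
        return apps;
    }

    // Entries whose publisher is not on the approved list are reported for follow-up.
    public static List<InstalledApp> FindUnapproved(IEnumerable<InstalledApp> apps, ISet<string> approvedPublishers) =>
        apps.Where(a => !approvedPublishers.Contains(a.Publisher)).ToList();
}
```

The Publisher value is written by the installer itself, so a match is a triage signal rather than proof of origin. Per-user installs register under each user's HKCU hive and are not covered by this HKLM read.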

The collected data is uploaded to the cloud to compare with the Control Panel's program list. For programs that run without being installed, and so have no uninstall entry in the registry, two additional detection methods are suggested:

Scanning processes (unreliable due to hidden processes using SSDT hooks).

Scanning the file system and matching known signatures (similar to antivirus scanning).

Automatic Deletion of Abnormal Software

Two main obstacles prevent automatic deletion:

Running programs lock files, making deletion impossible.

Antivirus software restricts file permissions and blocks registry modifications.

The tool IObit Unlocker can force‑release file locks and delete files via command line:

runCmd('IObitUnlocker.exe /Delete "absolute\path\to\file"')

After deletion, the unwanted pop‑up can be suppressed by terminating the IObitUnlocker.exe process.

if (/* popup exists */) {
    Process[] processes = Process.GetProcessesByName("IObitUnlocker");
    foreach (Process process in processes) {
        process.Kill(false);
    }
}

Intercepting Software Installation

Two approaches are described:

Group Policy

Windows Group Policy (gpedit.msc) can be used to create rules that block execution based on publisher signature, file path, or file hash. Example: block Chrome by denying execution of files in the Google folder.

These policies can also be applied via PowerShell commands such as Import-Module AppLocker, Get-AppLockerPolicy, and Set-AppLockerPolicy.

Windows Hook

By hooking the CreateProcessW API with a library like MinHook, execution of blacklisted programs can be intercepted globally.

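// Minimal example of hooking CreateProcessW (needs <windows.h> and MinHook.h)
typedef BOOL (WINAPI *CreateProcessW_t)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES,
                                        BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);
static CreateProcessW_t fpCreateProcessW = NULL; // trampoline to the original, set by MH_CreateHook
BOOL IsBlacklisted(LPCWSTR app, LPCWSTR cmd);    // hypothetical helper: matches the image path or command line
BOOL WINAPI HookedCreateProcessW(LPCWSTR app, LPWSTR cmd, LPSECURITY_ATTRIBUTES pa, LPSECURITY_ATTRIBUTES ta,
                                 BOOL inherit, DWORD flags, LPVOID env, LPCWSTR cwd,
                                 LPSTARTUPINFOW si, LPPROCESS_INFORMATION pi) {
    if (IsBlacklisted(app, cmd)) {
        SetLastError(ERROR_ACCESS_DENIED);
        return FALSE; // block execution; reporting failure keeps the caller from using an unfilled PROCESS_INFORMATION
    }
    return fpCreateProcessW(app, cmd, pa, ta, inherit, flags, env, cwd, si, pi);
}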

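The hook DLL is injected globally using SetWindowsHookEx(WH_GETMESSAGE, ...), so process creation is intercepted in every process that loads the DLL, including browser launches. Windows loads a WH_GETMESSAGE hook DLL only into processes on the same desktop that pump window messages and that match the DLL's bitness, so both 32-bit and 64-bit builds are needed, and console programs and services are not covered.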

Intercepting Browser Launches

Monitoring WMI events for process creation can detect when a browser is started and terminate it, then present a custom installation UI to guide the store toward approved software.

var queryString = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'";
// Set up ManagementEventWatcher and kill browser processes when detected

WMI polling and process initialization both introduce delay, so this method is suitable mainly for manual browser launches.
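The watcher described above, written out as an added example that is not the team's own code. `BrowserLaunchGuard`, the `onTerminated` callback and the image names in `Blocked` are assumptions, and the callback is where the custom installation UI would be shown.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Management; // System.Management NuGet package on .NET Core / .NET 5+

public static class BrowserLaunchGuard
{
    // Constructed sample list; the article does not say which image names it matches.
    private static readonly HashSet<string> Blocked =
        new(StringComparer.OrdinalIgnoreCase) { "chrome.exe", "msedge.exe", "firefox.exe" };

    public static bool IsBlocked(string imageName) =>
        !string.IsNullOrEmpty(imageName) && Blocked.Contains(imageName);

    public static ManagementEventWatcher Start(Action<string, int> onTerminated)
    {
        // WITHIN 5 makes WMI poll every 5 seconds, which is the delay the article mentions.
        var watcher = new ManagementEventWatcher(new WqlEventQuery(
            "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"));
        watcher.EventArrived += (_, e) =>
        {
            var target = (ManagementBaseObject)e.NewEvent["TargetInstance"];
            var name = target["Name"] as string;
            if (!IsBlocked(name)) return;
            int pid = Convert.ToInt32(target["ProcessId"]); // uint32 in WMI
            try
            {
                using var process = Process.GetProcessById(pid);
                // The PID may have been reused during the polling gap; confirm the image name first.
                if (!process.ProcessName.Equals(Path.GetFileNameWithoutExtension(name),
                        StringComparison.OrdinalIgnoreCase)) return;
                process.Kill(entireProcessTree: true); // browsers spawn child processes
                onTerminated(name, pid);
            }
            catch (Exception ex) when (ex is ArgumentException or InvalidOperationException
                                          or Win32Exception or AggregateException)
            {
                // Already exited, or this account may not terminate it; nothing to clean up.
            }
        };
        watcher.Start();
        return watcher; // the caller calls Stop() and Dispose() on shutdown
    }
}
```

Matching on image name alone is defeated by renaming the executable, so this works as a guide toward approved software on top of the Group Policy rules, not as a replacement for them.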

Desktop Control

A custom desktop environment replaces the standard Windows UI, presenting only the functions needed for order taking and payment, thereby preventing users from accessing games or installing unauthorized software.

The interface simulates common operations (launching apps, network, shutdown, volume) while restricting everything else.

Conclusion

The article outlines a workflow that starts from store‑reported issues, moves to one‑click remote diagnostics, monitors and automatically removes unwanted software, intercepts installation attempts via policies, hooks, and WMI, and finally enforces a locked‑down desktop environment to keep POS terminals secure.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
