Windows workflow protection

Lock down critical clicks on production PCs.

Touch Guard is a secure, self-updating Windows utility that blocks user interaction in a precise region of vbm.bco.exe, so operators can’t bypass the workflow you’ve approved.

Overlay blocker for vbm.bco.exe

Silent tray app · Auto-start

Hash-verified remote updates

⬇ Download Setup Contact via email Explore capabilities →

Designed for locked-down PCs · No hardcoded secrets · Scales from a single line to multiple sites.

Touch Guard · Site 03

Protected application

vbm.bco.exe Overlay active

Blocker: Site Rectangle #1

Clicks inside this region are blocked while the workflow is in the protected step.

Position: X=1240 Y=190 · Size: 420×210

Tray control

Password required

Visible / invisible mode

Status label

ProgramData config · Auto-save

Protection status

Blocker, tray, password

All safeguards on

Remote update channel

latest.json · touch-guard.net

v1.4.2

Unauthorized changes

Attempts in last 24h

Capabilities

Everything you need to enforce one critical workflow.

Workflow protection

Keep critical steps locked behind a controlled click-safe zone instead of relying on training alone.

Overlay blocker tied to a precise rectangle in vbm.bco.exe.
Visible (highlighted) or invisible overlay per site policy.
Status label that can be shown or hidden for operators.
Enable / disable from the system tray with a password.

Operations-friendly

Built for live production PCs where stability and clarity matter more than flashy UI.

Runs as a small background utility in the tray.
Auto-starts after reboot via a startup shortcut.
Installed cleanly into Program Files; settings in ProgramData.
No desktop icon cluttering production machines.

Security & integrity

Designed to pass security review, without embedded secrets or risky update logic.

Password required for critical actions and configuration changes.
Password stored as a salted SHA‑256 hash, not plain text.
No hardcoded credentials or tokens inside the binary.
Compatible with locked-down, non-admin operator accounts.

No hardcoded secrets

Password hashing

Operator-safe

Configurable without code

Adjust the block region and visual behavior without rebuilding the application.

Settings dialog for position, size, and visibility.
Reset-to-defaults option for quick recovery.
All settings stored and auto-saved in ProgramData.
Works across reboots and software updates.

For IT & security

Production-ready by design.

Locked-down friendly

Touch Guard is deployed with a standard Windows installer (Inno Setup), installs into Program Files, and stores configuration in ProgramData so it fits golden images and locked-down endpoints.

No changes to user profiles required.
Runs under standard user accounts after deployment.
Can be started via Startup folder or scheduled task.
Minimal footprint and predictable behavior.

Security posture

The tool is designed to be easy to explain to security reviewers and auditors.

No embedded credentials, API keys, or shared secrets.
Password-based actions use salted SHA‑256 hashing.
All remote update URLs are under touch-guard.net.
Update packages verified via SHA‑256 hash before install.

Approval package

Provide IT with a concise bundle that explains how Touch Guard behaves.

1-page technical overview for architecture and data flow.
Update channel description with sample latest.json.
List of file system and registry touchpoints.
Change-log and versioning template for updates.

Support & deployment

Roll out Touch Guard once, then maintain it remotely.

Silent install and upgrade options for IT-driven deployment.
Same installer can be used across multiple sites.
No on-site work needed to roll out new versions.
Clear rollback strategy through installer-based updates.

Installer-based lifecycle

Silent upgrades

Remote update system

Control every site from touch-guard.net.

Simple JSON manifest

Each endpoint checks a small JSON file hosted under your Cloudflare-powered domain.

latest.json contains version, download URL, and SHA‑256 hash.
Endpoints compare their local version with the manifest.
If an update is available, they download and verify the installer.
Only a hash match triggers installation.

Silent rollout

Operators stay focused on production while the system keeps itself current.

Silent installer runs with no UI during upgrade.
Touch Guard restarts automatically after update.
No RDP sessions or on-site visits required.
Version history tracked through your change-log.

Domain control

All update traffic goes through touch-guard.net, making it straightforward to audit and secure.

HTTPS-only endpoints using your TLS configuration.
Optionally restrict manifest access by IP or path rules.
Static hosting for predictable behavior.
Easy to integrate with your existing pipeline.

Next steps

Once IT is comfortable with the approach, you can standardize remote updates as part of your internal tooling strategy.

Reuse the update pattern for other internal utilities.
Automate manifest publishing from your build process.
Maintain a single source of truth for versions.
Turn updates into a routine, not a site visit.

Manifest-driven updates

Cloudflare-friendly

Trusted by

Organizations running Touch Guard in production.

💊

Central Pharmacy Services

A subsidiary of Shoppers Drug Mart

Active deployment

Central Pharmacy Services relies on Touch Guard to lock down critical click regions in their production workflow application (vbm.bco.exe), preventing accidental operator input during sensitive dispensing and verification steps across multiple pharmacy sites.

Pharmacy operations Multi-site deployment Remote updates Workflow protection

Is your organization using Touch Guard?
Get in touch to be featured here or to request a tailored deployment package.