(In reply to Watchdog)
That's true, but considering it's already possible through /run, or, if user locked it, through COM objects, why not to add an internal support?
I think that extended lock dialog, as suggested before, would be the best way of protecting yourself against malicious stuff.