Protected process light and app hardening

Question

Protected process light and app hardening

Vikram Bhagwat 0

Hello Folks,

PPL documentation at https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-#introduction says,

"Processes that have UI or a GUI cannot be protected because of the way the kernel locks a process in memory and does not allow writes to it."

What happens to the child processes created by protected process? Above restrictions applies to them as well?

Also, is there any other mechanism you would like to recommend to protect a process with GUI? The idea is to protect the process in such way that no malware can open/read/write into my processes. Malware may running in same user context or with higher privilege.

Perhaps, a process filter driver? Any ideas around this?

-- Vikram

1 answer

Your answer

Answer 1

Xiaopo Yang - MSFT 12,731 Microsoft External Staff

Yes, according to UpdateProcThreadAttribute,

In order to launch the child process with the same protection level as the parent, the parent process must specify the PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL attribute for the child process. This can be used for both protected and unprotected processes. For example, when this flag is used by an unprotected process, the system will launch a child process at unprotected level. The CREATE_PROTECTED_PROCESS flag must be specified in both cases.

Another mechanism I come up with is AppContainer Isolation.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-06-30T07:55:17.8466667+00:00

Hello @Vikram Bhagwat, any update?
Vikram Bhagwat 0 Reputation points

2023-07-05T06:02:14.6333333+00:00

once "PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL" is supplied. Above restrictions applies to created child processes as well? Like child UI processes with UI, are they still protected?
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-07-05T06:09:32.0833333+00:00

Yes when Launching a child process with the same protection level as the parent process.
Vikram Bhagwat 0 Reputation points

2023-07-05T06:12:27.4266667+00:00

but what if the child process has UI?
Vikram Bhagwat 0 Reputation points

2023-07-05T06:13:08.4433333+00:00

But what is the child process has UI?
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-07-05T06:36:57.6033333+00:00

As far as I'm concerned, there is no difference.
Vikram Bhagwat 0 Reputation points

2023-07-05T06:45:36+00:00
https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-

Note

Protected Process limitations:

Processes that have UI or a GUI cannot be protected because of the way the kernel locks a process in memory and does not allow writes to it.

Prior to Windows 10, version 1703 (the Creators update), protected processes cannot use the TLS or SSL communication protocols due to limitations of certificate sharing between the Local Security Authority (LSA) and a protected process.
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-07-05T06:52:02.5066667+00:00

Then GUI processes cannot be protected because of the limitation. How about AppContainer Isolation?

Share via

Protected process light and app hardening

1 answer

Your answer