@MotoX80
Well, I have not built an app, this is a framework where other applications operate in (e.g. Microsoft Word, WinRAR, WinZip, Zoom). I want to control what applications can be installed and then further be operated just fine. So, to that extent, this is a privilege management system. For comparison, and if you are familiar, imagine an amalgamation of SRP and AppLocker, with more things (e.g. security token swapping/replacement).
So, talking WinForms won't be correct, as I don't inject/control anything in any app. I hook into Windows Kernel. I am assuming I am at the right place asking all these questions though, yeah?
Now, in theory, it does looks like that in order to "truly" (like, really truly) detect if it was a user who just opened (well, tried to since I intercept it right away before allowing it) an application (whether via Desktop, Start Menu, pinned shortcut, and so on), things that go into this are: input device and/or location of cursor AND immediate parent process.