(In reply to Niklas Baumstark from comment #10)
> Maybe this can also be done with just normal ACLs, unfortunately I'm not an expert in Windows security

It looks like you can do exactly this, thanks!

The CreateProcessAsUser function can take two LPSECURITY_ATTRIBUTES arguments, which allows you to set the security descriptor for the process and thread. If I pass a security descriptor with just the user in the DACL, then the OpenProcess fails, because the normal content processes have the user removed from their access token.

Then I found a setting that had been added to the sandbox policy a while ago that doesn't add the Restricted SID and removes the Logon SID from the access token used to create the process. This is what is used to get the security descriptor if null is passed for the LPSECURITY_ATTRIBUTES for the process and thread, so this is a really simple change to achieve the same result.
Bug 1554110 Comment 13 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Niklas Baumstark from comment #10)
> Maybe this can also be done with just normal ACLs, unfortunately I'm not an expert in Windows security

It looks like you can do exactly this, thanks!

The CreateProcessAsUser function can take two LPSECURITY_ATTRIBUTES arguments, which allows you to set the security descriptor for the process and thread. If I pass a security descriptor with just the user in the DACL, then the OpenProcess fails, because the normal content processes have the user removed from their access token.

Then I found a setting that had been added to the sandbox policy a while ago that doesn't add the Restricted SID and removes the Logon SID from the ACL on the access token used to create the process. This is what is used to get the security descriptor if null is passed for the LPSECURITY_ATTRIBUTES for the process and thread, so this is a really simple change to achieve the same result.