| CPC G06F 21/44 (2013.01) | 10 Claims |

1. A method for implementing a privilege management agent in an operating system having User Account Control (UAC), the privilege management agent having pre-defined application control policies and an application control service (ACS), the privilege management agent used to process elevation requests to provide a token to allow a process running under a user account to run as an elevated process based on a pre-defined process access policies, the method comprising:
after a process having a primary access token is launched without an elevation request, said ACS evaluating said process and said pre-defined process access policies for a match which would allow said process to run as a process with elevation,
if said ACS does not find a matching policy, allowing said process to run with a restricted access token;
if said ACS finds a matching policy, applying said matching policy to said process to allow said process to run with elevated rights,
wherein one of said pre-defined access policies selectively restricts said primary access token and/or creates an alternate access token for use by an injected application control code, said method further comprising:
temporarily halting said process, said ACS injecting said application control code into said process;
if said alternate access token was created, injecting said alternate access token into said process;
resuming said process;
if said process calls an API function that is under application control, said injected application control intercepting said API function call and transferring execution of said process to a wrapper function;
said wrapper function evaluating settings provided by said application control;
said wrapper function returning an access denied error if said settings do not allow the function call to proceed;
said wrapper function allowing the function call to proceed, if said settings allow the function call.
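The decision flow of claim 1, modeled as a small portable C program. This is an added example, not code from the patent or from any product. The policy table, the function names and the API bitmask are hypothetical, a policy match is simplified to "elevated token plus application control", and the halt/inject/resume steps are represented only by a flag.

```c
#include <stdio.h>
#include <string.h>

#define ACCESS_DENIED 5  /* same numeric value as Win32 ERROR_ACCESS_DENIED */
enum { API_WRITE_FILE = 1, API_CREATE_PROCESS = 2 };  /* hypothetical controlled APIs */
typedef enum { TOKEN_RESTRICTED, TOKEN_ELEVATED } token_kind;

typedef struct { const char *image; unsigned allowed; } policy;
typedef struct { token_kind token; int controlled; unsigned allowed; } process;

/* Constructed sample policies: image name and the controlled calls it may make. */
static const policy POLICIES[] = {
    { "installer.exe", API_WRITE_FILE },
    { "admintool.exe", API_WRITE_FILE | API_CREATE_PROCESS },
};

/* ACS step: a process launched without an elevation request is matched
   against the policies. No match leaves it on a restricted token. */
static process acs_evaluate(const char *image) {
    process p = { TOKEN_RESTRICTED, 0, 0 };
    for (size_t i = 0; i < sizeof POLICIES / sizeof POLICIES[0]; i++) {
        if (strcmp(POLICIES[i].image, image) == 0) {
            p.token = TOKEN_ELEVATED;
            p.controlled = 1;  /* stands in for halt, inject control code, resume */
            p.allowed = POLICIES[i].allowed;
            break;
        }
    }
    return p;
}

typedef int (*api_fn)(void);
static int real_api(void) { return 0; }  /* placeholder for the intercepted function */

/* Wrapper step: evaluate the settings before the call proceeds. A process
   without application control is passed through; the operating system's
   own checks against its restricted token still apply to it. */
static int wrapper_call(const process *p, unsigned api, api_fn original) {
    if (p->controlled && !(p->allowed & api))
        return ACCESS_DENIED;
    return original();
}

int main(void) {
    process p = acs_evaluate("installer.exe");
    printf("write file:     %d\n", wrapper_call(&p, API_WRITE_FILE, real_api));
    printf("create process: %d\n", wrapper_call(&p, API_CREATE_PROCESS, real_api));
    return 0;
}
```

The point to notice is that elevation and per-call control are separate decisions: a process can hold elevated rights and still have individual API calls refused by the wrapper.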