Good day!

I would like to know whether it is possible, using WinAPI or .NET, to strictly restrict a running process's access to the computer's file system (completely prohibit changes, or allow changes only in certain directories).

If there is such an opportunity, please suggest how to use it. I will be grateful.

P.S. I know that in Linux there is a setrlimit system call; alas, I did not find an analogue for Windows...

  • You can run the process on behalf of a user with limited rights. - VladD
  • I know this method is currently implemented. But I would like to do it programmatically and specifically for the specified process / all child processes. - Sirkadirov
  • Well, this can be done programmatically. In addition, in theory you can explicitly create a restricted security token using CreateRestrictedToken. You can start the process through CreateProcessAsUser and pass the token there. - VladD
  • @VladD: Thank you! The 2nd option suited me. Post it as an answer. - Sirkadirov

1 answer

You need the CreateProcessAsUser function. It allows you to start the process on behalf of another user to whom you can “write out” limited rights.

If you want to further restrict the rights of your process, you can create a new access token using CreateRestrictedToken, in which you leave only the rights that the process really needs.

Apparently, you can also use the tools built into .NET, as in this example. The code to start the process, apparently, must be placed inside

 using (WindowsImpersonationContext impersonatedUser = newId.Impersonate()) { ... }
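
The two calls named in the answer, wired together through P/Invoke from C#. This is an added example, not code from the answer; the class name `RestrictedLauncher` and the default `notepad.exe` command line are illustrative assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

static class RestrictedLauncher // hypothetical name, not from the original post
{
    const uint TOKEN_ASSIGN_PRIMARY = 0x0001, TOKEN_DUPLICATE = 0x0002, TOKEN_QUERY = 0x0008;
    const uint DISABLE_MAX_PRIVILEGE = 0x1; // strips every privilege except SeChangeNotifyPrivilege

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CreateRestrictedToken(IntPtr token, uint flags, uint disableCount, IntPtr disableSids,
        uint deleteCount, IntPtr deletePrivs, uint restrictCount, IntPtr restrictSids, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine, IntPtr procAttrs,
        IntPtr threadAttrs, bool inherit, uint flags, IntPtr env, string cwd,
        ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    static void Main(string[] args)
    {
        // Constructed sample command line; the W variant may write to this buffer, hence StringBuilder.
        var cmd = new StringBuilder(args.Length > 0 ? args[0] : "notepad.exe");
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY, out IntPtr token))
            throw new Win32Exception();
        // No deny-only SIDs, deleted privileges or restricting SIDs are passed; only the flag is used.
        if (!CreateRestrictedToken(token, DISABLE_MAX_PRIVILEGE, 0, IntPtr.Zero, 0, IntPtr.Zero, 0, IntPtr.Zero, out IntPtr restricted))
            throw new Win32Exception();
        var si = new STARTUPINFO { cb = Marshal.SizeOf<STARTUPINFO>() };
        if (!CreateProcessAsUser(restricted, null, cmd, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out PROCESS_INFORMATION pi))
            throw new Win32Exception();
        Console.WriteLine($"Started PID {pi.dwProcessId} with a restricted token");
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(restricted); CloseHandle(token);
    }
}
```

`DISABLE_MAX_PRIVILEGE` only removes privileges: file writes are still decided by each object's ACL checked against the SIDs in the token. Limiting writes to particular directories therefore also needs the deny-only or restricting SID arguments of `CreateRestrictedToken` (left empty here) together with matching ACLs on those directories.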