Reputation: 61
I have a problem I can't seem to find the answer to, though I am sure it is out there. Is there a way I can disable registry and file access for a newly-created process? I am using Job objects ( http://msdn.microsoft.com/en-us/library/windows/desktop/ms682409(v=vs.85).aspx ) and it says to set the permissions for each new job process, and in a few books I have read that things such as registry and file access can be controlled.
While looking for my answer I saw that I needed to add LUIDs for things such as SE_BACKUP_NAME and such (or whatever it is called), but none of those privilege constants seem to reflect the kind of control I want. So my exact question is: How would I go about disabling registry/file write access for a newly created process in a Job?
I am trying to create a sandboxed application, btw. This is so I can prevent it from making any changes to the registry or writing any files while it runs.
Any help would be appreciated!
Upvotes: 6
Views: 1047
Reputation: 24253
I don't think you can disable access outright, as many subsystems rely on it (COM, the shell, some DLL initialisation, debugging, etc.). An alternative would be to allow access, but to a limited sandbox, which can be done with the integrity system. Setting it to low integrity will block most write access and is used by protected mode IE.
Upvotes: 0
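The low-integrity approach from the answer above, as an added example that is not part of the original thread: it labels a private copy of cmd.exe Low, runs it, and checks from the outside which file and registry writes the Low process managed to make. The names LowILDemo, cmd-low.exe, writable and lowil-probe.txt are made up for the demo.

```powershell
# Added example. LowILDemo, cmd-low.exe and lowil-probe.txt are made-up names.
$root   = Join-Path $env:LOCALAPPDATA 'LowILDemo'
$lowCmd = Join-Path $root 'cmd-low.exe'
$lowDir = Join-Path $root 'writable'
New-Item -ItemType Directory -Force -Path $lowDir | Out-Null
Copy-Item (Join-Path $env:SystemRoot 'System32\cmd.exe') $lowCmd -Force

# A new process gets the lower of the caller's integrity level and the label
# on its image file, so labelling the copy Low makes every launch of it Low.
icacls $lowCmd /setintegritylevel Low | Out-Null
# Give the sandbox one place it may write: a directory labelled Low, inherited
# by files (OI) and subdirectories (CI) created inside it.
icacls $lowDir /setintegritylevel '(OI)(CI)Low' | Out-Null

function Test-LowWrite([string]$Dir) {
    # Run the Low shell with $Dir as its working directory and let it try to
    # create a file there; report whether the file exists afterwards.
    $probe = Join-Path $Dir 'lowil-probe.txt'
    Push-Location $Dir
    try { & $lowCmd /c 'echo probe>lowil-probe.txt' *> $null }
    finally { Pop-Location }
    $created = Test-Path $probe
    if ($created) { Remove-Item $probe }
    return $created
}

# Integrity level the child actually runs at.
& $lowCmd /c 'whoami /groups' | Select-String 'Mandatory Label'

# File system: the profile directory carries no Low label, the sandbox
# directory does. Compare the two results.
[pscustomobject]@{
    ProfileWrite = Test-LowWrite $env:USERPROFILE
    SandboxWrite = Test-LowWrite $lowDir
}

# Registry: ask the Low shell to create a key under HKCU, then look for it.
& $lowCmd /c 'reg add HKCU\Software\LowILDemo /f' *> $null
Test-Path 'HKCU:\Software\LowILDemo'
```

The default integrity policy only stops writes to higher-labelled objects, so the Low process can still read whatever the user's ACLs allow.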
Reputation: 16896
Windows accesses many resources during process startup, so if you successfully disabled access to the filesystem and registry the process wouldn't start.
Ideally, you'd want access to be restricted after process initialization was complete, but Windows doesn't have a mechanism to do this for arbitrary processes. The sandbox in the Chrome browser relies on the cooperation of the sandboxed process.
The documentation for the Chrome sandbox has a nice overview of the various security mechanisms available in Windows and explains how they are used in Chrome. It's a nice solution if you are trying to sandbox your own code.
Upvotes: 4