On WHDC, Microsoft has a document entitled "Protected Processes in Windows Vista". While I'm not yet living in Vista-land (though I do visit at least weekly), I don't have my head buried in the sand, either. But I can honestly say that this is the first I've heard about this new type of process introduced in Vista. The new type of process was created "to enhance support for digital rights management functionality in Windows Vista". Heh heh. Seems a bit interesting that DRM is specified as the the driving force behind this.
Anyway, the paper outlines what one can and cannot do with protected processes (from the perspective of utility software that does process reporting and other interaction with processes running on the system). There's really only 3 pages of meat in the document, but it seems like a good overview.
The paper states that "...due to the restrictions of running inside a protected process, the operating system requires that these processes be specially signed". That's a good thing... Imagine malware running as a protected process. Blech.
I'm probably being too literal here, but does the process need to be signed, or is it the binary image on disk that needs to be signed? And what is meant by "specially signed"? Is that something different from the standard implied meaning?
And that statement makes me wonder further - there are restrictions on running inside a protected process? The paper also states that the "primary difference between a typical process and a protected process is the level of access that other processes in the system can obtain to protected processes". This seems contrary to the previous statement. However since the paper is about interacting with protected processes, rather than restrictions that may be imposed upon code running in the context of a protected process, the answers will have to come from elsewhere.
Protected process can pose a "problem if memory scanning is critical to the operation of the application [that wishes to interact with protected processes]". Should be interesting to see how vendors of AV and other security software deal with this new class of process.
Another blurb at the bottom of the document caught my attention...
What? I'm ignorant. What does this mean: "may rely on the fact that protected processes...run in a contained environment". What happens if a kernel-mode component plays with "the memory of a protected process"? Nothing may happen now, but it could break things later? If anyone would care to provide clarification, I would appreciate it.
Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment.
Also Channel 9 has a video on Process Management in Windows Vista which I have yet to find time to watch. The summary states:
Vista introduces a new type of process called a protected process. What are "protected processes"? How do they work?I suspect that at least some of my questions will be answered there.
Doesn't look like Process Explorer yet detects / identifies protected processes. The feature isn't listed on the program page, and searches don't turn up much:
Google Groups Search
Sysinternals Forums Search