In prior versions of Windows, parent processes have complete control over their child processes, and administratively started processes can control other processes. A common malware ploy is to maliciously manipulate an existing legitimate application or service into running a new malicious process. Often the new malicious process will incorrectly appear to the operating system and other defense tools as a legitimate child process. Or a rogue invoked process can modify another completely unrelated legitimate process into doing something malicious.
Windows Vista introduces the concept of protected processes (unfortunately currently focused on DRM technologies and content), which run alongside non-protected processes. Only system and application files digitally signed and belonging to the Windows Protected Media Path (WMPM) can create a protected process. When a process is protected, a non-protected process or thread cannot:
Access the virtual memory area of a protected process
Debug an active protected process
Inject a new thread into a protected process
Impersonate a thread
Set or receive context information
Duplicate a handle from a protected process
There are other process protections, as you can read about at http://www.microsoft.com/whdc/system/Vista/process_Vista.mspx.
Note: Protected processes can be recognized in Task Manager by locating processes (besides System and System Idle) that show no values in the Data Execution Prevention or Virtualization columns. Enable Show processes from all users and add the Data Execution Prevention and Virtualization columns to the list of columns displayed on Task Manager's Processes view. You can run Vista's Audiodg.exe program as an example; it appears in Task Manager as a protected process.
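As an added example (not from the book), the following PowerShell script applies the first restriction in the list above as a scripted version of the Task Manager check: from an elevated prompt, a non-protected caller is still granted the limited query right on a protected process but is refused PROCESS_VM_READ. It assumes Windows Vista or later and an elevated session; the function name Test-ProtectedProcess and the heuristic of treating "limited query succeeds, VM_READ refused" as protected are this example's own.

```powershell
# Added example: probe each process for the memory-access restriction that
# protected processes impose on non-protected callers. Run elevated so that
# ordinary processes of other users do not also refuse PROCESS_VM_READ.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'K32' -Namespace 'ProtectedProbe' -PassThru

$PROCESS_VM_READ                   = 0x0010   # needed to read another process's memory
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # still granted on protected processes

function Test-ProtectedProcess {
    param([int]$ProcessId)
    # Step 1: the limited query right must be obtainable, otherwise the process
    # has exited or is inaccessible for some other reason; report "unknown".
    $h = $k32::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    [void]$k32::CloseHandle($h)

    # Step 2: a protected process refuses PROCESS_VM_READ to a non-protected caller,
    # while a normal process grants it to an elevated caller (heuristic, not an API).
    $h = $k32::OpenProcess($PROCESS_VM_READ, $false, $ProcessId)
    if ($h -ne [IntPtr]::Zero) { [void]$k32::CloseHandle($h); return $false }
    return $true
}

# Skip System Idle (0) and System (4), as the Task Manager note does.
Get-Process | Where-Object { $_.Id -gt 4 } | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.ProcessName
        Id              = $_.Id
        LikelyProtected = Test-ProtectedProcess -ProcessId $_.Id
    }
} | Where-Object { $_.LikelyProtected -eq $true } | Format-Table -AutoSize
```

With Audiodg.exe running, it should be among the processes listed; a process flagged here that is not a known protected media or system component is worth a closer look.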