
How does a Windows application prevent inspection from the same user that started it, without elevation?

Çağlar Arlı


I'm investigating the security measurements used by an application running in Windows 10. The application is started by my local non-admin Windows user and does not try to elevate to administrator during startup. Despite this, trying to inspect the process using Process Explorer or inject a DLL into the process fails.

Process Explorer, when being started by the same user that started the other application, just shows "Access denied" for this process. I can't see the image path, what user is running it, etc. If I start it as administrator I do have access and it says that the process is running as my regular user.

Similarly, when trying to inject a DLL into this process it only works if I run the injector as administrator. If I run it as my regular user the call to OpenProcess fails with error code 5 (Access Denied).

Strangely enough, if I start the application via a debugger (Ollydbg in this case), it does not get "hidden"; I can inspect it using Process Explorer and inject DLLs into it as my regular user.

What kind of security measurement is this and how does it work?
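A diagnostic that narrows down the behaviour described in the question, added here as an example and not part of the original post: run it as the same non-elevated user, pointing it at the PID of the application, and it reports which individual process access rights OpenProcess grants or refuses. The `$ProcessId` parameter and the `Win32.Proc` wrapper type are names chosen for this script; the access-mask values are the documented winnt.h constants.

```powershell
# Probe which process access rights the current (non-elevated) user is granted
# on a target process, one right at a time, and report the Win32 error on refusal.
param([Parameter(Mandatory = $true)][int]$ProcessId)

# Minimal P/Invoke surface; Add-Type -MemberDefinition already imports
# System and System.Runtime.InteropServices.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

# Process-specific and standard rights (values from winnt.h), from least to most intrusive.
$rights = [ordered]@{
    'PROCESS_QUERY_LIMITED_INFORMATION' = 0x00001000
    'PROCESS_QUERY_INFORMATION'         = 0x00000400
    'PROCESS_VM_READ'                   = 0x00000010
    'PROCESS_VM_OPERATION'              = 0x00000008
    'PROCESS_VM_WRITE'                  = 0x00000020
    'PROCESS_CREATE_THREAD'             = 0x00000002
    'PROCESS_DUP_HANDLE'                = 0x00000040
    'READ_CONTROL'                      = 0x00020000
    'WRITE_DAC'                         = 0x00040000
}

foreach ($name in $rights.Keys) {
    $handle = [Win32.Proc]::OpenProcess([uint32]$rights[$name], $false, $ProcessId)
    if ($handle -eq [IntPtr]::Zero) {
        # Error 5 = ERROR_ACCESS_DENIED, the code the question reports for OpenProcess.
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "{0,-36} denied  (Win32 error {1})" -f $name, $err
    } else {
        "{0,-36} granted" -f $name
        [void][Win32.Proc]::CloseHandle($handle)
    }
}
```

Reading the output: if even PROCESS_QUERY_LIMITED_INFORMATION and READ_CONTROL come back as error 5 for the user who started the process, the refusal is coming from the security descriptor of the process object itself rather than from a privilege check, which is consistent with the elevated case succeeding (an elevated token carries SeDebugPrivilege, which lets OpenProcess bypass the process DACL). Running the same probe against the instance started under the debugger gives a direct comparison with the "not hidden" case the question describes.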