Page 1 of 1

New Column: AppContainer

Posted: 22 Feb 2019 17:15
by WildByDesign
I would like to request the addition of a new column in Process Hacker that a user can optionally select; AppContainer.

Process Hacker (nightly builds) only labels some process as AppContainer within the Token tab. I propose having two columns because not all Untrusted or Low integrity processes are AppContainer. So I would not suggest to do this the way that Process Explorer has done it.

For an example, please see the TokenViewer binary from James Forshaw's sandbox-attacksurface-analysis-tools. James is Chrome/Chromium's sandboxing wizard for Windows and I believe is also with Project Zero right now. Please see the latest binaries available: ... s/releases

You will see that TokenViewer has two columns: Integrity Level as well as AppContainer

The AppContainer column is quite simple by simply showing True or False.

Personally, if this AppContainer column is implemented, it would be good to also show the more recent LPAC (Less Privileged AppContainer) differentiated from regular AppContainer. So the column contents could be: AC, LPAC or blank.

For some details on LPAC, see:
Essentially relating to the WIN://NOALLAPPPKG security attribute.

@dmex By the way, I want to Thank You for your recent work with adding Capabilities in recent Nightly builds. Absolutely fantastic work!

Thank you for your time.

Re: New Column: AppContainer

Posted: 27 Feb 2019 14:51
by WildByDesign
I forgot to attach a screenshot. I wanted to show a screenshot from the TokenViewer program UI that shows how James Forshaw from Google's P0 team has differentiated between Integrity Level and AppContainer. It just shows AppContainer simply as True or False. However, I would suggest: AC, LPAC, blank

AC - regular AppContainer
LPAC - Less Privileged AppContainer
blank - n/a (process is not within AppContainer sandbox
TokenViewer.png (8.8 KiB) Viewed 4981 times
Thank you for your time.