Process
Protected Processes
Windows processes can be classified into several types based on their unique characteristics. Key types include:
Protected Processes: Introduced for DRM purposes, they have limited access to other processes and require a special Windows Media Certificate for their executable files. Examples include Audiodg.exe, Mfpmp.exe, and Werfaultsecure.exe.
Protected Processes Light (PPL): An extension of protected processes that allows third-party programs to have similar privileges. The protection level depends on the program's signature. Many Windows system processes are PPL protected.
Minimal Processes: Managed by the kernel, these processes have no user-mode address space, loaded DLLs, PEB or TEB structures, or initial threads. They are for system use only.
Pico Processes: Small processes that use a pico provider driver to manage their execution. The pico provider can act like a separate kernel without the process being aware of the original system. Pico processes are the basis for the Windows Subsystem for Linux (WSL).
Trustlets (Secure Processes): Highly secure processes created by the Windows kernel in response to user-mode application requests. Trustlets rely on Virtual Trust Levels provided by the Hyper-V Hypervisor for isolation and can only import trusted DLLs.
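As an added example (not code from the original page), the following PowerShell script lists the protection level of every process on the box, which is the practical way to see the Protected / PPL distinction and the signer that granted it. It calls NtQueryInformationProcess with the ProcessProtectionInformation class (61), which returns the one-byte PS_PROTECTION structure (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7); the Type and Signer names are the documented PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER enumerations from ntddk.h. The function names and the `ProcProt` wrapper class are this example's own choices; it assumes Windows 8.1 or later and PowerShell 3 or later.

```powershell
# Added example, not from the original page: enumerate the PS_PROTECTION level
# of every process via NtQueryInformationProcess(ProcessProtectionInformation).
# Assumes Windows 8.1+ and PowerShell 3+; the numeric constants are the
# documented values from ntddk.h / winternl.h.

$nativeApi = @'
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr hProcess, int infoClass, ref byte info, int infoLen, ref int retLen);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
# Add-Type fails if the type already exists in this session, so guard it.
if (-not ('ProcProt' -as [type])) { Add-Type -TypeDefinition $nativeApi }

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # sufficient even against protected processes
$ProcessProtectionInformation      = 61       # PROCESSINFOCLASS 0x3D

# PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER values from ntddk.h
$ProtectedTypes   = @{ 0 = 'None'; 1 = 'ProtectedLight'; 2 = 'Protected' }
$ProtectedSigners = @{ 0 = 'None'; 1 = 'Authenticode'; 2 = 'CodeGen'; 3 = 'Antimalware';
                       4 = 'Lsa';  5 = 'Windows';      6 = 'WinTcb';  7 = 'WinSystem'; 8 = 'App' }

# Decode the raw PS_PROTECTION byte into its bit fields.
function ConvertFrom-PsProtection {
    param([byte]$Level)
    [pscustomobject]@{
        Type   = $ProtectedTypes[[int]($Level -band 0x7)]
        Audit  = [bool](($Level -shr 3) -band 0x1)
        Signer = $ProtectedSigners[[int](($Level -shr 4) -band 0xF)]
        Raw    = ('0x{0:X2}' -f $Level)
    }
}

# Query one process; returns $null when the handle cannot be opened
# (e.g. PID 0 / 4, or access denied when running without elevation)
# or when the query itself fails.
function Get-ProcessProtection {
    param([int]$ProcessId)
    $h = [ProcProt]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        [byte]$level = 0
        [int]$retLen = 0
        $status = [ProcProt]::NtQueryInformationProcess($h, $ProcessProtectionInformation,
                                                        [ref]$level, 1, [ref]$retLen)
        if ($status -ne 0) { return $null }   # NTSTATUS other than STATUS_SUCCESS
        ConvertFrom-PsProtection -Level $level
    } finally {
        [void][ProcProt]::CloseHandle($h)
    }
}

# Walk every process and report the ones that carry any protection.
$report = foreach ($p in Get-Process) {
    $prot = Get-ProcessProtection -ProcessId $p.Id
    if ($null -ne $prot) {
        [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id
                           Type = $prot.Type; Signer = $prot.Signer; Audit = $prot.Audit }
    }
}
$report | Where-Object { $_.Type -ne 'None' } | Sort-Object Signer, Name | Format-Table -AutoSize
```

Run it from an elevated shell to cover the most processes. The Type column separates full protected processes from PPL, and the Signer column shows which signature class granted the level, which is the dependency on the program's signature described above; it is a quick way for a defender to confirm that the system processes expected to run protected actually do.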
Disabling PPL Protection
https://itm4n.github.io/debugging-protected-processes/