Comment by jorvi
2 months ago
No, that is completely wrong and would be nuts. The only way the whole session gets elevated is if you'd launch explorer.exe with an admin token.
The way privilege escalation works on Windows is that pretty much everything gets launched with a standard user access token by default, and processes can request an admin access token in a few ways, UAC being the main one. When a process is supplied that token, that process is elevated.
It is more akin to 'sudo' rather than 'su', which makes sense because its progenitor is 'runas' from Windows 2000.
(Only) the process is elevated, but the process has a window on a shared session, and the OS does not successfully protect processes that share a session (and user, and registry, and disk, etc., etc.) from controlling each other.
From an API point of view, only one process is elevated. From a security point of view, if one process is elevated they all are, due to a lack of any effective mechanism that actually stops them.
No, even then there are things like Mandatory Integrity Control and Windows Message Restrictions / UIAccess. I'd dive into to deeper but I just got home from going out haha. Those terms should help you dig into it though!
I do fully agree that desktop OSes are a legacy security model and they can't hold a candle to that of iOS. Android is getting there, but because it also started from mostly an open all-access model it's been having the same warts.