OK, that’s it for setting and querying restrictions. Now let’s get back to my StartRestrictedProcess function. After I place some restrictions on the job, I spawn the process that I intend to place in the job by calling CreateProcess. However, notice that I use the CREATE_SUSPENDED flag when calling CreateProcess. This creates the new process but doesn’t allow it to execute any code. Because the StartRestrictedProcess function is being executed from a process that is not part of a job, the child process will also not be part of a job. If I were to allow the child process to immediately start executing code, it would run out of my sandbox and could successfully do things that I want to restrict it from doing. So after ...