除了PsExec, SAFER 之外, Sandboxie (沙盤) 是另外一種可以限制應用程式的Windows 子系統, 不過其原理不在於限制
權限, 而在於限制儲存時僅能存入
虛擬磁碟 【下載】Sandboxie (沙盤) - 微型影子系統 - PCZONE 討論區 【轉貼】PowerShadow-方便安全的軟體測試平台 - PCZONE 討論區 【轉貼】iThome online : : 揪出資安威脅藏鏡人:傀儡程式 - PCZONE 討論區 How the right user account can help your computer security Windows Administration: Problems of Privilege: Find and Fix LUA Bugs -- TechNet Magazine, August 2006Least-Privilege User Accounts
Determining a true LUA bug
Techniques for fixing LUA bugs
Mark's Blog : PsExec, User Account Control and Security BoundariesThere’s only one catch to the virtual sandbox the restricted token creates: processes running in the sandbox are running as you, and so can read and write any files, Registry keys, and even other processes to which your account has access. That caveat creates major gaps in the walls of the sandbox and malicious code written with awareness of the restricted environment could take advantage of them to escape and become full administrator. An easy way out is for the malware to simply use OpenProcess to gain access to one of your processes running outside the sandbox and to inject into it code and a thread to execute the code.