
Running a process with lowest possible privileges in winapi


Take a look at OpenProcessToken and AdjustTokenPrivileges - these let you fine-tune (to some extent) the permissions of your process. You can use SaferCreateLevel for some standard rights like SAFER_LEVELID_UNTRUSTED.


Consider running the user process inside a job object. Child processes created by the user process will end up inside the same job object too. You can apply specific restrictions on how many resources the job can use, how it can interact with the GUI, etc. (see the SetInformationJobObject function). You can kill all processes inside a job object with one blow.


We have a chunk of code for doing this, though I can't post it :(

Create a "restricted" access token based on the access token for this process. Then create a new process for the app with this access token.

Had a comment with the code - More information can be found in the MSDN article called, "Browsing the Web and Reading E-mail safely as an Administrator". However as usual MS has broken the web and the article isn't there any more.

Associated searches found the "DropMyRights" app, linked on a blog linking to this article, which may do what you want and offers up source, but again those links have become broken in the blog page.

You may want to look at functions like OpenProcessToken, GetTokenInformation, CreateRestrictedToken

and privs like SE_CHANGE_NOTIFY_NAME
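The steps the answers above describe (a restricted token derived from the current process token, and a job object around the child), combined into one routine as an added example that is not code from any of the posters. The name run_restricted, the process limit of 4 and the chosen UI restrictions are assumptions for illustration; outside Windows only a stub is compiled.

```c
/* Windows only (link advapi32). run_restricted() runs cmdline, a writable
   buffer, and returns 0 on success or a Win32 error code. */
#ifdef _WIN32
#include <windows.h>
int run_restricted(char *cmdline)
{
    HANDLE tok = NULL, low = NULL, job = NULL;
    BYTE adm[SECURITY_MAX_SID_SIZE];
    DWORD n = sizeof adm, err = ERROR_INVALID_PARAMETER;
    SID_AND_ATTRIBUTES deny = { adm, 0 };
    JOBOBJECT_EXTENDED_LIMIT_INFORMATION lim = {0};
    JOBOBJECT_BASIC_UI_RESTRICTIONS ui = {0};
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi = {0};
    BOOL ok;
    if (!cmdline) return (int)err;
    ok = OpenProcessToken(GetCurrentProcess(),
             TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &tok)
      && CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, adm, &n)
      /* Administrators -> deny-only; every privilege but SeChangeNotify removed */
      && CreateRestrictedToken(tok, DISABLE_MAX_PRIVILEGE, 1, &deny,
                               0, NULL, 0, NULL, &low)
      && (job = CreateJobObjectA(NULL, NULL)) != NULL;
    lim.BasicLimitInformation.LimitFlags =
        JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE | JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
    lim.BasicLimitInformation.ActiveProcessLimit = 4;   /* assumed cap */
    ui.UIRestrictionsClass = JOB_OBJECT_UILIMIT_HANDLES |
        JOB_OBJECT_UILIMIT_READCLIPBOARD | JOB_OBJECT_UILIMIT_WRITECLIPBOARD |
        JOB_OBJECT_UILIMIT_DESKTOP | JOB_OBJECT_UILIMIT_EXITWINDOWS;
    ok = ok
      && SetInformationJobObject(job, JobObjectExtendedLimitInformation, &lim, sizeof lim)
      && SetInformationJobObject(job, JobObjectBasicUIRestrictions, &ui, sizeof ui)
      /* Suspended start: nothing runs before the process is inside the job. */
      && CreateProcessAsUserA(low, NULL, cmdline, NULL, NULL, FALSE,
                              CREATE_SUSPENDED, NULL, NULL, &si, &pi)
      && AssignProcessToJobObject(job, pi.hProcess);
    err = ok ? 0 : GetLastError();
    if (ok) { ResumeThread(pi.hThread); WaitForSingleObject(pi.hProcess, INFINITE); }
    else if (pi.hProcess) TerminateProcess(pi.hProcess, 1);
    if (pi.hThread) CloseHandle(pi.hThread);
    if (pi.hProcess) CloseHandle(pi.hProcess);
    if (job) CloseHandle(job);   /* KILL_ON_JOB_CLOSE ends any children left */
    if (low) CloseHandle(low);
    if (tok) CloseHandle(tok);
    return (int)err;
}
#else
int run_restricted(char *cmdline) { (void)cmdline; return -1; } /* stub */
#endif
```

The restricted token still carries the user's own SID, so anything that user can open stays reachable; this removes privileges and the Administrators group, nothing more.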