Advanced Options

Allow child processes will match this application definition

If this box is checked, then any child processes that are launched from this application (or its children) also match this rule. The rules are still processed in order, so it’s still possible for a child process to match a higher precedence rule (or Workstyle) first. Therefore, this option prevents a child process from matching a lower precedence rule. It should also be noted that if an application is launched via an On-Demand rule and this option is selected, then its children are processed against the On-Demand rules, and not the Application Rules. If this option is not selected, then the children are processed against the Application Rules in the normal way. You can further refine this option by restricting the child processes to a specific Application Group. The default is to match <Any Application>, which matches any child process.

If you want to exclude specific processes from matching this rule, then click …match… to toggle the rule to …does not match….

Child processes are evaluated in the context that the parent was executed. For example, if the parent was executed through on-demand shell elevation, then the Privilege Management for Windows client first attempts to match On-Demand Application Rules for any children of the executed application.

Force standard user rights on File Open and Save common dialogs

If the application allows a user to open or save files using the common Windows open/save dialog box, then selecting this option ensures that the user does not have admin privileges within these dialog boxes. These dialog boxes have Explorer-like features, and allow a user to rename, delete, or overwrite files. If an application is running with elevated rights, then the Open and Save dialog boxes allow a user to replace protected system files.

Where present, this option is selected by default to ensure that Privilege Management for Windows forces these dialog boxes to run with the user’s standard rights, to prevent the user from tampering with protected system files.