Background:
I am working on a project that is supposed to control whether an application should be allowed to execute or not, as well as handle UAC for the users, i.e. a user, at most, only sees a customized consent screen and never a credential prompt. I intercept the process and block the execution while our custom code is executing and making some determination about the file (now, process). For some background, running custom code is possible since I use a privilege management system which has an option to run custom code. There were multiple issues, and I am more or less past them, i.e. the project works. I have tested around ~150 setups (pre- and post-install) and they all seem to be fine; of course, each of these apps has not been tested thoroughly, considering that as out of scope, and there are obviously thousands of apps out there, and covering them is the intention. Now, a few technical decisions that were made to make this project possible are anti-best-practice. That said, I still went that route since it seemed to be the only possible solution for this, based on my exposure to Windows Internals.
Problem:
Determine if a process is invoked "directly" by a user
Solution:
If the (immediate, not anywhere in the process tree) invoking process matches one from a list of processes (e.g. explorer, cmd, powershell, runtimebroker, chrome, firefox), then it has to have been invoked directly by the user. I know there are edge cases to this (e.g. there are non-direct processes whose parent could match as per this logic). The implementation ensures we gracefully handle them.
Caveat(s):
Since I only allow (directly) user-started processes after they meet certain criteria, this is an "explicit deny" logic. I prefer "implicit deny" and "explicit allow".
Ask:
Is there a simple and better way to detect whether a process has been "directly" started by the user? Is there some Windows API that can do this for me? If not, why is this hard to implement, not possible, or not worthwhile?
Whatever suggestions are provided, please share some documentation, if available, as that is going to help in more than one way.
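As an added illustration of the parent-process check described in the question (this is example code written for this page, not the poster's project code), the following PowerShell function implements the "immediate parent is in an allow-list" rule, but with the classification flipped to implicit deny: every branch that cannot positively prove an interactive, same-user, same-session parent returns a deny. It also handles the edge cases a bare ParentProcessId comparison misses, namely an orphaned child whose parent has exited, and PID reuse (the PID recorded as the parent now belongs to a process that started after the child). The allow-list contents and the function name are my assumptions; the script queries Win32_Process over CIM and needs enough rights to read the target process.

```powershell
# Example code added for this page; not part of the question's project.
# Assumed allow-list of "user launcher" executables (illustrative, not authoritative).
$UserLaunchers = @('explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe',
                   'runtimebroker.exe', 'chrome.exe', 'firefox.exe')

function Test-DirectUserLaunch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [string[]]$Launchers = $UserLaunchers
    )

    # Helper: build a uniform deny/allow result (hypothetical shape, assumed for this example).
    function New-Result([bool]$Allowed, [string]$Reason) {
        [pscustomobject]@{ ProcessId = $ProcessId; Allowed = $Allowed; Reason = $Reason }
    }

    $child = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $child) { return New-Result $false 'child process not found' }

    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($child.ParentProcessId)"

    # Orphan: the creator already exited, so nothing can be proven about it. Deny.
    if (-not $parent) { return New-Result $false 'parent already exited (orphan)' }

    # PID reuse: ParentProcessId is only a number recorded at creation time. If the
    # process currently holding that PID started AFTER the child, it is not the real
    # parent; the real parent exited and Windows recycled its PID. Deny.
    if ($parent.CreationDate -gt $child.CreationDate) {
        return New-Result $false 'parent PID was reused; true parent unknown'
    }

    # Session check: session 0 is services; a parent in a different session than the
    # child is not the user's own shell/browser launching something.
    if ($child.SessionId -eq 0 -or $parent.SessionId -ne $child.SessionId) {
        return New-Result $false "session mismatch (child $($child.SessionId), parent $($parent.SessionId))"
    }

    # Owner check: both processes must run as the same account. A parent running as
    # SYSTEM or another user that spawns into the user's session is not "direct".
    $childOwner  = Invoke-CimMethod -InputObject $child  -MethodName GetOwner
    $parentOwner = Invoke-CimMethod -InputObject $parent -MethodName GetOwner
    if ($childOwner.ReturnValue -ne 0 -or $parentOwner.ReturnValue -ne 0) {
        return New-Result $false 'could not resolve process owner'
    }
    $childAcct  = "$($childOwner.Domain)\$($childOwner.User)"
    $parentAcct = "$($parentOwner.Domain)\$($parentOwner.User)"
    if ($childAcct -ne $parentAcct) {
        return New-Result $false "owner mismatch ($childAcct vs $parentAcct)"
    }

    # Finally, the explicit-allow rule from the question: the immediate parent's image
    # name must be on the launcher list (PowerShell string comparison is case-insensitive).
    if ($Launchers -notcontains $parent.Name) {
        return New-Result $false "parent '$($parent.Name)' is not an allowed launcher"
    }

    return New-Result $true "launched by $($parent.Name) in session $($child.SessionId) as $childAcct"
}

# Usage: classify the current PowerShell host process (its parent is usually explorer.exe,
# a terminal, or whatever started the shell).
Test-DirectUserLaunch -ProcessId $PID | Format-List
```

Two caveats worth keeping in mind with any parent-based rule, including this one. First, the parent PID is attacker-controllable: a process created with CreateProcess and the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute (via UpdateProcThreadAttribute) records an arbitrary process the caller holds a handle to as its parent, so a malicious launcher can present itself as a child of explorer.exe. The session and owner checks above narrow that, but do not close it. Second, legitimate launches frequently arrive through an intermediary (for example a process started from the Start menu or a shortcut may have a broker rather than explorer.exe as its immediate parent), which is why a pure immediate-parent list will produce false denies and needs the kind of graceful handling the question mentions.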