I was reading about UAC's implementation on MSDN: http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
Chanced upon this interesting line:
Although AIS is technically the parent of the elevated process, AIS uses new support in the CreateProcessAsUser API that sets the process’s parent process ID to that of the process that originally launched it (see Figure 13).
Here is the MSDN page for CreateProcessAsUser:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx
BOOL WINAPI CreateProcessAsUser(
  _In_opt_    HANDLE                hToken,
  _In_opt_    LPCTSTR               lpApplicationName,
  _Inout_opt_ LPTSTR                lpCommandLine,
  _In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
  _In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
  _In_        BOOL                  bInheritHandles,
  _In_        DWORD                 dwCreationFlags,
  _In_opt_    LPVOID                lpEnvironment,
  _In_opt_    LPCTSTR               lpCurrentDirectory,
  _In_        LPSTARTUPINFO         lpStartupInfo,
  _Out_       LPPROCESS_INFORMATION lpProcessInformation
);
The excerpt says we can create a process and set a different parent by using options in the API. I am not sure how to do this. Do I need to dig into the token?
This functionality is documented in the MSDN entries for the InitializeProcThreadAttributeList and UpdateProcThreadAttribute functions.
In particular, see the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute:
The lpValue parameter is a pointer to a handle to a process to use instead of the calling process as the parent for the process being created. The process to use must have the PROCESS_CREATE_PROCESS access right.