Patent attributes
A method is provided for protecting a computer system, comprising: attaching a security descriptor to a process running on a processor of the computer system; associating with the security descriptor an isolation indicator that indicates the process runs in an isolation mode; calling a system routine by the isolated process that is also callable by a process that is not running in isolation mode; attempting to write to an object of a disk or a registry by the system routine called by the isolated process; determining whether the system routine is requesting the write on behalf of the isolated process or not; if the write is requested on behalf of the isolated process, then performing the write in a pseudo storage area; and if the write is requested on behalf of the non-isolated process, then performing the write in an actual storage area in which the disk or registry resides.