What technology area does this patent fall under?

Primary CPC classification G06F21/62. Mapped technology areas include Physics.

When was this patent published?

Publication date Thu Aug 08 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Managing privilege delegation on a computer device

US2019243985A1 · US · A1

Patent metadata
Field	Value
Publication number	US-2019243985-A1
Application number	US-201916269963-A
Country	US
Kind code	A1
Filing date	Feb 7, 2019
Priority date	Feb 8, 2018
Publication date	Aug 8, 2019
Grant date	—

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A computer device for managing privilege delegation to control creation of processes thereon is described. Creation of a process, in a user account on a computer device, is requested according to first privileges. An agent, cooperating with an operating system of the computer device, intercepts the request. The agent determines whether to create the process according to second privileges, different from the first privileges and if permitted, cause the process to be created accordingly. The agent hooks a query provided by the operating system to identify whether a user account control service is enabled. The agent enquires of the operating system whether to create the process according to the second privileges whereupon the hooked query is invoked. In response to the invoked hooked query, the agent confirms to the operating system that the user account control service is enabled, such that checks by the operating system are performed as if the operating system were enabled.

First claim

Opening claim text (preview).

What is claimed is: 1 . A computer device for managing privilege delegation to control creation of processes thereon, the computer device comprising: a processing circuit; a memory; an operating system; a user account control service cooperating with the operating system; and an agent cooperating with the operating system; wherein the agent is arranged to: intercept a request from a user account of a logged-in user on the computer device to create a process according to first privileges in the user account on the computer device and to obtain information related to the request; determine whether to create the process in the user account on the computer device according to second privileges different from the first privileges, based at least in part on the obtained information, by hooking a query provided by the operating system to identify whether the user account control service cooperating the operating system is enabled, enquiring of the operating system whether to create the process in the user account on the computer device according to the second privileges whereupon the hooked query is invoked and confirming, in response to the invoked hooked query, that the user account control service is enabled; and cause the process to be created according to the second privileges in the user account by the operating system on the computer device, if it is determined to create the process in the user account on the computer device according to the second privileges. 2 . The computer device according to claim 1 , wherein the agent is arranged to intercept the request by hooking the request in a user space, an application space and/or a kernel provided by the operating system. 3 . The computer device according to claim 1 , wherein the agent is arranged to determine whether to create the process in the user account on the computer device according to the second privileges different from the first privileges by examining the information and referencing a policy file. 4 . The computer device according to claim 1 , wherein the agent is arranged to determine whether to create the process in the user account on the computer device according to the second privileges different from the first privileges by prompting the logged-in user via the user account for authorisation and receiving the authorisation therefrom. 5 . The computer device according to claim 1 , wherein the agent is arranged to cause the process to be created according to the first privileges in the user account by the operating system on the computer device, if it is determined to not create the process in the user account on the computer device according to the second privileges. 6 . The computer device according to claim 1 , wherein the agent is arranged to cause the process to be created according to the second privileges in the user account by the operating system on the computer device by delegating the second privileges to the process by providing a token, having the second privileges assigned thereto, to the process. 7 . The computer device according to claim 1 , wherein the user account control service cooperating the operating system is disabled. 8 . The computer device according to claim 1 , wherein the first privileges are associated with a standard user account and wherein the second privileges are associated with an administrator account. 9 . The computer device according to claim 1 , wherein the user account is an administrator account. 10 . The computer device according to claim 1 , wherein the agent is arranged to unhook the hooked query in response to the hooked query being invoked. 11 . A method of managing privilege delegation to control creation of processes on a computer device, the method being implemented by hardware of the computer device including at least a processor and a memory, the method comprising: intercepting, by an agent cooperating with an operating system of the computer device, a request from a user account of a logged-in user on the computer device to create a process according to first privileges in the user account on the computer device and obtaining information related to the request; determining, by the agent, whether to create the process in the user account on the computer device according to second privileges different from the first privileges, based at least in part on the obtained information, comprising hooking a query provided by the operating system to identify whether a user account control service cooperating the operating system is enabled, enquiring of the operating system whether to create the process in the user account on the computer device according to the second privileges whereupon the hooked query is invoked and confirming, in response to the invoked hooked query, that the user account control service is enabled; and causing, by the agent, the process to be created according to the second privileges in the user account by the operating system on the computer device, if it is determined to create the process in the user account on the computer device according to the second privileges. 12 . The method according to claim 11 , wherein intercepting the request comprises hooking the request in a user space, an application space and/or a kernel provided by the operating system. 13 . The method according to claim 11 , wherein determining, by the agent, whether to create the process in the user account on the computer device according to the second privileges different from the first privileges comprises examining, by the agent, the information and referencing, by the agent, a policy file. 14 . The method according to claim 11 , wherein determining, by the agent, whether to create the process in the user account on the computer device according to the second privileges different from the first privileges comprises prompting the logged-in user via the user account for authorisation and receiving the authorisation therefrom. 15 . The method according to claim 11 , comprising causing, by the agent, the process to be created according to the first privileges in the user account by the operating system on the computer device, if it is determined to not create the process in the user account on the computer device according to the second privileges. 16 . The method according to claim 11 , wherein causing, by the agent, the process to be created according to the second privileges in the user account by the operating system on the computer device comprises delegating the second privileges to the process by providing a token, having the second privileges assigned thereto, to the process. 17 . The method according to claim 11 , wherein the user account control service cooperating the operating system is disabled. 18 . The method according to claim 11 , wherein the first privileges are associated with a standard user account and wherein the second privileges are associated with an administrator account. 19 . The method according to claim 11 , comprising unhooking, by the agent, the hooked query in response to the hooked query being invoked. 20 . A tangible non-transitory computer-readable storage medium having recorded thereon instructions which, when implemented by hardware of a computer device including at least a processor and a memory, cause the computer device to: intercept, by an agent cooperating with an operating system of the computer device, a request from a user account of a logged-in user on the computer device to create a process according to first privileges in the user ac

Assignees

Avecto Ltd

Inventors

Classifications

G06F21/62Primary
Protecting access to data via a platform, e.g. using keys or access control rules · CPC title
G06F21/45
Structures or tools for the administration of authentication · CPC title
G06F21/6218Primary
to a system of files or objects, e.g. local or distributed file system or database · CPC title
G06F21/604Primary
Tools and structures for managing or administering access control systems · CPC title

Patent family

Related publications grouped by family.

View patent family 61731156

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2019243985A1 cover?: A computer device for managing privilege delegation to control creation of processes thereon is described. Creation of a process, in a user account on a computer device, is requested according to first privileges. An agent, cooperating with an operating system of the computer device, intercepts the request. The agent determines whether to create the process according to second privileges, diffe…
Who is the assignee on this patent?: Avecto Ltd
What technology area does this patent fall under?: Primary CPC classification G06F21/62. Mapped technology areas include Physics.
When was this patent published?: Publication date Thu Aug 08 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).