Restricting the Parent Process That Can Launch an Application

3 min. read | Last update: 01.21.2026

Note: This feature is currently only available on Windows machines and requires ThreatLocker Windows Agent Version 10.6.2 or greater.

Whenever an application is opened on a machine, there is always a parent process that opens it. In ThreatLocker logs, this parent process is displayed as the 'Process Path'. The parent process is typically an application located in our Windows Core Files (Built-In) or a process directly associated with the executed application itself. ThreatLocker now allows you to restrict an application so that it can only be opened by parent processes belonging to the applications you specify, matched against the Process Path. This article explains how to create a policy that restricts an application from being opened by any process other than a specified parent process.

Applying Parent Process Restrictions

To access this feature, navigate to the 'Modules' dropdown on the left-hand side of the portal and select 'Application Control' from the list.

Now in 'Application Control', select the 'Policies' tab found in the top right corner of the page, or choose the '+ New Policy' button. For questions about creating a new policy, please navigate to the following article:

ThreatLocker Application Control Quick Start Guide | ThreatLocker Help Center

Create your policy as usual if you are creating a new policy. If you are editing an already-existing one, navigate to the 'Conditions' section of the 'Edit Application Policy' page. Please note that this feature is only available for Windows machines, meaning that opening or creating a policy for anything other than Windows will not display this feature. In the 'Conditions' section, locate the switch labeled 'Restrict to the following parent processes?'

Switching this 'on' will display a new field for application names, populated with a list of Built-In applications and applications from your organization to choose from.

Note: Keeping this switch turned off will allow the application you have selected to execute via any Process Path.

Insert the names of the known applications you would like to permit to execute this application. Many applications are executed from explorer.exe, which is File Explorer and is part of the 'Windows Core Files (Built-In)' application. Others, such as an installation file, might have a process path of Microsoft Edge or Google Chrome. Using the Unified Audit, you can monitor which applications are known to execute the application.

Note: You must enter at least one application in this field if you opt to use this feature.

Once you have entered the expected applications, select 'Save' or 'Create' at the bottom of the page and ensure that you deploy policies.

When an application is executed and matches this policy, ThreatLocker verifies that the parent process path matches at least one of the configured restrictions. If a match is found, the application is permitted and runs as expected.

If the parent process path does not match any of the specified restrictions, this policy is not applied. ThreatLocker will continue evaluating other applicable application control policies, and the application will be denied only if no other permit policy is matched.

Because policy evaluation continues, the application may still be permitted by a different applicable policy. This behavior differs from application Ringfencing, which explicitly restricts the selected application rather than allowing it to be permitted by another policy.
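The evaluation order described above, as an added toy model (not ThreatLocker code): a policy whose parent-process restriction is not satisfied is skipped, evaluation continues, and the application is denied only when no permit policy applies. The application definitions, policy names and paths are constructed for the example.

```python
from dataclasses import dataclass

# Constructed application definitions: application name -> parent paths it covers.
APPLICATIONS = {
    "Windows Core Files (Built-In)": {r"c:\windows\explorer.exe"},
    "Google Chrome": {r"c:\program files\google\chrome\application\chrome.exe"},
}

@dataclass(frozen=True)
class Policy:
    name: str
    application: str                       # application the policy applies to
    action: str                            # "permit" or "deny"
    parent_apps: frozenset = frozenset()   # empty = restriction switch turned off

@dataclass(frozen=True)
class Execution:
    application: str
    process_path: str                      # parent process path, as shown in the Unified Audit

def parent_matches(policy: Policy, ev: Execution) -> bool:
    """True when the restriction is off or the parent path belongs to a listed application."""
    if not policy.parent_apps:
        return True
    path = ev.process_path.lower()
    return any(path in APPLICATIONS.get(app, set()) for app in policy.parent_apps)

def evaluate(policies, ev: Execution):
    """Walk policies in order; return (action, policy name) of the first policy that applies."""
    for policy in policies:
        if policy.application != ev.application:
            continue
        if not parent_matches(policy, ev):
            continue            # restriction not met: policy not applied, keep evaluating
        return policy.action, policy.name
    return "deny", None         # no permit policy matched

# Constructed policies: a parent-restricted permit followed by an unrestricted permit.
POLICIES = [
    Policy("Permit Installer from Explorer", "Vendor Installer", "permit",
           frozenset({"Windows Core Files (Built-In)"})),
    Policy("Permit Vendor Installer (any parent)", "Vendor Installer", "permit"),
]

if __name__ == "__main__":
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    print(evaluate(POLICIES, Execution("Vendor Installer", r"C:\Windows\explorer.exe")))
    print(evaluate(POLICIES, Execution("Vendor Installer", chrome)))      # second policy permits
    print(evaluate(POLICIES[:1], Execution("Vendor Installer", chrome)))  # no other permit: deny
```

The third call shows the behaviour to check for in the Unified Audit: with only the restricted policy in place, a launch from an unlisted parent falls through to a deny, while the second call shows a broader permit policy silently taking over.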

You can monitor the Unified Audit after applying this policy to ensure that expected process paths for an application are included in the list of permitted parent processes.
