Application Manager Elevation adds an extra SID into process tokens and can cause script exceptions

Version 1

    Verified Product Versions

    Application Control 8.9
    Application Control 8.8
    Application Control 8.7
    Application Control 8.6
    Application Control 8.5
    Application Control 8.4


    An application elevated with Application Manager (AM) can generate .NET exceptions of the form "Some or all identity references could not be translated", which, if unhandled, will crash the application.

    The following PowerShell snippet throws this exception when executed in a URM (User Rights Management) elevated PowerShell process, but not in a standard-user or a UAC-elevated PowerShell process:

    foreach ($ref in [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
        (New-Object System.Security.Principal.SecurityIdentifier $ref.Value).Translate([System.Security.Principal.NTAccount]).ToString()
    }


    Application Manager adds a SID to the process token as a tag indicating that the process has been elevated by AM.

    This SID does not appear in Process Explorer for un-elevated or UAC-elevated processes, and it cannot be resolved to a local, built-in or domain group name, which is why the Translate() call above fails.

    Any script that enumerates and resolves the SIDs in a token in this scenario needs a try/catch around the translation, so that a SID which cannot be resolved is skipped (or reported as a raw SID) and enumeration moves on to the next one.

    EXAMPLE: The same failure occurs in other situations. If the machine boots while offline from the domain, any domain-based SIDs in the token will also be unresolvable, so scripts should tolerate this regardless of AM.
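    The following is an added example, not code from the original article or from Ivanti, showing a version of the enumeration above that tolerates SIDs which cannot be translated. It catches IdentityNotMappedException (the exception whose message is "Some or all identity references could not be translated"), records the raw SID instead of failing, and continues with the next group. This handles both the AM tag SID and the offline-domain case. The object layout (Sid/Name/Resolved) is an assumption chosen for this example.

```powershell
# Added example (not from the original article): enumerate the current token's
# group SIDs and resolve each one, tolerating SIDs that cannot be translated
# (such as the tag SID Application Manager adds to an elevated process, or
# domain SIDs while the machine is offline from the domain).

function Get-TokenGroupName {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    foreach ($ref in $identity.Groups) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $ref.Value
        try {
            # Translate() throws when the SID has no local, built-in or domain name.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).ToString()
            [pscustomobject]@{ Sid = $sid.Value; Name = $name; Resolved = $true }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # "Some or all identity references could not be translated":
            # keep the raw SID and move on to the next group instead of crashing.
            [pscustomobject]@{ Sid = $sid.Value; Name = $null; Resolved = $false }
        }
        catch {
            # Any other translation failure (e.g. no domain reachable): same handling,
            # but keep the message so it can be investigated.
            [pscustomobject]@{ Sid = $sid.Value; Name = $_.Exception.Message; Resolved = $false }
        }
    }
}

$results = Get-TokenGroupName
$results | Format-Table -AutoSize

# Report, rather than fail on, the SIDs that did not resolve.
$unresolved = @($results | Where-Object { -not $_.Resolved })
if ($unresolved.Count -gt 0) {
    Write-Warning ("{0} group SID(s) could not be resolved: {1}" -f $unresolved.Count, (($unresolved | ForEach-Object { $_.Sid }) -join ', '))
}
```

    Run in a URM-elevated PowerShell process, this lists every group in the token and emits a warning naming the unresolvable tag SID instead of terminating; in a standard-user or UAC-elevated process it should report no unresolved SIDs unless domain lookups are unavailable.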

    To work around this issue where the script cannot be changed, add a custom User Rights Policy that adds the ‘BUILTIN\Administrators’ group to the token and sets the system privileges in the same way as the built-in elevate policy does.