Endpoint Administration Guide for Windows › Protecting Accounts › User Impersonation Protection › User Mode Interception

User Mode Interception

If you enable user mode interception, CA ControlMinder intercepts only the impersonation requests that originate from the Windows RunAs utility. User mode interception is available on all supported Windows versions.

Note: User mode interception is enabled by default when you enable user impersonation protection, that is, when you enable the SURROGATE class.

The advantages of user mode interception include:

• CA ControlMinder identifies the user who made the original impersonation request.

  In many Windows applications, including the RunAs utility, the NT AUTHORITY\SYSTEM user impersonates the requesting user and makes the impersonation request. User mode interception identifies the user executing the utility, not the NT AUTHORITY\SYSTEM user who makes the request. For example, if Tom executes RunAs to impersonate Administrator, the NT AUTHORITY\SYSTEM user makes the impersonation request and CA ControlMinder identifies Tom as the requesting user.

• CA ControlMinder intercepts impersonation requests only when a user executes the RunAs utility.

  This minimizes performance impact.

A disadvantage of user mode interception is that CA ControlMinder does not intercept every impersonation request from every Windows process.