The best option is to track the process and remove the ACE. This could be
easily done in a thread which only waits for the process handle.
The second best option is the last in the KB-article:
If you are launching many processes, you might want to add an ACE based on
the process's logon type. For example, this could be either the Interactive
or Batch SID. You would not have to add any additional ACEs for processes
with the same logon type.
If you cannot do this, you must do the enum-process-stuff (which also might
have some side-effects if a process adds a special ACE...).
This is not a small task to do...
You need to open the desired window-station and enum the ACEs here (this is
already described in the KB article you mentioned or here:); you can enum
Then you need to mark all entries which are still valid and used by
After enumerating the processes you could then remove all "unmarked"
entries and set the new ACL.
Here is an example of enumerating processes and displaying the SIDs:
Sorry that I do not have a working example...
My blog about Win32 and .NET
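The "mark the used entries, remove the unmarked ones, set the new ACL" step described above, as an added C# example that is neither the poster's code nor taken from the KB article. It shows only the sweep over the window station's DACL: `active` is assumed to already hold the logon SIDs collected from the tokens of the running processes (the enumeration step the post describes), and `hWinSta` is assumed to be a handle from OpenWindowStation opened with READ_CONTROL | WRITE_DAC. Only ACEs whose trustee is a logon SID (S-1-5-5-X-Y) are ever removed, so the default entries for SYSTEM and administrators survive whatever else a process may have added.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class WinStaAclCleanup
{
    // Window stations (and desktops) are user objects: their DACL is read and written with these
    // two user32 APIs, not with the kernel-object or file security functions.
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool GetUserObjectSecurity(IntPtr hObj, ref uint si, byte[] sd, uint len, out uint needed);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool SetUserObjectSecurity(IntPtr hObj, ref uint si, byte[] sd);
    const uint DACL_SECURITY_INFORMATION = 0x4;

    // Logon SIDs have the form S-1-5-5-X-Y. Built-in trustees (SYSTEM, Administrators, ...) never match,
    // so their ACEs are never candidates for removal, whatever else a process may have added.
    public static bool IsLogonSid(SecurityIdentifier sid) =>
        sid.Value.StartsWith("S-1-5-5-", StringComparison.Ordinal);

    // Remove every access-allowed ACE whose trustee is a logon SID not contained in 'active'
    // (the "unmarked" entries). Returns the number removed; the DACL is written back only if that is > 0.
    // hWinSta (assumed) is a handle opened with READ_CONTROL | WRITE_DAC via OpenWindowStation or OpenDesktop.
    public static int PruneStaleLogonAces(IntPtr hWinSta, HashSet<SecurityIdentifier> active)
    {
        uint si = DACL_SECURITY_INFORMATION;
        GetUserObjectSecurity(hWinSta, ref si, null, 0, out uint needed);   // first call only reports the size
        var buf = new byte[needed];
        if (!GetUserObjectSecurity(hWinSta, ref si, buf, needed, out needed)) throw new Win32Exception();
        var sd = new RawSecurityDescriptor(buf, 0);          // self-relative SD as returned by the API
        int removed = PruneDacl(sd.DiscretionaryAcl, active);
        if (removed == 0) return 0;
        var outBuf = new byte[sd.BinaryLength];
        sd.GetBinaryForm(outBuf, 0);
        if (!SetUserObjectSecurity(hWinSta, ref si, outBuf)) throw new Win32Exception();
        return removed;
    }
    // The pure "sweep" over an ACL, kept separate so it can be exercised on an in-memory RawAcl.
    public static int PruneDacl(RawAcl dacl, HashSet<SecurityIdentifier> active)
    {
        int removed = 0;
        for (int i = (dacl?.Count ?? 0) - 1; i >= 0; i--)   // backwards: RemoveAce shifts later indices
            if (dacl[i] is CommonAce ace && ace.AceType == AceType.AccessAllowed
                && IsLogonSid(ace.SecurityIdentifier) && !active.Contains(ace.SecurityIdentifier))
            { dacl.RemoveAce(i); removed++; }
        return removed;
    }
}
```

Run it once after all processes have been enumerated and their logon SIDs marked; a logon SID whose process is still starting up will otherwise be swept before it is ever used.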