Just something I noticed from here: https://github.com/google/capsicum-linux

Now look at CreateProcess on WinNT, and what it generates as an output argument:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684873(v=vs.85).aspx

Windows already uses a struct for process info. In fact it uses structs for almost everything in kernel space, from what (relatively little) I've read about it.

So, what sort of internal changes would be necessary to implement Capsicum style sandboxing on Windows? It seems like it could maybe be done more transparently than on UNIX, without necessarily requiring application support, no?