Apps See Which Apps are Running in an AppContainer in Windows 11

This tutorial will show you how to see which apps are running in an AppContainer in Windows 11.

Starting with Windows 11 build 26100.8524 (24H2) and build 26200.8524 (25H2), Microsoft is adding a new optional Isolation column to the Processes and Details pages in Task Manager, allowing you to see which apps are running in an AppContainer.

Isolation is the primary goal of an AppContainer execution environment. By isolating an application from unneeded resources and other applications, opportunities for malicious manipulation are minimized. Granting access based upon least-privilege prevents applications and users from accessing resources beyond their rights. Controlling access to resources protects the process, the device, and the network.

Most vulnerabilities in Windows start with the application. Some common examples include an application breaking out of its browser or sending a bad document to the browser, as well as exploitation of plugins and extensions. The more these applications can be isolated in an AppContainer, the safer the device and resources are. Even if vulnerability in an app is exploited, the app cannot access resources beyond what is granted to the AppContainer. Malicious apps cannot take over the rest of the machine.

Credential isolation
Managing identity and credentials, the AppContainer prevents the use of user credentials to gain access to resources or login to other environments. The AppContainer environment creates an identifier that uses the combined identities of the user and the application, so credentials are unique to each user/application pairing and the application cannot impersonate the user.

Device isolation
Isolating the application from device resources, such as passive sensors (camera, microphone, GPS), and money pumps (3G/4G, dial phone) the AppContainer environment prevents the application from maliciously exploiting the device. These resources are blocked by default and can be granted access as necessary. In some cases these resources are further protected by 'brokers'. Some resources, such as keyboard and mouse, are always available to the AppContainer and resident application.

File isolation
Controlling file and registry access, the AppContainer environment prevents the application from modifying files that it should not. Read-write access can be granted to specific persistent files and registry keys. Read-only access is less restricted. An application always has access to the memory resident files created specifically for that AppContainer.

Network isolation
Isolating the application from network resources beyond those specifically allocated, AppContainer prevents the application from 'escaping' its environment and maliciously exploiting network resources. Granular access can be granted for Internet access, Intranet access, and acting as a server.

Process isolation
Sandboxing the application kernel objects, the AppContainer environment prevents the application from influencing, or being influenced by, other application processes. This prevents a properly contained application from corrupting other processes in the event of an exception.

Window isolation
Isolating the application from other windows, the AppContainer environment prevents the application from affecting other application interfaces.

Reference:



Here's How:

1 Open Task Manager (Ctrl+Shift+Esc).

2 Click/tap on Processes or Details in the left pane to open the page you want in Task Manager. (see screenshots below)

3 Add the Isolation column to the Processes or Details page if you haven't already.



4 You will now see AppContainer in the Isolation column for any app or process currently running in an AppContainer.




That's it,
Shawn Brink