expert

AppContainers & capabilities

Modern app isolation using AppContainer SIDs and capability grants.

Why it matters

Store/UWP-style apps and many modern browsers rely on AppContainer isolation beyond classic DACLs and integrity.

Mental model

An AppContainer is a low-trust box. Capabilities are fine-grained holes punched in that box for network, files, or devices.

How it works

  1. Processes run with an AppContainer SID plus optional capability SIDs.
  2. Resource access checks combine DACL, integrity, and capability policy.
  3. Brokers and runtime packages declare which capabilities an app may request.

Key terms

AppContainer
A sandbox identity used for modern application isolation.
Capability SID
A grant that allows a specific class of access for an AppContainer.

A Store app that cannot touch arbitrary files

Even if a folder DACL looks permissive, the app may lack the broad-filesystem capability and remain blocked.
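
The steps under "How it works" and the Store app case above, as an added example that is not from the original page: a simplified Python model of the check, not the kernel's algorithm. The sample user and package SIDs, the two folder objects and all function names are constructed for illustration; deny ACEs, NULL DACLs, inheritance and brokers are left out.

```python
# Simplified model of an access check for an AppContainer token. Assumptions:
# allow ACEs only; deny ACEs, NULL DACLs, inheritance and brokers are left out.
from dataclasses import dataclass, field

EVERYONE = "S-1-1-0"
ALL_APPLICATION_PACKAGES = "S-1-15-2-1"
PICTURES_LIBRARY = "S-1-15-3-4"            # well-known picturesLibrary capability SID
USER = "S-1-5-21-1000-1000-1000-1001"      # constructed sample user SID
PACKAGE = "S-1-15-2-1-2-3-4-5-6-7"         # constructed sample AppContainer SID
READ, WRITE = 0x1, 0x2
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Token:
    sids: set                               # user and group SIDs
    integrity: str = "medium"
    package_sid: str = ""                   # non-empty means AppContainer token
    capabilities: set = field(default_factory=set)

@dataclass
class Resource:
    dacl: list                              # (sid, allowed_mask) pairs
    label: str = "medium"                   # mandatory label, no-write-up

def granted_by(dacl, sids):
    """OR together the masks of every allow ACE whose SID is in `sids`."""
    mask = 0
    for sid, allowed in dacl:
        if sid in sids:
            mask |= allowed
    return mask

def access_check(token, res, desired):
    # Integrity: a lower-integrity caller may not write up.
    if desired & WRITE and LEVEL[token.integrity] < LEVEL[res.label]:
        return False
    # Classic DACL check against the user and group SIDs.
    granted = granted_by(res.dacl, token.sids)
    # AppContainer check: the DACL must also grant the access to the package
    # SID, ALL APPLICATION PACKAGES, or a capability SID the token holds.
    if token.package_sid:
        box = {token.package_sid, ALL_APPLICATION_PACKAGES} | token.capabilities
        granted &= granted_by(res.dacl, box)
    return (granted & desired) == desired

desktop = Token({USER, EVERYONE})
store_app = Token({USER, EVERYONE}, "low", PACKAGE)
store_app_pics = Token({USER, EVERYONE}, "low", PACKAGE, {PICTURES_LIBRARY})
open_folder = Resource([(EVERYONE, READ | WRITE)])          # "permissive" DACL
media = Resource([(USER, READ | WRITE), (PICTURES_LIBRARY, READ | WRITE)])
```

In this model `store_app` is refused read access to `open_folder` even though Everyone is granted it, because no ACE names the package SID, ALL APPLICATION PACKAGES or a capability the token holds.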

Common misconception

AppContainer is not UAC. It is an additional isolation layer often combined with MIC and brokered access.
