How to force sandboxing of Services with System privileges? #3723
Replies: 5 comments
-
Have you tried the following settings?
-
Yes, and it didn't help. The error that shuts down the service in question if it is launched as administrator (without System token) is due to that service being unable to load its own WFP library. If launched normally as a System service, it never shows up as a running process in Sandboxie, regardless of ForceProcess/Folder settings and the directory from where it is launched.
-
Does Sandboxie affect services/processes that run with System privileges if Sandboxie doesn't list such services/processes as running within any of its sandboxes? I ask because "Privilege isolation" settings in Sandboxie make it sound as if Sandboxie does affect such System-privilege services/processes, but the developer states that Sandboxie doesn't have an impact on services/processes running with System token.
-
Is there a benefit from starting process Y.exe with SYSTEM token from sandboxed process X.exe with ANONYMOUS LOGON token compared to starting process Y.exe with SYSTEM token from un-sandboxed process X.exe with ADMINISTRATOR token? Normally, ANONYMOUS LOGON process X.exe starts process Y.exe with ANONYMOUS LOGON as well, but then process Y.exe crashes due to a WFP-related error. The same process Y.exe also starts 2 WFP-related drivers. Allowing a specific OpenPipePath for ANONYMOUS LOGON process X.exe lets process X.exe start process Y.exe with SYSTEM token and nothing crashes that way. OpenPipePath reduces security and there is a race condition between process X.exe and process Y.exe. They have to share the same mentioned pipe. I can suspend process Y.exe, which works until process Y.exe is manually resumed, but suspension does not prevent the race condition. I can also freeze process Y.exe with "PsFreezeProcess", but process Y.exe unfreezes itself a few minutes later. Is there anything else I can do to secure process Y.exe and strip it of even more privileges/permissions?
-
I think another simpler way to put this is to say that "Impersonate a client after authentication" defaults are "LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE". If ANONYMOUS LOGON starts a process with SYSTEM token, then does that SYSTEM token process impersonate the ANONYMOUS LOGON user or Administrator? Take into consideration that ANONYMOUS LOGON in this case allows OpenPipePath to the same named pipe generated by the process launched with SYSTEM token.
-
I have a few apps that can only launch if the system services they install are running, but Sandboxie doesn't appear to sandbox services launched with System token. The same services quickly shut down if launched with any token other than System.
Can something be done to force sandboxing or isolation of 3rd party services that launch only with System token?