A protected execution agent installs itself within a file system manager
on the computer to control modifications to a protected execution
environment by intercepting I/O requests from applications. If an
unauthorized application attempts to modify the protected execution
environment, the protected execution agent terminates the original I/O
request and creates a redirect I/O request that specifies a corresponding
directory path within an alternate environment. The requested I/O
operation is carried out by the file system against the alternate
environment. A configuration utility is responsible for determining which
installed applications are authorized to change the protected execution
environment. The configuration utility also establishes a parent-child
relationship between an unauthorized application that invokes or "spawns"
an authorized application, with the authorized child application being
considered unauthorized when performing processes on behalf of the
unauthorized parent application.
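
A user-space model of the redirect decision described above, as an added example that is not code from the original document. The root paths, application names and operation names are assumptions, and walking the whole ancestor chain generalizes the parent-child rule to deeper process trees.

```python
import posixpath
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Assumed values for illustration; the abstract names no paths or applications.
PROTECTED_ROOT = PurePosixPath("/protected")
ALTERNATE_ROOT = PurePosixPath("/alternate")
AUTHORIZED_APPS = {"installer"}          # chosen by the configuration utility
MODIFYING_OPS = {"write", "create", "delete", "rename"}

@dataclass(frozen=True)
class Process:
    app: str
    parent: Optional["Process"] = None   # process that spawned this one

def is_authorized(proc: Optional[Process]) -> bool:
    """An authorized app loses authorization if any ancestor is unauthorized."""
    while proc is not None:
        if proc.app not in AUTHORIZED_APPS:
            return False
        proc = proc.parent
    return True

def route_request(proc: Process, op: str, path: str) -> str:
    """Return the path the file system should actually operate on."""
    # Requests are assumed to carry absolute paths. Normalize first so "../"
    # segments or doubled slashes cannot hide a protected target.
    norm = PurePosixPath(posixpath.normpath("/" + path.lstrip("/")))
    try:
        rel = norm.relative_to(PROTECTED_ROOT)
    except ValueError:
        return str(norm)                 # outside the protected environment
    if op not in MODIFYING_OPS or is_authorized(proc):
        return str(norm)                 # reads and authorized writes pass through
    return str(ALTERNATE_ROOT / rel)     # same relative path, alternate root

if __name__ == "__main__":
    browser = Process("browser")         # constructed sample processes
    spawned = Process("installer", parent=browser)
    for p, op, target in [
        (Process("installer"), "write", "/protected/bin/tool"),
        (browser, "write", "/protected/bin/tool"),
        (spawned, "write", "/tmp/../protected/bin/tool"),
        (browser, "read", "/protected/bin/tool"),
    ]:
        print(p.app, op, target, "->", route_request(p, op, target))
```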