Is there a way to protect some cryptographic data from applications other than my own in Windows? I'm not concerned about protecting it from the user - this is obviously impossible - but, rather, from non-elevated applications other than my own.
I'm aware that I could simply run the application's core code as a service, with the data accessible only to system accounts, but I would prefer if I could keep the application running under a token not much more permissive than the user's normal token.
Additionally, I would prefer not to have a dependency on .NET if possible.
CryptProtectData can do per-user encryption (it is per-user if you do not pass CRYPTPROTECT_LOCAL_MACHINE flag). However if you opt for per-user encryption, other users including elevated admins won't decrypt it.