Description
The following function opens a handle to a process with desired access `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_VM_READ`, in order to call `GetProcessMemoryInfo`. If the Windows version is not Vista or greater, `PROCESS_QUERY_INFORMATION` is used instead of `PROCESS_QUERY_LIMITED_INFORMATION`.
Lines 289 to 304 in 9d6c926
As stated at https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getprocessmemoryinfo, `PROCESS_VM_READ` is only necessary on Server 2003 / Windows XP. It is not necessary for Vista or greater.
This is problematic for protected processes, including anti-malware PPL processes. It is documented at https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights#protected-processes that a process is forbidden from opening a handle to a protected process with `PROCESS_VM_READ`. Therefore, the call to `OpenProcess` will fail. Running with `SeDebugPrivilege` in the process token does not bypass this restriction.
`PROCESS_QUERY_LIMITED_INFORMATION` is allowed, and therefore the solution is to modify this function to not request `PROCESS_VM_READ` if running on Vista or greater (or just remove it, if XP is no longer supported). It will then be possible to retrieve memory usage information for protected processes, including many anti-malware processes.
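The access-mask selection described above, written out as an added example in C. This is not the project's own function (the snippet at lines 289 to 304 is not reproduced here); the names `memory_query_access`, `access_blocked_by_ppl` and `query_process_memory` are hypothetical. The mask logic is kept separate from the Win32 calls so it compiles and can be checked off Windows too; the constant values are the ones from `winnt.h`, and the Windows-only part uses `IsWindowsVistaOrGreater` from `versionhelpers.h` to decide whether `PROCESS_VM_READ` may be dropped.

```c
/* Added example, not the project's code: choose the least process access
 * needed for GetProcessMemoryInfo so that protected (PPL) processes can
 * still be opened on Vista and later. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#include <versionhelpers.h>
#else
/* Off Windows, define the access-right values (same as winnt.h) so the mask
 * logic below can be compiled and tested without the SDK. */
typedef uint32_t DWORD;
#define PROCESS_VM_READ                   0x0010
#define PROCESS_QUERY_INFORMATION         0x0400
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif

/* Desired-access mask for OpenProcess before calling GetProcessMemoryInfo.
 * Vista+: PROCESS_QUERY_LIMITED_INFORMATION alone is enough and is allowed
 * against protected processes. XP / Server 2003: the limited right does not
 * exist and PROCESS_VM_READ is required, so keep the legacy combination. */
DWORD memory_query_access(int vista_or_greater)
{
    if (vista_or_greater)
        return PROCESS_QUERY_LIMITED_INFORMATION;
    return PROCESS_QUERY_INFORMATION | PROCESS_VM_READ;
}

/* 1 if this mask is refused for a protected process: per the documented
 * rules, PROCESS_VM_READ cannot be granted on a PPL, even with
 * SeDebugPrivilege in the caller's token. */
int access_blocked_by_ppl(DWORD access)
{
    return (access & PROCESS_VM_READ) != 0;
}

#ifdef _WIN32
/* Windows-only (hypothetical helper): fill a PROCESS_MEMORY_COUNTERS for a
 * PID using the minimal access mask. Returns 0 on success, otherwise the
 * Win32 error code from GetLastError(). */
DWORD query_process_memory(DWORD pid, PROCESS_MEMORY_COUNTERS *out)
{
    DWORD access = memory_query_access(IsWindowsVistaOrGreater());
    HANDLE h = OpenProcess(access, FALSE, pid);
    if (h == NULL)
        return GetLastError();
    out->cb = sizeof(*out);
    BOOL ok = GetProcessMemoryInfo(h, out, sizeof(*out));
    DWORD err = ok ? 0 : GetLastError();
    CloseHandle(h);
    return err;
}

int main(int argc, char **argv)
{
    /* PID from the command line, or this process when none is given. */
    DWORD pid = argc > 1 ? (DWORD)strtoul(argv[1], NULL, 10) : GetCurrentProcessId();
    PROCESS_MEMORY_COUNTERS pmc;
    DWORD err = query_process_memory(pid, &pmc);
    if (err != 0) {
        fprintf(stderr, "pid %lu: OpenProcess/GetProcessMemoryInfo failed, error %lu\n",
                (unsigned long)pid, (unsigned long)err);
        return 1;
    }
    printf("pid %lu: working set %zu bytes, pagefile usage %zu bytes\n",
           (unsigned long)pid, (size_t)pmc.WorkingSetSize, (size_t)pmc.PagefileUsage);
    return 0;
}
#else
int main(void)
{
    /* Off Windows there is nothing to open; show the two masks instead. */
    printf("vista+ mask: 0x%04x, legacy mask: 0x%04x\n",
           (unsigned)memory_query_access(1), (unsigned)memory_query_access(0));
    return 0;
}
#endif
```

On Windows, link against psapi (`-lpsapi` with MinGW, `psapi.lib` with MSVC) and run it with the PID of a protected process to confirm that the Vista+ mask succeeds where the legacy mask fails. A quick way to tell the two outcomes apart while debugging is that the failing `OpenProcess` returns `ERROR_ACCESS_DENIED` (5) regardless of `SeDebugPrivilege`, exactly as the issue describes.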
Further reading on AM-PPL: https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-