I expect a problem with this is we rely on being able to set an impersonation token on the initial thread to increase privileges during process initialization. If it's spinning up multiple threads then we won't know about them and some will fail to load DLLs as they'll be running with the more restricted token.

It could be difficult to fix though, the process initialization code is very much a black box. We could hook thread creation and apply impersonation tokens to all new threads but we do try to avoid hacking too much stuff. What would be ideal is MS creating a lockdown API, all it'd take would be kernel calls to disable token groups and restricted groups so that we could start with a less restrictive access token then drop all groups/privileges afterwards (bit like setuid on *nix) but after repeated requests they've yet to do so. If we had that we could drop the impersonation token stuff entirely and everyone would win from a app compat perspective.

Still at least work looking at it to see if there's an easy win, but seems like they'd shim us for the future which in itself is also a problem.