Re: Colour me stupid but...
I don't know, but if I were asked to implement such a feature then here's how I'd do it.
Windows access control already understands the notion of high, medium and low "integrity". That is, whether a piece of code (rather than the user) is trustworthy. This is how they implement UAC. So, on each of the directories that you want to protect, you add a access control entry (ACE) denying write access to some lowly level of integrity.
Window Defender then hooks into the module loader and arranges that each new process has that lowly level of integrity (in its process token) unless it was whitelisted. It also hooks DLL loading so that adding an untrusted DLL to a trusted process changes the integrity level. (Small loophole there: if you've opened a file and then load the library, you probably still have access via that handle. Perhaps someone at MS has written the additional code required to close that loophole.)
The result is that most processes only have read access to Desktop and Documents (or wherever) but a few whitelisted processed have write access. Enforcement is via the tried and trusted (for 25 years) mechanism of validating access of tokens against lists of ACEs.
Update: I should probably state explicitly that although the usual situation is for all processes that run "as you" to have "your" credentials, the Windows kernel is quite happy to juggle with different versions of "you" and access control is actually done based on the identity (token) of each process.
Biting the hand that feeds IT
