Hi, I am wondering why you can actually suspend werfaultsecure.exe, as werfaultsecure.exe is in turn a signed PPL?
Is this only possible because you actually created it yourself and EDR-Freeze is the parent process?
Otherwise you should not be able to even suspend werfaultsecure.exe as the kernel should deny it?