FYI be careful when cutting and pasting from word into the forum under plain text mode as it may include sensitive data about your machine. (Caught myself once, switch to plain text view before saving to make sure meta-data isnt copied over)
Good that you got it working and it seemed to be event type related.
My comment above is for strictly controlled processes sent to "relaxed" settings. But let’s dig into how the pset mapping logic works and hopefully I may be able to correct myself.
For this discussion let’s focus on the Unix PBR (process binding rule).
PBR as a top level explanation is the hierarchical rule set which when any process is spawned the IPS driver runs down the PBR “tree” to find an appropriate Process set (PS) which includes PSET Map macros (jump points). PS's have a binded BCD (behavior control description) that controls the behavior of the process. So the PBR is an inheritance based rule logic where if specific circumstance exist for the process (i.e. a psetmap matches the process path, or user some defined option is check) then the associated BCD is applied.
Since we are looking at a top-down view of the PBR there are specific macros in each process set that control each individual process set. For example under each *_ps in the PBR there is usually a set "grouped" of psetmap Macros. Think of psetmap macros as the "extra" sifting the process set (PS) performs before actually assigning the process to the *_PS container.
Such as this:
The above example performs the following:
1. Pset map checks if the process is set to fullpriv (therefore its defenitly in the fullpriv_ps)
2. pset map checks to see if the process is in the profile list (profile_ps) indicated by the administrator via and console option parameter values
3->* runs through other various checks to see if it actually belongs somewhere else in the tree (such as in a template policy, strictly controlled login daemons PS, etc... = otherwise known as "jump points')
So in this example if you have purposesly sent a process to full priv (manually) than the profiler may have issues picking up the process.
After reviewing the rest of the tree. Only processes manually sent to a specific area - daemon full priv, will affect the profiling of the process because it is picked up in the PBR tree first (even in daemon_safepriv_ps the psetmacro is daemon_FULLPRIV first THEN profile_ps).
As you can see above after the PBR runs down the tree it eventually comes to profile_ps, which would be the catchall for the processes entering the profiler.
So to correct myself if the daemon (process) is in daemon_fullpriv, then the profiler will have issues. Any other process should profile as designed.
Hope this helps and isn't to techical. Let me know if you would like me to run down the Windows PBR.