Invention Grant
- Patent Title: Prevention of container escape-based attacks of a host system
- Application No.: US18621511
- Application Date: 2024-03-29
- Publication No.: US12248569B2
- Publication Date: 2025-03-11
- Inventor: Daniel Prizmant , Ariel M. Zelivansky , Liron Levin , Eran Yanay
- Applicant: Palo Alto Networks, Inc.
- Applicant Address: US CA Santa Clara
- Assignee: Palo Alto Networks, Inc.
- Current Assignee: Palo Alto Networks, Inc.
- Current Assignee Address: US CA Santa Clara
- Agency: Gilliam IP PLLC
- Main IPC: G06F21/55
- IPC: G06F21/55 ; G06F21/52

Abstract:
A service prevents attacks carried out through container escape for silo-based containers. A callback is registered for one or more functions that may be invoked from inside a container and that return one or more object handles. The callback, when triggered by invocation of such a function, executes to determine whether a request for access to an object via its handle was issued by a suspicious process. Access to CExecSvc.exe is restricted for processes that request a handle to CExecSvc.exe and are themselves determined to be associated with a container. Processes that escape their container through a technique that evades detection are also blocked from accessing the host system: when a process requests access to an object by invoking a function that returns a handle, the callback executes to determine whether the process, but not the requested object, is associated with a container, in which case the service restricts the process's access to the host system.
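The decision the abstract describes can be modelled as a pre-operation check that runs each time a container process asks for an object handle. The C program below is an added illustration of that policy and is not Palo Alto Networks' implementation or code from the patent: it keeps the two rules the abstract states (a container-associated process asking for a handle to CExecSvc.exe is restricted; a container-associated process asking for a handle to an object that is not container-associated is restricted, which also covers a process that escaped by an undetected technique but still carries its container association). The silo identifiers, the `handle_request_t` layout, the sample events and the extra cross-container rule are assumptions constructed for the example; a real enforcement point would be a kernel callback (for instance one registered with ObRegisterCallbacks for process-handle operations) that obtains silo membership from the kernel rather than from a struct field.

```c
/* Added example: user-mode model of the handle-request policy in the abstract.
 * Not the patented implementation. Silo ids, the event layout and all sample
 * events are constructed for this illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define HOST_SILO 0u   /* assumption: silo id 0 means "not associated with any container" */

typedef enum { ALLOW = 0, RESTRICT = 1 } verdict_t;

typedef struct {
    unsigned    requester_pid;   /* process invoking the handle-returning function */
    unsigned    requester_silo;  /* container (silo) that process is associated with */
    unsigned    target_silo;     /* silo of the object whose handle is requested */
    const char *target_image;    /* image path of the target process (NULL if none) */
} handle_request_t;

static bool in_container(unsigned silo) { return silo != HOST_SILO; }

/* ASCII case-insensitive string equality (portable; avoids the MSVC-only _stricmp) */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Does the basename of the target image name the container execution service? */
static bool targets_cexecsvc(const char *image) {
    if (!image) return false;
    const char *base = strrchr(image, '\\');
    return ieq(base ? base + 1 : image, "CExecSvc.exe");
}

/* The decision taken when the callback fires for a handle request. */
verdict_t evaluate_handle_request(const handle_request_t *r, const char **reason) {
    if (!in_container(r->requester_silo)) {
        *reason = "requester runs on the host; policy does not apply";
        return ALLOW;
    }
    /* Rule 1 (abstract): container process asking for a handle to CExecSvc.exe */
    if (targets_cexecsvc(r->target_image)) {
        *reason = "container process requested a handle to CExecSvc.exe";
        return RESTRICT;
    }
    /* Rule 2 (abstract): requester is container-associated, the object is not.
     * Also catches a process that escaped by an undetected technique but still
     * carries its container association. */
    if (!in_container(r->target_silo)) {
        *reason = "container process requested a handle to a host object";
        return RESTRICT;
    }
    /* Assumption beyond the abstract: reaching into a different container is denied too */
    if (r->target_silo != r->requester_silo) {
        *reason = "container process requested a handle into another container";
        return RESTRICT;
    }
    *reason = "same-container access";
    return ALLOW;
}

/* Convenience wrapper: evaluate one request without building the struct by hand */
verdict_t verdict_for(unsigned requester_silo, unsigned target_silo, const char *target_image) {
    handle_request_t r = { 1000u, requester_silo, target_silo, target_image };
    const char *why;
    return evaluate_handle_request(&r, &why);
}

/* Constructed sample events, shaped as the callback might observe them */
static const handle_request_t SAMPLE_EVENTS[] = {
    { 4321u, 7u, 7u,        "C:\\Windows\\System32\\cmd.exe"      }, /* ALLOW: same container */
    { 4321u, 7u, HOST_SILO, "C:\\Windows\\System32\\CExecSvc.exe" }, /* RESTRICT: rule 1 */
    { 4322u, 7u, HOST_SILO, "C:\\Windows\\System32\\lsass.exe"    }, /* RESTRICT: rule 2 */
    { 880u,  HOST_SILO, 7u, "C:\\Windows\\System32\\cmd.exe"      }, /* ALLOW: host reaching into a container */
    { 4323u, 7u, 9u,        "C:\\Windows\\System32\\cmd.exe"      }, /* RESTRICT: cross-container (assumption) */
};
#define N_SAMPLES (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

/* Runs every sample event through the policy; returns how many were restricted */
size_t count_restricted_samples(void) {
    size_t restricted = 0;
    for (size_t i = 0; i < N_SAMPLES; ++i) {
        const char *why;
        if (evaluate_handle_request(&SAMPLE_EVENTS[i], &why) == RESTRICT) ++restricted;
    }
    return restricted;
}

int main(void) {
    for (size_t i = 0; i < N_SAMPLES; ++i) {
        const char *why;
        verdict_t v = evaluate_handle_request(&SAMPLE_EVENTS[i], &why);
        printf("pid %u silo %u -> %s: %s (%s)\n", SAMPLE_EVENTS[i].requester_pid,
               SAMPLE_EVENTS[i].requester_silo, SAMPLE_EVENTS[i].target_image,
               v == RESTRICT ? "RESTRICT" : "ALLOW", why);
    }
    return 0;
}
```

The ordering of the checks matters: the host-requester test comes first so that the host-side tooling that legitimately opens handles into a container (the path docker exec style tooling takes through CExecSvc.exe) is never blocked, and the CExecSvc.exe rule is evaluated before the generic host-object rule only so that the reason string is specific; both yield RESTRICT. The image-name match is on the basename and case-insensitive because Windows paths are.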
Related publication:
- US20240241950A1 PREVENTION OF CONTAINER ESCAPE-BASED ATTACKS OF A HOST SYSTEM (pre-grant publication, published 2024-07-18)