

What is User Interface Privilege Isolation (UIPI) on Vista


This is also known as UI Privilege Level Isolation (UIPI).
As part of the security initiative in Vista, applications with a UI run at one of three different levels of privilege. Application windows can interact with other windows at the same or lower levels, but cannot interact with applications at a higher level/permission.
Lower privilege applications can send messages to higher privilege applications only if the higher privilege application explicitly allows the message by calling ChangeWindowMessageFilter(). Also, lower privilege applications can only read an HWND owned by a higher privilege application.
Internet Explorer is an example process that runs at the lowest privilege level.

Reference Links:
https://msdn2.microsoft.com/en-us/library/ms632675.aspx
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

UIPI prevents lower privilege processes from accessing higher privilege processes by blocking the following behavior.

A lower privilege process cannot:

- Perform window handle validation of a higher privilege process.
- SendMessage or PostMessage to higher privilege application windows. These application programming interfaces (APIs) return success but silently drop the window message.
- Use thread hooks to attach to a higher privilege process.
- Use Journal hooks to monitor a higher privilege process.
- Perform dynamic link library (DLL) injection into a higher privilege process.
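
The message rule described above (delivery to the same or a lower level, receiver opt-in for anything sent upward, and a send call that reports success while dropping the message) as a portable C model. This is an added example, not code from the original post or from Windows; the level names, message numbers and every identifier are assumptions, with `allow_message` standing in for ChangeWindowMessageFilter() and `send_message` for SendMessage/PostMessage.

```c
/* Portable model of the UIPI message rule; this is not Windows API code.
   Level names, message numbers and all identifiers are assumptions. */
#include <stdbool.h>
#include <stdio.h>

enum level { LOW, MEDIUM, HIGH };          /* the three privilege levels */
enum { MSG_STATUS = 0x8001, MSG_CLOSE = 0x8002, MAX_ALLOWED = 8 }; /* constructed */

struct process {
    enum level level;
    unsigned allowed[MAX_ALLOWED];         /* messages this receiver opted in */
    int n_allowed;
    int delivered;                         /* messages that reached its queue */
};

/* Receiver-side opt-in: the role ChangeWindowMessageFilter() plays. */
bool allow_message(struct process *p, unsigned msg)
{
    if (p->n_allowed == MAX_ALLOWED) return false;
    p->allowed[p->n_allowed++] = msg;
    return true;
}

/* Sender-side call: reports success even when the message is dropped. */
bool send_message(const struct process *from, struct process *to, unsigned msg)
{
    bool permitted = from->level >= to->level;   /* same or lower target */
    for (int i = 0; !permitted && i < to->n_allowed; i++)
        permitted = (to->allowed[i] == msg);     /* explicit opt-in */
    if (permitted) to->delivered++;
    return true;
}

/* Send two messages; return how many arrived, or -1 if a call failed. */
int deliveries(enum level from, enum level to, bool opt_in)
{
    struct process s = { .level = from }, r = { .level = to };
    if (opt_in && !allow_message(&r, MSG_STATUS))  /* allow MSG_STATUS only */
        return -1;
    bool ok = send_message(&s, &r, MSG_STATUS) && send_message(&s, &r, MSG_CLOSE);
    return ok ? r.delivered : -1;
}

int main(void)
{
    printf("low->high: %d, low->high with opt-in: %d, high->low: %d\n",
           deliveries(LOW, HIGH, false), deliveries(LOW, HIGH, true),
           deliveries(HIGH, LOW, false));
    return 0;
}
```

With the opt-in, only the allowed message reaches the higher-level receiver, and the sender's return value is identical for the delivered and the dropped message.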

With UIPI enabled, the following shared USER resources are still shared between processes at different privilege levels.

- Desktop window, which actually owns the screen surface
- Desktop heap read-only shared memory
- Global atom table
- Clipboard

Comments

  • Anonymous
    January 26, 2007
    Here are a couple of links so you can get to know these two friends who will help us maintain security

  • Anonymous
    January 04, 2012
    What do you NOT want to be allowed to do today?

  • Anonymous
    November 13, 2014
    You can have a look at msdn.microsoft.com/.../bb625963.aspx
