USER & GDI Compat, part 4 -- Cross-process and security

As an added layer of defense against malicious software, Windows Vista introduces allows different UI applications to run with three different levels of UI privilege.  Applications can freely interact with other applications of the same and lower permission, but can’t modify or talk to applications of higher permission.  Most applications will run with the middle permission, while applications that require administrator privileges run in a higher mode, and restricted processes such as low rights Internet Explorer use the lowest privilege mode. 

More specifically, applications in lower privilege modes cannot generally send messages to higher privileged applications unless the higher privileged application explicitly allows that message by calling ChangeWindowMessageFilter().  (In the February CTP, RegisterWindowMessage messages were assumed to be allowed between different privilege levels, we’re fixing that in subsequent builds)  Similarly, lower privileged applications can read but cannot modify HWNDs owned by higher privileged applications.  For compatibility reasons, SendMessage and other APIs will return success even if the API was blocked because of privilege issues.  Similarly, where compatibility impact is high and security risk is low we sometimes allow low-privileged applications to send unsolicited messages to high privileged applications.

Things to pay attention to when testing:

  • Applications that interact with other applications -- utilities that reposition windows, type keystrokes for you, add extra buttons to windows, etc.
  • Cut and paste between different applications -- does it work at all, and does it support all the different clipboard formats you expect (rich text, HTML, etc.)?
  • Help -- Does help launch?  We've made security changes to winhelp.exe and the WinHelp API, see https://msdn.microsoft.com/library/en-us/dnlong/html/AppComp.asp for details.
    Internet Explorer plug-ins -- Internet Explorer runs in low rights mode, so plug-ins, ActiveX controls, and document objects that talk to other processes may not work.  We recommend testing all plug-ins, ActiveX controls, and document objects, see https://msdn.microsoft.com/library/en-us/dnlong/html/AppComp.asp for details.
  • Journaling hooks – WH_JOURNALPLAYBACK and WH_JOURNALRECORD are inherently cross-process, so require the highest privilege level.
  • SendKeys in Windows Forms and Visual Basic 6.0 and earlier – As implemented today, these functions rely on journaling hooks, so don’t work if the application is not run with the highest privilege level.  We’re currently investigating options here.

Also, for programs you have the source code to, consider reviewing any code that uses the following APIs, as they often indicate cross-process stuff:

  • SendInput
  • RegisterWindowMessage
  • BroadcastSystemMessageEx
  • BroadcastSystemMessage
  • SetWindowsHook
  • SetWindowsHookEx
  • CallNextHookEx
  • CallNextHook
  • SetWinEventHook
  • AttachThreadInput
  • FindWindowEx
  • FindWindow
  • CreateDesktop
  • CreateDesktopEx
  • OpenDesktop
  • OpenInputDesktop
  • EnumDesktops
  • EnumDesktopWindows
  • SwitchDesktop
  • SetThreadDesktop
  • GetThreadDesktop
  • CloseDesktop
  • CreateWindowStation
  • OpenWindowStation
  • EnumWindowStations
  • CloseWindowStation
  • GetProcessWindowStation

That’s not an exhaustive list, nor is it a guarantee of anything that needs to change, but it’s a good balance of finding issues vs. minimizing false positives.  You can search source files with

findstr /s /g:temp.txt *.c *.cpp *.h *.hpp

where temp.txt is the above list of APIs copied to a text file.

Comments

  • Anonymous
    April 14, 2006
    Do .chm files continue working or do they require optional download before they work at all? I thought I read some help stuff requiring separate download somewhere.
  • Anonymous
    April 17, 2006
    If ::SetWindowsHookEx(WH_MOUSE, ...) is blocked then how can an application capture the mouse.
    Scenario: A user presses a mouse button down over the application's window then drags the mouse outside the window area before releasing the button. How does the app get the mouse up message?
  • Anonymous
    April 17, 2006
    ::SetCapture(hwnd) still works as a way to capture the mouse.
  • Anonymous
    April 19, 2006
    Joku -- .chm files (HTML help) continue to work in Windows Vista.  WinHelp applies to .hlp files.  Thanks.
  • Anonymous
    April 24, 2006
    This content will make it into the master compatibility document in the next month or so, but in the...
  • Anonymous
    May 08, 2006
    The comment has been removed
  • Anonymous
    May 17, 2006
    Will SetWindowsHook/Ex require administrator priviledges? If so, will there be an alternate means to know when the user is active (even outside your application) without getting specific details of keypresses / mouse movements?