共用方式為


Q: Why Doesn’t Drag-and-Drop work when my Application is Running Elevated? – A: Mandatory Integrity Control and UIPI

If you run notepad elevated (Right click | Run as Administrator), and you try and drag-and-drop a file from Windows Explorer, nothing happens. It looks like it is going to work because the pointer icon changes but the file doesn’t open. Weird, huh?

 

What’s Going On?

 

In the traditional NT Security model (prior to Vista), all processes on the same desktop ran with the same security token and had all the same privileges.  UAC changed this by allowing processes with different privilege levels on the same desktop.

 

Lower Privilege Processes Can’t Interfere with Higher Privilege Processes

 

In order to prevent potential elevation of privilege attacks, certain functionality needs to be blocked.  This is implemented through Mandatory Integrity Control (MIC).  All processes and all resources (files, registry, etc.) have an integrity level assigned. MIC prevents a standard user process from writing to a protected per machine location like Program Files or the HKLM registry hive. I won’t go too deep into MIC in this post but the following is a great resource if you want more info: Inside Windows Vista User Account Control.

 

User Interface Privilege Isolation (UIPI)

 

Okay, back to our drag and drop issue… A “sister” technology that works in conjunction with MIC is UIPI.  UIPI blocks Windows messages being sent from process with a lower MIC level to one running at a higher MIC level. Drag-and-drop is implemented via Windows messages.  Therefore, if you try and drag-and-drop a file from Windows Explorer (medium MIC) to Notepad running elevated (high MIC), the Windows messages are blocked and drag-and-drop doesn’t work.

 

You can use ChangeWindowsMessageFilterEx in your application to allow specified Windows messages to not be blocked. Unfortunately, this isn’t recommended as a safe solution for drag and drop due to the messages that drag and drop uses.

 

Okay. Now What?

 

The best solution is to only use drag and drop between the same MIC levels. With UAC enabled, Windows Explorer will run at a medium MIC level.  Therefore, your application (Notepad in our example) needs to run at medium (or lower) MIC level.  The bottom line is that drag and drop from Windows Explorer will not work if your application is elevated.  If you find yourself in this situation, you may need to rethink your application design or not support drag-and-drop with UAC enabled.

Comments

  • Anonymous
    October 10, 2015
    Why would it be bad to move from less privelages to more?

  • Anonymous
    February 07, 2016
    The comment has been removed

  • Anonymous
    February 22, 2016
    Now this is downright a brain dead solution to a security problem. Why not just forbid using a GUI at all? I have a log viewing application and the most fast, handy and user friendly way to use it is by drag and drop. If the files are so unsecure, then opening them via a file dialog should also be blocked.

  • Anonymous
    February 23, 2016
    Hi Lurker and Seriously?!, The need for UIPI is to prevent shatter attacks (See en.wikipedia.org/.../Shatter_attack). Pat

  • Anonymous
    February 28, 2016
    I didn't know about that one so thanks for sharing. But still, why block the messages that are designed and intended for interprocess communication? It indeed makes no sense to allow every possible message to be sent, but it also makes no sense to block messages that are meant to be shared (like drag-drop). It's like having a web browser that doesn't allow you to click on URLs to go to another site (which also was a Microsoft recomendation at some point). It's kind of mystifying that when logging in as Administrator, one cannot drag-drop files, but if logging in as a restricted user, it's allowed.

  • Anonymous
    February 29, 2016
    The comment has been removed

  • Anonymous
    November 19, 2016
    The comment has been removed

    • Anonymous
      November 21, 2016
      Hi DanoR,Drag and drop functionality will work as expected if applications run at the same integrity level when UAC is enabled. Because drag and drop uses Windows messages to communicate, you can't accept potentially untrusted data from a lower integrity process. Pat
  • Anonymous
    January 10, 2017
    I just got bit by this hard. Lost too much time tonight, trying to figure out where I was going wrong with my code. Okay, so this is a necessary security "feature". Cool. But perhaps then the system should notify the user as to why they can't perform this drag and drop, instead of letting us spin our wheels...

    • Anonymous
      January 10, 2017
      Hi tbarela,Good point. The best place to submit developer product feedback is UserVoice. https://wpdev.uservoice.com/Thanks,Pat
      • Anonymous
        July 06, 2017
        Wow some people really upset to see the OS enforce security! lol
  • Anonymous
    September 20, 2018
    An interesting, alternative way to solve the UIPI "issue" is to let the program check its integrity level and restart itself at medium level. Works great without loosing the elevation state otherwise.