UIAccess attribute in the manifest and integrity level

Question

Hello

     

    We have a singleton host (ourhost.exe) running with medium integrity level, which provides several COM interfaces to the clients. Ourhost.exe installs system-wide hooks. So we need these hooks to handle all the applications running with low, medium and high integrity levels. We need to communicate, using the Windows messaging mechanism, with the parts of these hooks injected into the applications.

     

    We have service applications, which invoke COM methods provided by ourhost.exe (a singleton, as you remember). Service applications are running with medium integrity level by default. Ourhost.exe is not running when Windows starts. Instead, it is started by the first service tool and is shut down when no more service tools are connected.

     

    Since ourhost.exe has medium integrity level, I've added uiAccess="true" along with level="asInvoker" to the manifest of ourhost.exe to allow the hooks to be injected into high integrity processes. The relevant part of the manifest is below.

      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="asInvoker" uiAccess="true" />
          </requestedPrivileges>
        </security>
      </trustInfo>

    Also, I've signed ourhost.exe.

     

    Currently I have the following situation:

    1. Service apps fail to start ourhost.exe. CreateInstance returns "the requested operation requires elevation". I suppose this is because applications with uiAccess="true" have medium plus 0x10 integrity level, so medium integrity level applications are unable to communicate with them;

    2. But if I manually run ourhost.exe from explorer.exe [medium integrity], then ourhost.exe runs with high integrity (as shown in Process Explorer). A service app will then successfully connect to the appropriate COM interface of ourhost.exe;

     

    Can someone give me an idea how to get all these things working together?

     

    Setting LaunchPermission and AccessPermission with the security descriptor L"O:BAG:BAD:(A;;0xb;;;WD)S:(ML;;NX;;;LW)" doesn't help.

     

    Thanks in advance,

    Anton

    Friday, February 29, 2008 12:44 PM
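The post reasons from what Process Explorer shows, but the decisive facts are in the process token itself: the mandatory label RID (0x2000 medium, 0x2010 medium + 0x10 for UIAccess as the post says, 0x3000 high) and the TokenUIAccess flag. The following PowerShell script is an added diagnostic, not code from the original post or from the poster's product; it P/Invokes OpenProcessToken/GetTokenInformation to read both values for a given PID. The process name "ourhost" is taken from the post; the class name TokenProbe and the function Get-IntegrityReport are the script's own.

```powershell
# Added diagnostic (not from the original post): report the integrity level RID
# and the UIAccess flag of a process token, so you can see whether ourhost.exe
# was actually granted UIAccess (medium + 0x10 = 0x2010) or was simply started
# as a high-integrity process (0x3000).
$src = @'
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;

public static class TokenProbe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    // PROCESS_QUERY_LIMITED_INFORMATION is enough for OpenProcessToken(TOKEN_QUERY)
    // on Vista and later, so a medium process can still inspect a high-IL token.
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS values
    const int TokenUIAccess = 26;

    // Open the token, fetch one information class into an unmanaged buffer,
    // pass it to `read`, then release every handle and buffer.
    static T WithTokenInfo<T>(int pid, int cls, Func<IntPtr, T> read)
    {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new Win32Exception();
        IntPtr token = IntPtr.Zero, buf = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(proc, TOKEN_QUERY, out token)) throw new Win32Exception();
            int len;
            GetTokenInformation(token, cls, IntPtr.Zero, 0, out len);   // size probe
            buf = Marshal.AllocHGlobal(len);
            if (!GetTokenInformation(token, cls, buf, len, out len)) throw new Win32Exception();
            return read(buf);
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(proc);
        }
    }

    // Last sub-authority of the mandatory label SID (S-1-16-<rid>).
    public static uint IntegrityRid(int pid)
    {
        return WithTokenInfo(pid, TokenIntegrityLevel, buf =>
        {
            IntPtr sid = Marshal.ReadIntPtr(buf);      // TOKEN_MANDATORY_LABEL.Label.Sid
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
        });
    }

    // TokenUIAccess yields a DWORD; nonzero means the token carries UIAccess.
    public static bool HasUIAccess(int pid)
    {
        return WithTokenInfo(pid, TokenUIAccess, buf => Marshal.ReadInt32(buf) != 0);
    }
}
'@
Add-Type -TypeDefinition $src

function Get-IntegrityReport {
    param([Parameter(Mandatory = $true)][int]$ProcessId)
    $rid = [TokenProbe]::IntegrityRid($ProcessId)
    $name = switch ($rid) {
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x2010  { 'Medium + 0x10 (UIAccess)' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { ('0x{0:X}' -f $rid) }
    }
    [pscustomobject]@{
        ProcessId    = $ProcessId
        IntegrityRid = ('0x{0:X}' -f $rid)
        Integrity    = $name
        UIAccess     = [TokenProbe]::HasUIAccess($ProcessId)
    }
}

# Usage: compare the host with the session that launched it (normally Medium).
Get-Process -Name ourhost -ErrorAction SilentlyContinue |
    ForEach-Object { Get-IntegrityReport -ProcessId $_.Id }
Get-IntegrityReport -ProcessId $PID
```

Run it once while ourhost.exe was started by a service tool and once while it was started from Explorer; the two rows show directly which of the poster's two hypotheses (0x2010 with UIAccess set, versus a plain 0x3000 high-integrity token) applies. Note that Windows only honours uiAccess="true" for a binary that is both signed and installed under a secure location such as Program Files or System32; a host started from anywhere else gets an ordinary 0x2000 token with UIAccess false, which this probe makes visible.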