User Interface Privilege Isolation - Native

Hands-On Lab

Lab version: 1.0.0

Last updated: 11/2/2018

Contents

Overview

Exercise 1: Identifying UIPI

Task 1 – Make Sure UAC is Active

Task 2 – Identify the Problem

Exercise 2: Solving UIPI Issues

Task 1 – Explore the Ping Pong Sample

Task 2 – Fix the Code

Summary

Overview

Objectives

In this lab, you will learn how to:

  • Identify a User Interface Privilege Isolation (UIPI) issue
  • Fix a UIPI issue

System Requirements

You must have the following items to complete this lab:

  • Microsoft Visual Studio® 2008 SP1
  • Microsoft Windows® 7
  • Process Explorer from Windows Sysinternals (

Exercise 1: Identifying UIPI

In this exercise you will investigate two processes that communicate via windows messages, but where communication fails (at least in one direction) due to unequal integrity levels.

Task 1 – Make Sure UAC is Active

In this task, you will confirm that User Account Control (UAC) is active. This will allow the problem to occur.

  1. From Start:
  2. Click Control Panel.
  3. Click User Accounts and Family Safety.
  4. Click User Accounts.
  5. Click Change User Account Control Settings. A dialog box similar to the following should appear:

Help

Alternatively, click Start, click Run, and type UAC. Then click Change User Account Control Settings.

  1. Make sure the slider is set at the default level as pictured (you can set it to another level, but not to Never notify, as this disables UAC).
  2. Click OK.

Task 2 – Identify the Problem

  1. Navigate to the PingPongBroken\Debug folder.
  2. Double-click the BrokenNativePingPong.exe file. A blank window should appear.
  3. Double-click the BrokenNativePingPong.exe file again. You should see a message, “Ping Pong,” bouncing between two similar windows:

Help

This is the correct behavior. Both processes run with standard user privileges and at the same integrity level. To verify this, follow the next steps.

  1. Open Process Explorer from Windows Sysinternals. (You can install Process Explorer from
  2. Right-click the process view header.
  3. Click Select Columns as shown in the following image.

  1. Make sure the Integrity Level check box is selected; otherwise you will not see the integrity level and will have a hard time completing this lab.
  2. Click OK to confirm your selection.

  1. Navigate to the BrokenNativePingPong.Exe processes and look at the integrity level.

Help

It should be medium. This is the default integrity level of processes started with standard user privileges.

  1. Close both Ping Pong windows
  2. Double-click BrokenNativePingPong.Exe to run the first instance as before.
  3. For the second instance, right-click it.
  4. Click Run as administrator.
  5. Satisfy the UAC prompt presented (alternatively, just double-click NativePingPongLoader.Exe and it will do both things automatically).

Watch Out

You’ll find that the message, “Ping Pong,” no longer works.

  1. Open Process Explorer as before and look at the integrity levels:

Help

When run as administrator, the process runs at a high integrity level instead of the medium integrity level. This is the cause of the problem: a process cannot send or post window messages to another process with a higher integrity level.

  1. Close both Ping Pong windows
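The integrity level that Process Explorer displays can also be read from the process token. The following is an added example, not part of the lab's sample code; the helper names IntegrityName and CurrentIntegrityRid are illustrative, and the Win32 part is compiled only on Windows.

```cpp
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
#include <vector>
#endif

// Mandatory-label RIDs, values as defined in winnt.h (SECURITY_MANDATORY_*_RID).
const unsigned long kLowRid = 0x1000, kMediumRid = 0x2000,
                    kHighRid = 0x3000, kSystemRid = 0x4000;

// Name the band a label RID falls in (intermediate values round down).
const char* IntegrityName(unsigned long rid) {
    if (rid >= kSystemRid) return "System";
    if (rid >= kHighRid)   return "High";
    if (rid >= kMediumRid) return "Medium";
    if (rid >= kLowRid)    return "Low";
    return "Untrusted";
}

#ifdef _WIN32
// Read the integrity RID from this process's token; false if the query fails.
bool CurrentIntegrityRid(unsigned long* rid) {
    HANDLE tok = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return false;
    DWORD len = 0;
    GetTokenInformation(tok, TokenIntegrityLevel, NULL, 0, &len);  // size probe
    std::vector<BYTE> buf(len ? len : 1);
    bool ok = GetTokenInformation(tok, TokenIntegrityLevel, &buf[0], len, &len) != FALSE;
    if (ok) {
        PSID sid = reinterpret_cast<TOKEN_MANDATORY_LABEL*>(&buf[0])->Label.Sid;
        // The level is the last sub-authority of the label SID (S-1-16-<rid>).
        *rid = *GetSidSubAuthority(sid, (DWORD)(*GetSidSubAuthorityCount(sid) - 1));
    }
    CloseHandle(tok);
    return ok;
}
#endif

int main() {
#ifdef _WIN32
    unsigned long rid = 0;
    if (CurrentIntegrityRid(&rid))
        std::printf("this process: %s (0x%lX)\n", IntegrityName(rid), rid);
#endif
    // The two levels seen in this lab: standard user vs. Run as administrator.
    std::printf("0x2000 -> %s, 0x3000 -> %s\n",
                IntegrityName(kMediumRid), IntegrityName(kHighRid));
    return 0;
}
```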

Exercise 2: Solving UIPI Issues

Task 1 – Explore the Ping Pong Sample

In this task, you will investigate the Visual Studio solution to understand what the code does.

  1. Double-click the PingPongBroken solution

Help

Visual Studio 2008 should start and load the solution. The solution contains four projects: two native and two managed. Each pair is the Ping Pong application itself and a convenient loader that starts one process with standard user privileges and the other with administrator privileges.

  1. Open the PingPong.cpp file
    The PingPongDlgProc function is the modal dialog procedure that handles the bulk of the work. To coordinate properly, the RegisterWindowMessage function is used to obtain a global (technically, global to the process’s window station) message ID for inter-process communication. The resulting message, uMsgBall, is the one posted between the windows of the two running processes.
  2. The WinMain function searches for another instance of the same executable by looking for another window with the same caption (using the FindWindow function).
  3. A timer is used to wait 500 msec between messages.

Task 2 – Fix the Code

The PostMessage function used for message passing fails when the target window belongs to a process with a higher privilege level. However, the receiving process can use a message filter to let specific messages through:

  1. After the message is registered in the WM_INITDIALOG handler, use the ChangeWindowMessageFilter function to let the registered message pass through, regardless of privilege levels.
  2. Add a call to that function with the MSGFLT_ADD flag to add the message to the filter. The code should look like the following:

C++

uMsgBall = RegisterWindowMessage(sMessageBall);
if (!uMsgBall) return FALSE;

// Allow our message to come in even if sent by a lower-privilege process.
ChangeWindowMessageFilter(uMsgBall, MSGFLT_ADD);

  1. Build the project and test it with NativePingPongLoader.Exe.
    It should work as expected. The complete solution is in the PingPongFixed folder.
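ChangeWindowMessageFilter applies to every window in the process; on Windows 7, ChangeWindowMessageFilterEx limits the exception to a single window. The following added example (not the code in PingPongFixed) shows that narrower receiver-side call and a sender-side check that reports a UIPI block. The helper names and the zero message parameters are assumptions, and the Win32 part is compiled only on Windows.

```cpp
#include <cstdio>
#ifdef _WIN32
#include <windows.h>  // needs _WIN32_WINNT >= 0x0601 for ChangeWindowMessageFilterEx
#endif

const unsigned long kMediumRid = 0x2000, kHighRid = 0x3000;  // label RIDs, winnt.h

// The rule from Exercise 1 as a predicate: a post from a lower integrity
// level is dropped unless the receiver has allowed that message.
bool UipiBlocks(unsigned long senderRid, unsigned long receiverRid, bool receiverAllows) {
    return senderRid < receiverRid && !receiverAllows;
}

enum PostResult { kSent, kBlockedByUipi, kOtherFailure };

// A UIPI drop surfaces as a failed post with last error 5 (ERROR_ACCESS_DENIED).
PostResult ClassifyPost(bool posted, unsigned long lastError) {
    if (posted) return kSent;
    return lastError == 5 ? kBlockedByUipi : kOtherFailure;
}

#ifdef _WIN32
// Receiver: allow uMsgBall for this one dialog rather than process-wide.
bool AllowBallForWindow(HWND hDlg, UINT uMsgBall) {
    CHANGEFILTERSTRUCT cfs = { sizeof(cfs) };
    return ChangeWindowMessageFilterEx(hDlg, uMsgBall, MSGFLT_ALLOW, &cfs) != FALSE;
}

// Sender: post the ball and report why it failed, if it did.
PostResult PostBall(HWND hPeer, UINT uMsgBall) {
    BOOL ok = PostMessage(hPeer, uMsgBall, 0, 0);  // zero params: placeholder
    return ClassifyPost(ok != FALSE, ok ? 0 : GetLastError());
}
#endif

int main() {
    // Medium sender, high receiver: before and after the receiver's fix.
    std::printf("before fix: %s\n", UipiBlocks(kMediumRid, kHighRid, false) ? "blocked" : "delivered");
    std::printf("after fix:  %s\n", UipiBlocks(kMediumRid, kHighRid, true) ? "blocked" : "delivered");
    // High to medium was never blocked, which is why one direction kept working.
    std::printf("reverse:    %s\n", UipiBlocks(kHighRid, kMediumRid, false) ? "blocked" : "delivered");
    return 0;
}
```

Whichever call is used, the allowed message can then arrive from any lower-integrity process on the desktop, so the handler for uMsgBall should treat its parameters as untrusted input.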

Summary

In this lab, you learned how to diagnose UIPI issues using Process Explorer, and how to use a message filter to let messages through to applications running at higher privilege levels.

For more information, please refer to:

  • Application Compatibility Cookbook:
  • The Windows Vista® and Windows Server® 2008 Developer Story:
  • Edgar Barbosa: Windows Vista UIPI:
