Code Quality: Disable drag & drop when running as admin #15795
Can you cache the result?
For #13394
Yeah do you think would it be better in WindowContext?
I would keep the code in the service, but we can cache it in the context.
I would prefer to do the same as Terminal.
FYI @ahmed605
This order is kinda wrong, AC has higher IL than Untrusted, and it's actually Low IL but with lower TrustLevel than usual Low IL apps, and there's also LPAC (Less Privileged AppContainer) which is almost on the same level as Untrusted but a little bit higher, it's used by Chromium, Firefox, and Microsoft Edge Legacy
I was really uncertain on that point. I wasn't even sure this is IL. But a doc I referred to (not official) wrote it as AppContainer < Untrusted. Thank you for the correction. What about that function above to work around this blocking?
I'm a bit worried about the security concerns, you can still inject through only the HWNDs btw
I see, thank you for letting me know.
Is this ready for review?
Do we need to adjust the text in the "running as admin" prompt?
All good.
@0x5bfa I rebased the branch from
Yes, Fixed by squashing all
Summary
The service 'IWindowsSecurityService' gets the current process's token and checks if the token belongs to the Administrators group.
IWindowsSecurityService
WindowContext
Resolved / Related Issues
Steps used to test these changes
Open details that I learnt
Why doesn't drag and drop work?
This is because of UIPI (User Interface Privilege Isolation) using MIC (Mandatory Integrity Control), which blocks a process that has a lower IL (integrity level) from interacting with a process that has a higher IL. This was introduced in Vista with the introduction of UAC.
It is not because of UIPI, btw, that UWP cannot access system resources and user data without the user's consent (that is due to AppContainer itself).
IL gets higher from top to bottom
Untrusted (Chrome, IE)
AppContainer/LowBox (UWP)
Low
Medium (default)
Medium Plus
High/Elevated (elevated)
System (system services)
Protected Process
Installer (Windows)
UAC settings
Behavior
by a process
by user
Registry values to be modified
BehaviorAdmin
BehaviorUser
SecureDesktop
Disabling UAC
When you disable UAC through the UAC Settings dialog (UIPI will be disabled as well), the UAC prompt won't be shown.
However, it seems that DataExchangeHost.exe doesn't accept dropping onto a window of a process that has a higher IL (Windows OS bug?) even though UAC is disabled. A contributor of Windows Terminal made a workaround for it.
Also, I should note that we might be able to use DragQueryFile to work around UIPI, though I'm still not sure.
How does UAC work (if it helps)?
On startup, the kernel executes explorer.exe with a token as below:
Standard User (not in Administrators group)
Administrator User (in Administrators group)
BUILTIN/Administrator (the real administrator)
What I've described so far applies when the user hasn't changed anything through the Windows Registry or Group Policy. Some behavior can be changed otherwise.
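Since UIPI compares integrity levels, the following added example (not code from this PR, which tests Administrators group membership) reads the integrity level of the current process token directly through the Win32 token APIs. The class name `TokenIntegrity` and the helper `IsHighOrAbove` are hypothetical; the example is Windows-only and assumes the drag source, such as Explorer in a normal desktop session, runs at Medium IL.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class TokenIntegrity
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;              // TOKEN_INFORMATION_CLASS value
    const uint SECURITY_MANDATORY_HIGH_RID = 0x3000; // Medium is 0x2000, System is 0x4000

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, uint length, out uint needed);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);

    // Returns the integrity RID of the current process token (last sub-authority of the label SID).
    public static uint GetCurrentIntegrityRid()
    {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out IntPtr token))
            throw new Win32Exception();
        IntPtr buffer = IntPtr.Zero;
        try
        {
            // The first call fails by design and reports the required buffer size.
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out uint needed);
            buffer = Marshal.AllocHGlobal((int)needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out _))
                throw new Win32Exception();
            // TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES, whose first field is the SID pointer.
            IntPtr sid = Marshal.ReadIntPtr(buffer);
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            CloseHandle(token);
        }
    }

    // Hypothetical helper: High or above means a Medium IL drag source sits below this process.
    public static bool IsHighOrAbove() => GetCurrentIntegrityRid() >= SECURITY_MANDATORY_HIGH_RID;
    static void Main() => Console.WriteLine($"RID=0x{GetCurrentIntegrityRid():X}, high or above: {IsHighOrAbove()}");
}
```

The result does not change during the lifetime of the process, so it can be computed once and cached, as the review comments suggest for the PR's own check.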