Security Considerations for Assistive Technologies
Assistive technologies are applications that run on the Windows desktop and help accessibility users to interact with the operating system and other applications running on the computer, including applications in the new Windows UI. Assistive technology applications work by retrieving information from the operating system and other applications, and then presenting the information in a way that is accessible to the user. An assistive technology application can also programmatically "drive" the operating system and other applications based on input from the user.
The nature of assistive technology applications requires that they cross process boundaries, and that they have access to processes that run at a higher integrity level (IL) than themselves. (An assistive technology application runs at medium IL.) For example, when the user attempts to perform a task that requires administrative privileges, Windows presents a dialog box asking the user for consent to continue. This dialog box runs at a higher IL to protect it from cross-process communication, so that malicious software cannot simulate user input. Similarly, the desktop logon screen runs at a higher IL to prevent it from being accessed by other processes.
Assistive technology applications typically need access to the protected system UI elements, or to other processes that might be running at a higher privilege level. Therefore, assistive technology applications must be trusted by the system, and must run with special privileges.
To get access to higher IL processes, an assistive technology application must set the UIAccess flag in the application's manifest.
In addition to having access to higher IL processes, an assistive technology application with UIAccess can run as the topmost application in the z-order at any time, meaning that an assistive technology application can be visible and available whenever the user needs it.
This topic provides guidelines for using UIAccess. It includes the following sections.
- UIAccess Requirements for Assistive Technology Applications
- Setting UIAccess in the Application Manifest File
- Related topics
An assistive technology application is a Windows desktop application that interacts with other processes running on the desktop and in the new Windows UI to get information from the system and applications. The assistive technology application can then provide the information to accessibility users.
An assistive technology application gets access to other processes by setting the UIAccess flag in the application manifest. To use the UIAccess flag, an assistive technology application must meet the following requirements.
- Require to display, interact with, or reflect information from another application to provide information for an accessibility scenario, and/or
- Require running as the top-most window to obtain or display this information.
To use UIAccess, an assistive technology application needs to:
- Be signed with a certificate to interact with applications running at a higher privilege level.
- Be trusted by the system and run with administrative privileges. The application must be installed in a secure location that requires a user account control (UAC) prompt to write to (for example, the Program Files folder).
- Be built with a manifest file that includes the UIAccess flag.
UIAccess should not be used:
- By applications that are not assistive technologies.
- By assistive technology applications that display information or UI that is not relevant to the accessibility scenario they target.
- By applications that just want to appear above other applications in the new Windows UI.
Note Applications developed for the new Windows UI do not have UIAccess as an available option.
To gain access to the protected system UI, applications must be built with a manifest file that includes a special attribute in the manifest file. This uiAccess attribute is included in the requestedExecutionLevel tag, as shown in the following code example.
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="highestAvailable" UIAccess="true" /> </requestedPrivileges> </security> </trustInfo>
The value of the level attribute in this code is an example only.
UIAccess is "false" by default. If the attribute is omitted, or if there is no manifest, the application cannot gain access to the protected UI.
For more information on Windows security, on signing applications, and on creating manifests, see The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC) on MSDN.