UI Automation Security Overview
This topic describes the security model for Microsoft UI Automation. It contains the following sections.
Among the security innovations introduced in Windows Vista is the ability for users to run as standard (non-administrator) users without being blocked from running applications and services that require higher privileges.
Most applications are supplied with a standard token or an administrative token. If an application cannot be identified as an administrative application, it is launched as a standard application by default. Before an application identified as an administrative application can be launched, Windows prompts the user for consent to run the application as elevated. The consent prompt is displayed by default, even if the user is a member of the local Administrators group, because administrators run as standard users until an application or system component that requires administrative credentials requests permission to run.
When a user attempts to perform a task that requires administrative privileges, Windows presents a dialog box asking the user for consent to continue. This dialog box is protected from cross-process communication, so that malicious software cannot simulate user input. Similarly, the desktop logon screen cannot typically be accessed by other processes.
UI Automation clients must communicate with other processes, some of them perhaps running at a higher privilege level. Clients also might need access to the system dialog boxes that are not typically visible to other processes. Therefore, UI Automation clients must be trusted by the system, and must run with special privileges.
To be trusted to communicate with applications running at a higher privilege level, applications must be digitally signed.
To gain access to the protected system user interface (UI), applications must be built with a manifest file that includes a special attribute in the manifest file. This uiAccess attribute is included in the requestedExecutionLevel tag, as shown in the following code example.
<trustInfo xmlns="urn:0073chemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="highestAvailable" UIAccess="true" /> </requestedPrivileges> </security> </trustInfo>
The value of the level attribute in this code is an example only.
UIAccess is "false" by default. If the attribute is omitted, or if there is no manifest, the application cannot gain access to the protected UI.
For more information on Windows security, on signing applications, and on creating manifests, see The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC) on MSDN.