Event 1042 - UIPI Cross Process Window Message

  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
  • Related topics

Logged Message

User Interface Privilege Isolation (UIPI) prevents application processes running with lower privileges from using Windows messages to send information to a higher privilege process. For example, if you are running as a Limited User, Windows Internet Explorer 8 and Windows Internet Explorer 7 prevent websites from sending messages to the Microsoft Management Console (MMC) or an Administrative Control Panel (CPL). Without this prevention, application processes can inject hostile information without requiring user interaction.

What Is It?

UIPI blocks lower-integrity processes from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages to, hook, or attach to higher-integrity processes. This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using window messages.

A shatter attack is a programming technique employed in malicious software that can be used to bypass security restrictions between processes in a session.

When Is This Event Logged?

This event is logged when an application process running with lower privileges attempts to use Windows messages to send information to a higher privilege process.
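To see which blocked messages recur on a machine, the logged events can be pulled and grouped. The following PowerShell is an added example, not part of the original page or of any Microsoft tool. It assumes the events are written to the "Internet Explorer" event log, and the function name Get-UipiBlockEvent is hypothetical.

```powershell
# Added example: list recent UIPI Cross Process Window Message events (ID 1042).
# Assumption: the events are written to the "Internet Explorer" event log;
# pass -LogName if your systems record them elsewhere.
function Get-UipiBlockEvent {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Internet Explorer',   # assumed log name
        [int]$Days = 7                            # how far back to search
    )

    $filter = @{
        LogName   = $LogName
        Id        = 1042
        StartTime = (Get-Date).AddDays(-$Days)
    }

    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error rather than returning an empty set
        # when nothing matches; treat that case as "no events".
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    # Group identical messages so a repeatedly blocked extension stands out.
    $events |
        Group-Object -Property Message |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            [pscustomobject]@{
                Count     = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
                Message   = $_.Name
            }
        }
}

Get-UipiBlockEvent -Days 7 | Format-List
```

A high count for one message text points at a single extension or page that keeps hitting the integrity check, which is the component to fix as described under Remediation.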

Example

It's beyond the scope of this document to provide a complete example that logs this particular event. However, the following procedure is an outline of what's involved in making Windows Internet Explorer log the UIPI Cross Process Window Message event.

  1. Create a new document using Microsoft Word, and add some placeholder text.

  2. Save the document in the root directory of the local Web server as a Rich Text Format (RTF) file. For example, call it test.rtf. On a Microsoft Internet Information Services (IIS) server, this means putting the file in this directory:

    .\wwwroot

  3. Internet Explorer needs to have Protected Mode enabled. Select the Tools > Internet Options menu item. Select the Security tab. Select the Local intranet zone and ensure Enable Protected Mode is checked. Now click OK.

  4. Create a shim that will attempt to post a cross-process window message when accessing the RTF file. Call the shim IEUIPILogging.sdb.

  5. Install the shim at an elevated Command Prompt by using sdbinst IEUIPILogging.sdb.

  6. Browse to the file:

    https://localhost/test.rtf

This causes the UIPI Cross Process Window Message event to occur.

Remediation

There is no workaround. The solution is to modify your extension so that it operates within the protected mode integrity checks. For guidance on writing extensions that are compatible with Internet Explorer protected mode in Windows Vista, see the article Understanding and Working in Protected Mode Internet Explorer on MSDN.

Related topics

Internet Explorer Application Compatibility

Events 1040 through 1049