No URL for you ...



  • Today I learned .... elevated processes cannot receive URL open requests. Apparently receiving a URL open request is dangerous!

    If you run Process Explorer (v15.40) elevated, and use the Restart command to restart a program, it mistakenly starts it elevated rather than verifying whether it was elevated originally, which is a bit dangerous.

    I was trying to figure out why after restarting Firefox, I could no longer follow any links in Thunderbird -- nothing would happen. It was only after I noticed that mouse gestures using StrokeIt were no longer being accepted, that I realised what had happened.
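
Added example, not part of the original thread: a PowerShell check of whether the browser and the mail client are running elevated, which is the mismatch the post above describes. The process names and the `TokenInfo` helper class are assumptions of this example; run it from an elevated prompt, because a standard shell cannot open an elevated process and will report it as "access denied".

```powershell
# Added example: report the elevation state of selected processes.
# TokenInfo is a hypothetical helper defined here; it is not a built-in type.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenInfo {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           out int info, int length, out int returned);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevation = 20;   // TOKEN_INFORMATION_CLASS value

    // True when the process token is elevated (TOKEN_ELEVATION.TokenIsElevated != 0).
    public static bool IsElevated(IntPtr process) {
        IntPtr token;
        if (!OpenProcessToken(process, TOKEN_QUERY, out token))
            throw new Win32Exception();
        try {
            int elevated, returned;
            if (!GetTokenInformation(token, TokenElevation, out elevated, 4, out returned))
                throw new Win32Exception();
            return elevated != 0;
        } finally {
            CloseHandle(token);
        }
    }
}
'@

# Assumed process names, taken from the programs mentioned in the thread.
$names = 'firefox', 'thunderbird'

Get-Process -Name $names -ErrorAction SilentlyContinue | ForEach-Object {
    # Opening a handle to an elevated process from a standard shell fails.
    $state = try { [TokenInfo]::IsElevated($_.Handle) } catch { 'access denied' }
    [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id; Elevated = $state }
}
```

A row showing `Elevated = True` for the browser next to `False` for the mail client is the situation in which the link handoff silently stops working.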



  • I'm not a Windows expert, but I think that's because Thunderbird was not elevated. It doesn't make sense for a non-elevated process to manipulate an elevated one.



  • I believe the rule is that elevated processes and standard processes cannot talk to each other, and elevated processes are not allowed to talk to each other really either. The exception is if the elevated application is defined as UIAccess in which case it can talk to other processes and be talked to by other processes, but it needs to be in a trusted location (Program Files or SystemRoot).



  • @Kyanar said:

    The exception is if the elevated application is defined as UIAccess in which case it can talk to other processes and be talked to by other processes, but it needs to be in a trusted location (Program Files or SystemRoot).

    UIAccess actually allows a non-elevated process to send window messages to elevated processes (the requirements are UIAccess="true" in manifest, signed binary with 2048-bit key, and running from trusted location).



  • I guess the level of paranoia within my own desktop surprised me. I need to check at some point if TRWTF of Process Explorer incorrectly elevating processes is resolved, as that's just bad.


  • Considered Harmful

    @Daniel Beardsmore said:

    I guess the level of paranoia within my own desktop surprised me. I need to check at some point if TRWTF of Process Explorer incorrectly elevating processes is resolved, as that's just bad.

    It's not as easy as you might expect.



  • @Daniel Beardsmore said:

    I guess the level of paranoia within my own desktop surprised me.

    It's entirely appropriate. You should google about "Shatter attacks" if you haven't heard of them before.



  • @joe.edwards said:

    It's not as easy as you might expect.

    On the other hand, Process Explorer does know every last detail of the program in question, as it's restarting it, not starting it. With installers, I do tend to ignore the "Run the program you just installed" checkbox at the end of the wizard, due to how often it will use the incorrect privileges.

    @DaveK said:

    It's entirely appropriate. You should google about "Shatter attacks" if you haven't heard of them before.

    Is that more due to the legacy of the way processes interact in Windows? For example, I am not aware that Apple Events ever involve passing addresses and callbacks to each other. Instead, processes communicate with abstract data using wholly virtual classes. Windows IPC is weird. Of course, since URLs are often passed through DDE, and DDE comprises window messages, I can see where that would fall short.

    Maybe I am just nuts (not that this was ever in question) but I always loved the Macintosh IPC model. Structured, clean and suitably abstract, scriptable, and (in a rather weird way) recordable.

