In Windows Vista, I am unable to drag/drop files onto my application's window because it is running as a high integrity level process. I need to run it as high, but I also need to be able to accept dropped files from low/medium integrity level processes like Windows Explorer. I believe it is UIPI that is blocking the drag/drop operation. I know that I can use the ChangeWindowMessageFilter function to allow certain Windows messages to bypass UIPI, but I'm not sure which messages to add to allow the drag/drop operation. Is ChangeWindowMessageFilter the right approach to permit this, or is there a better way? Thanks!

A: 

Considering the title of this blog entry:
"Why you shouldn’t touch ChangeWindowMessageFilter with a 10-ft pole…",
I guess it is not the best approach ;)

Now, this might seem like a great approach at first - after all, you’ll only use ChangeWindowMessageFilter when you’re sure you can completely validate a received message even if it is from an untrusted source, such that there’s no way something could go wrong, right?

Well, the problem is that even if you do this, you are often opening your program up to attack unintentionally.
Consider for a moment how custom window messages are typically used; virtually all the common controls in existence have “dangerous” messages in the custom class message range (e.g. WM_USER and friends).

Additionally, many programs and third party libraries confuse WM_USER and WM_APP, such that you may have programs communicating cross process via both WM_USER and WM_APP, via “dangerous” messages that are used to make sensitive decisions or include pointer parameters.


In the comments of this blog entry, an alternative approach was discussed, but with pretty much the same conclusion:

I would use RegisterWindowMessage and then allow that via ChangeWindowMessageFilter.
However, be aware that you cannot design a cross-process window message interface that passes pointers or other untrusted values or you are creating a security hole.

For this reason, I would tend to avoid using window messages at all for most cross-process IPC (if possible), as it is typically very difficult to do non-trivial things in a secure fashion using them.


Note: this entry "So, who wants to design a feature today?" illustrates the same problem, and points to the insightful articles of Raymond Chen:

which both detail the issue.
This ServerFault question "Why can’t I drag/drop a file for editing in notepad in Windows Server 2008?" also includes some answers, but no quick-win.

See also this article on IE

VonC
I'm aware of the dangers of opening my application up using this method, and as such I'm not passing any pointer structures around. I really need the drag/drop functionality to work, and Vista's "security" is really starting to annoy me.
Jon Tackabury
I understand: note you may find some other suggestions at this question: http://serverfault.com/questions/39600/why-cant-i-drag-drop-a-file-for-editing-in-notepad-in-windows-server-2008 (including disabling the UIPI (User Interface Privilege Isolation))
VonC
Unfortunately I can't ask the users of my application to disable UIPI. I understand the reasoning behind blocking the drag/drop operation between priority levels, but it really makes app development unnecessarily complicated. :(
Jon Tackabury
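
The approach quoted in the answer (a RegisterWindowMessage ID allowed through the filter, with no pointers in the parameters), sketched as an added example that is not code from the thread or the linked blog. The function names, the command codes and the message name are hypothetical; the Windows calls are compiled only on Windows, and the validation logic is portable.

```c
/* Added example; identifiers and the message name are hypothetical. */
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>   /* build with _WIN32_WINNT >= 0x0600 */
#endif

enum msg_range { RANGE_SYSTEM, RANGE_USER, RANGE_APP, RANGE_REGISTERED, RANGE_INVALID };

/* Win32 message ID ranges. */
enum msg_range classify_message(uint32_t msg) {
    if (msg < 0x0400) return RANGE_SYSTEM;       /* system-defined, below WM_USER */
    if (msg < 0x8000) return RANGE_USER;         /* WM_USER..0x7FFF: private to a window class */
    if (msg < 0xC000) return RANGE_APP;          /* WM_APP..0xBFFF: private to an application */
    if (msg <= 0xFFFF) return RANGE_REGISTERED;  /* IDs handed out by RegisterWindowMessage */
    return RANGE_INVALID;
}

/* Constructed command set carried in wParam. */
#define CMD_REFRESH  1u
#define CMD_SET_ZOOM 2u

/* Returns 1 if a message from a lower-integrity sender may be acted on.
   wparam and lparam are treated as plain integers and never dereferenced. */
int accept_cross_process(uint32_t msg, uint32_t registered_id,
                         uintptr_t wparam, intptr_t lparam) {
    if (msg != registered_id || classify_message(msg) != RANGE_REGISTERED)
        return 0;                       /* WM_USER/WM_APP IDs never pass */
    switch (wparam) {
    case CMD_REFRESH:  return lparam == 0;
    case CMD_SET_ZOOM: return lparam >= 10 && lparam <= 400;  /* percent */
    default:           return 0;        /* unknown command */
    }
}

#ifdef _WIN32
/* Registers the message and opens the UIPI filter for that single ID.
   Returns 0 on failure. */
UINT open_filter_for_registered_message(void) {
    UINT id = RegisterWindowMessageW(L"Example.CrossIntegrity.Command");
    if (id == 0 || !ChangeWindowMessageFilter(id, MSGFLT_ADD))
        return 0;
    return id;
}
#endif
```

ChangeWindowMessageFilter changes the filter for the whole process, so every window in the process that handles the allowed ID needs the same validation.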