Gammy Knee

Along with a lot of other people, I've noticed that attempts to set the journalling hooks (WH_JOURNALPLAYBACK, WH_JOURNALRECORD) get knocked back with access denied on CTP 5270.

Is this down to the new Vista security policies?


Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MJTNET

I'm having the same issue and posted a message here:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=201352&SiteID=1&mode=1

I posted that three months ago and as yet there has been no useful reply.











Re: Security for Applications in Windows Vista Journaling hooks on Vista?

Gammy Knee

Well, it's the same in the Feb CTP, 5308 - which is supposedly feature complete.

Please can someone from MS tell us definitively whether we have to start recoding our software if it uses JournalRecordProc?




Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MJTNET

Yes, will someone, PLEASE, respond. Does anyone from Microsoft actually read these forums!







Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MJTNET

I think I might have found the reason and potential solution:

http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/AccProtVista.asp

A lower privilege process cannot:

  • Perform a window handle validation of higher process privilege.
  • SendMessage or PostMessage to higher privilege application windows. These application programming interfaces (APIs) return success but silently drop the window message.
  • Use thread hooks to attach to a higher privilege process.
  • Use Journal hooks to monitor a higher privilege process.

Having read this article I think I understand it that all processes run as lower privilege processes unless otherwise instructed via the new requestedExecutionLevel element of the manifest file.

So to solve this issue it would appear the user will have to be an administrator and you would need to include the new manifest instruction.

Haven't tried it yet, but will report back when I have.

If this is the only solution it is a bit of a nightmare as it means users must be admins to run the software! I hope someone at Microsoft does eventually take the time to read this thread (it would appear Microsoft ignore this forum) and considers allowing journal hooks in regular processes otherwise a whole host of existing applications are no longer going to work!







Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MJTNET

Hi,

Well, I followed the instructions in that article to the letter. No luck. It actually gets worse.

I am logged in as an administrator. I modified my EXE with PE Resource Explorer and changed the manifest resource to include the security attributes as in the example. I checked that I didn't mess up by running it in XP and it ran fine. When I run it in Vista I now get "Access Denied" on the command line! I then changed the manifest resource completely by replacing the entire resource entry with the whole sample from the article. Same thing - "Access Denied".

M :-(





Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MJTNET

Update - changed the manifest slightly. This time no "access denied" error and the exe started, but the original problem persists. :-(





Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MJTNET

I have now tried a few more things:

1. run secpol.msc and go into Local Policies/Security Options and modify User Account Control to disable running as normal users.

No joy.

2. Simple one - Right Click on the exe and select Run As Administrator. You get the warning asking you to permit it to run.

No joy.

3. Make the exe run in Win XP SP2 compatibility mode (right click on shortcut).

No joy.








Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MJTNET

Getting there! Step 1 above does work, but requires a reboot after.

Run secpol.msc - Local Policies/Security Options and modify User Account Control to disable running as standard users (so if you are logged in as admin apps will now always run as admin). Reboot. The journal hook now works!

This is clearly not an ideal solution, of course, as this requires users to make a system wide security change that flies in the face of the new UAC system. It should be possible to use a manifest resource to tell the system that the app needs to run as admin and then you don't need to disable running as standard user in - the system will prompt (if prompting enabled in UAC) and then run the app as admin. But so far I haven't been able to make that work. For now, disabling run as standard user can only be seen as a workaround.

M/





Re: Security for Applications in Windows Vista Journaling hooks on Vista?

timbador

Step 1. does work! ...and now Visual Test Automation is running. Hooray! A 1000 Thanks MJTNET. whew!!!!!



Re: Security for Applications in Windows Vista Journaling hooks on Vista?

THoffman

MJTNET wrote:
Update - changed the manifest slightly. This time no "access denied" error and the exe started, but the original problem persists. :-(

I disabled the security setting as well to get it to work, but wasn't happy with that. I asked a few questions, and got an answer. I then found this article which explains how to do it as well, though I only found it because I knew the solution ahead of time.
Basically, you need to not only include requireAdministrator, but change uiAccess to True, not false as in the original sample. The sample on the link I just sent sets the requested level to "highestAvailable" and uiAccess to True. I tried mine with "requireAdministrator," since I tried it before I found that document, and that seems to work, though I haven't fully tested it yet.
Once you embed the manifest in the EXE, you have to sign the code, which isn't hard to do, but you need a code signing certificate to do it.
Assuming you have the ability to sign code, there are two ways to get VisualTest working. First, you can edit mtrun.exe, add the resource, then sign it. Alternatively, you can use your own app to launch mtrun.exe, which is the way I've done it. I already had a launcher app that I wrote to (among other things) avoid having to install the runtime modules on every system I want to run my tests on, so it was just a matter of adding the manifest, compiling, and signing.
I haven't done much testing with it yet, but the Visual Test play statement works, which was the first place I'd seen the problem.





Re: Security for Applications in Windows Vista Journaling hooks on Vista?

THoffman

I added the complete manifest to the Visual Test launcher I wrote. It works fine in Vista. However, in XP, if I run it twice, it causes a BSoD. I created a simple app that just displays a message box, put the manifest in it, and ran it (without signing). It crashes XP the second time I run it.
I'm looking into this to find out which part of the manifest is causing the crash in XP and will post what I find. Again, it seems to be fine in Vista. So, worst case would be having two VT launchers, one for XP and one for Vista.
--
Troy





Re: Security for Applications in Windows Vista Journaling hooks on Vista?

THoffman

Just in case anybody's still following this:
Thanks to this thread http://groups.google.com/group/microsoft.public.dotnet.languages.vc/browse_frm/thread/be9473ee5e243848/, I found that the problem isn't in the XML, but in Visual Studio 2005.
I wound up doing this to get it to work:
1) Create a resource in the project of custom type RT_MANIFEST and an ID of 1.
2) Paste the XML file directly into the resource.
3) Tell the manifest tool not to embed the manifest (project properties/configuration properties/manifest tool/input and output/embed manifest=no).
4) Build the EXE.
5) Sign the EXE.
It's still frustrating that it crashes if I have VS 2005 create the manifest resource, but at least it works in Vista without crashing XP.
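
The manifest that THoffman's two posts above describe (requireAdministrator with uiAccess set to true, embedded as RT_MANIFEST resource ID 1, then signed), written out as an added example; it is not taken from the thread or from the articles it links to. The manifest file name in the comment is a hypothetical placeholder, and the `asm.v3` namespace is the one used in current documentation.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example, not code from the thread.
     Embed as resource type RT_MANIFEST with ID 1 (step 1 above).
     In a .rc script that is a single line such as:
         1 RT_MANIFEST "launcher.exe.manifest"
     (hypothetical file name). -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- Setting that did not fix the hook in this thread
             (elevated, but still blocked from other processes' UI):
             <requestedExecutionLevel level="requireAdministrator"
                                      uiAccess="false"/> -->

        <!-- Setting reported to work:
             level    "requireAdministrator" always requests the full
                      administrator token and triggers the UAC prompt;
                      "highestAvailable" is the alternative mentioned
                      in the thread.
             uiAccess "true" exempts the process from the message and
                      hook restrictions quoted earlier in the thread.
                      Windows honours it only when the EXE carries a
                      valid code signature, which is why step 5
                      (signing) is not optional. -->
        <requestedExecutionLevel level="requireAdministrator"
                                 uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

Because uiAccess lets one process drive the UI of higher-privileged ones, it is best granted to the smallest possible binary, such as a dedicated launcher, rather than to a whole application. On release builds of Vista the default policy "User Account Control: Only elevate UIAccess applications that are installed in secure locations" additionally requires the signed EXE to live under a protected directory such as Program Files.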





Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MFred

Hi everybody,

I've just tried what THoffman said with the manifest/code signing, but it seems it doesn't work so well. I also put the flag "Compatibility->Run as Admin" for mtrun.exe.
In my VisualTest script, I get a "Cannot set playback hook" with the function "WMenuSelect".

Can someone help, please! Or simply send a modified version of mtrun.exe.

Thx




Re: Security for Applications in Windows Vista Journaling hooks on Vista?

MFred

Hi again,

I've tried something else.
If I put 2 of the UAC-Policies on disable, VisualTest works fine, even the ScenarioRecorder works!!
The 2 Policies I disabled are:
- UAC: Run all administrators in Admin...
- UAC: Switch to the secure desktop ....

I'm still searching if I could make it work without any changes in the policies, but using a manifest-file for mtrun.exe.

Any ideas ! !

Thx