What is User Interface Privilege Isolation (UIPI)
This is also known as UI Privilege Level Isolation (UIPI).
As part of the secure initiatuve in Vista, applications with UI will run in three different levels of privilege. Application windows can interact with others windows of the same or lower levels, but cannot interact with applications at higher level/permission.
Lower privilege modes can send messages to higher privileged applications only if explicitly allowed by the higher privilege application with a message calling ChangeWindowMessageFilter(). Also lower privileged applications can only read a HWND owned by a higher privileged application.
Internet Explorer is an example process that runs at the lowest privilege level.
UIPI prevents lower privilege processes from accessing higher privilege processes by blocking the following behavior.
A lower privilege process cannot:
- Perform a window handle validation of higher process privilege.
- SendMessage or PostMessage to higher privilege application windows. These application programming interfaces (APIs) return success but silently drop the window message.
- Use thread hooks to attach to a higher privilege process.
- Use Journal hooks to monitor a higher privilege process.
- Perform dynamic link library (DLL)–injection to a higher privilege process.
With UIPI enabled, the following shared USER resources are still shared between processes at different privilege levels.
- Desktop window, which actually owns the screen surface
- Desktop heap read-only shared memory
- Global atom table