FOR IMMEDIATE RELEASEEditorial Contacts: Tracy Chang
For further information, please contact
Innovation Management Group, Inc.
Luckily there have not been too many issues that pop up regarding the UIPI approach used in Windows since the release of Windows Vista. Many issues can be resolved in a satisfactory way by turning off User Account Control (UAC). In cases where the security or policy requires UAC to remain on, the next simplest solution is to run My-T-Soft as an Administrator. Since version 1.79, all possible executable options are included with the release software - executables built with the manifest set with asInvoker, highestAvailable, and requireAdministrator. My-T-Soft ships with the asInvoker setting, which is the most secure and the recommended option. However, in a secure environment, any elevated process will not be able to receive input when UIPI prevents My-T-Soft from sending input (i.e. keystrokes) due to privilege isolation. The following explains what is going on in the context of running My-T-Soft when a UIPI situation arises preventing normal / expected operation of My-T-Soft.
Typically, a user runs applications/programs and My-T-Soft in the security context of themselves as a logged on user, and everything works as expected. However, executables can include a manifest to tell the operating system how to treat the security and access privileges when running the program. For example, Setup/installation programs typically raise the privilege level to Administrator so that the operations required will run without further warnings. When User Account Control is on, the user will be presented with a dialog requiring the user to acknowledge or enter a password to continue. If a security application or other tool is run in the context of an Administrator, the privilege isolation prevents processes running in a different security context (i.e. the limited, logged on user) from accessing or interacting with the raised privileged Administrator application. What this means in practice, is that My-T-Soft will not be able to type into an Admin privileged executable when My-T-Soft is being run in the context of the limited user. And this can cause confusion, because Windows does not make any distinction once the application is run & the dialog/password acknowledged. To the average Windows user, who may get used to the occassional security dialog, there will be no connection between the fact that they raised the privilege level of an application and the fact that they cannot interact with it using My-T-Soft like other normal privileged applications.
In some cases, users may wish to run the highestAvailable or requireAdministrator tagged My-T-Soft executables, so the privilege level will be raised when My-T-Soft is run, and operation during the logged on session will be as the user desires. This can be done by modifying the startup shortcut, or simply creating a new shortcut, or renaming the executable, e.g. rename MYTSOFT.highestAvailable.exe to MYTSOFT.exe. In cases where My-T-Soft is running in an elevated privilege state, there can be issues with Developer's Kit utilities - typically when these are run, they are run in the context of the logged on user, and have that privilege level. However, if My-T-Soft is elevated, then it may not be visible/accessible by the Developer's Kit utilities. As a real world example, an OEM uses the elevated executable, and their customer was moving from a workstation to a remote session with a limited user, and then could not get the utilities to operate. After outlining the UIPI issues (which seemed foreign and made no sense to the customer at the beginning of the process), explaining that the limited user was running the Developer's Kit utilities and could not interact with the elevated My-T-Soft executable helped, but it took a detailed walk through from the point of view of security, privileges, and emphasizing that a lower level process could not interact with the Administrator process (simply not allowed) to connect the dots. Luckily in this case, running My-T-Soft as the lower level/logged on user resolved the problem.
As detailed, current releases provide all options to help resolve different situations that can arise using My-T-Soft, but understanding the User Interface Privilege Isolation is important due to the fact that My-T-Soft is a user interface tool.