
I run a (C#) service that sends keyboard output to other UI applications, like a virtual keyboard would do.

Windows security (more precisely UIPI) restricts my service from doing this.

To bypass UIPI, I've created a manifest for my service with the UIAccess flag set to "true":

```xml
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
    <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <requestedExecutionLevel level="asInvoker" uiAccess="true" />
    </requestedPrivileges>
  </security>
</trustInfo>
```

According to the documentation, the service must respect two conditions to be elevated to UIAccess:

  1. The service must be digitally signed
  2. The service must be run from a secure location (only R/W access for administrators, like C:\Program Files)

My service respects those two conditions.

When I try to start my service, I get the following error:

Error 740: The requested operation requires elevation

I thought my service would get automatic elevation and be capable of running with UIAccess. What am I missing?

Additional information:

  • The service is running under the Local System account
  • The service is running with "asInvoker" execution level
  • I've tried to disable the following local policies: "Only elevate UIAccess applications that are installed in secure locations" and "Only elevate executables that are signed and validated"
Oswin
    Services run in a [separate *session*](https://msdn.microsoft.com/en-us/library/windows/hardware/dn653293(v=vs.85).aspx). Nothing to do with UIPI. You need some other component running within the session of the user(s) who you wish to interact with, that can then contact the service via some RPC mechanism, if in fact the service is still required. – Damien_The_Unbeliever Nov 27 '17 at 10:00
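
A diagnostic for the situation discussed above, as an added example that is not part of the original question or comment: it reports which session the current process token belongs to and whether that token carries the UIAccess flag. The class and method names are illustrative; the Win32 calls used are `OpenProcessToken`, `GetTokenInformation` and `WTSGetActiveConsoleSessionId`.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class UiAccessDiagnostics   // illustrative name, not from the original post
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenSessionId = 12;  // TOKEN_INFORMATION_CLASS value
    const int TokenUIAccess = 26;   // TOKEN_INFORMATION_CLASS value

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out uint value, uint length, out uint returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    [DllImport("kernel32.dll")]
    static extern uint WTSGetActiveConsoleSessionId();

    // Both token fields queried here are returned as a single DWORD.
    static uint QueryDword(IntPtr token, int infoClass)
    {
        if (!GetTokenInformation(token, infoClass, out uint value, sizeof(uint), out _))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return value;
    }

    // Returns one line suitable for a service log or a console window.
    public static string Describe()
    {
        if (!OpenProcessToken(Process.GetCurrentProcess().Handle, TOKEN_QUERY, out IntPtr token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            uint session = QueryDword(token, TokenSessionId);
            bool uiAccess = QueryDword(token, TokenUIAccess) != 0;
            string note = session == 0
                ? "session 0: no interactive user desktop in this session"
                : (uiAccess ? "token has UIAccess" : "token lacks UIAccess");
            return $"pid={Process.GetCurrentProcess().Id} session={session} " +
                   $"consoleSession={WTSGetActiveConsoleSessionId()} uiAccess={uiAccess} ({note})";
        }
        finally { CloseHandle(token); }
    }

    static void Main() => Console.WriteLine(Describe());
}
```

Logging `Describe()` from the service and running the same code from an interactive prompt shows the two session IDs side by side.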

0 Answers