
While we all got tangled up in this topic, it came to light that, while UWP apps do have top level windows and you can send (sensible) messages to them (*), and these do get through and have the expected effect, Spy++ doesn't ever seem to see those messages, or indeed any others that Windows itself might send.

Can anyone shed any light on this?

Just to provide a bit of background, Spy has no problem locating and inspecting these windows (the 'Finder Tool' works just fine) but message logging is totally mute. I have tested the Settings App, the On Screen Keyboard, Calendar and Calculator, and I did tick all the appropriate 'Additional windows' checkboxes in Spy. I also used Process Explorer to check that Spy runs at 'High Integrity Level' (because it runs elevated, presumably), and it does.

(*) Yes, I know we're not supposed to but, well, you know.

Paul Sanders
  • Spy++ requires SetWindowsHookEx() to work. Microsoft has lots of good reasons to make it fail on a UWP corewindow, given that it would be an easy way to bypass the sandbox restrictions. – Hans Passant May 20 '18 at 21:04
  • I believe the reason is due to the [Process Mitigation Policy](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx) being set to [disable win32k calls](https://msdn.microsoft.com/en-us/library/windows/desktop/hh871472(v=vs.85).aspx) – Peter Torr - MSFT May 21 '18 at 01:08
  • @HansPassant Nice idea, but I'm not sure I buy that. Spy is trying to break into the sandbox, not out of it, and is privileged, so why not? – Paul Sanders May 21 '18 at 07:26
  • @PeterTorr Thank you, but no. Not according to [mitigationview](https://github.com/fishstiqz/mitigationview) anyway. For Calculator, at least: `DisallowWin32kSystemCalls 0`. And [here](http://hitcon.org/2012/download/0720A5_360.MJ0011_Reversing%20Windows8-Interesting%20Features%20of%20Kernel%20Security.pdf) we have "After setting `DisallowWin32kSystemCalls`, any call into USER / GDI will fail.", which would stop UWP apps (albeit under the hood) from getting their messages through the usual channels when I have observed that they do in fact receive them. [more] – Paul Sanders May 21 '18 at 07:48
  • So, does Windows 10 have some new, secret, message-passing mechanism for UWP apps? That seems unlikely, hence my curiosity. – Paul Sanders May 21 '18 at 07:48
  • Ah, I think that's only used by Edge child processes, not normal UWPs. – Peter Torr - MSFT May 22 '18 at 02:25
  • @PeterTorr OK, I can see that would make sense. I dug up some new info and added it to my post, what do you think? – Paul Sanders May 22 '18 at 04:54
  • @PeterTorr Solved this now - there's no mystery at all, I just made a silly mistake, see edit. Thanks for your input. – Paul Sanders Jun 11 '18 at 09:59
  • To be fair, that's not silly - as you say, there was zero diagnostic about it. So a very easy thing to miss. – Lightness Races in Orbit Jul 28 '19 at 17:31

1 Answer

Um, embarrassing. You need to use the 64 bit version of Spy to spy on a 64 bit app (and vice-versa). Then it works fine and you get what you expect.

Of course, it would be nice if Spy told you when you try to trace messages in an app of the wrong bitness but it doesn't, so please be warned.

Paul Sanders
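
Since a bitness mismatch produces no diagnostic, it can be checked up front. The following is an added example, not code from the original post: it reads the COFF Machine field of two PE images (the hook-based tool and the target) and reports whether they match. The function names and the sample images are constructed for illustration.

```python
import struct
import sys

# COFF Machine values from the PE/COFF specification.
MACHINE_BITS = {
    0x014C: 32,  # IMAGE_FILE_MACHINE_I386
    0x01C4: 32,  # IMAGE_FILE_MACHINE_ARMNT
    0x8664: 64,  # IMAGE_FILE_MACHINE_AMD64
    0xAA64: 64,  # IMAGE_FILE_MACHINE_ARM64
}


def pe_bitness(image: bytes) -> int:
    """Return 32 or 64 for a PE image, based on its COFF Machine field.

    Caveat: a managed AnyCPU image reports i386 here but can run as a
    64-bit process, so treat the result as the native image bitness only.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of PE header
    if e_lfanew + 6 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    if machine not in MACHINE_BITS:
        raise ValueError(f"unknown machine type 0x{machine:04x}")
    return MACHINE_BITS[machine]


def hook_tool_matches(tool_image: bytes, target_image: bytes) -> bool:
    """True when a hook-based tool and its target have the same bitness."""
    return pe_bitness(tool_image) == pe_bitness(target_image)


def constructed_pe(machine: int) -> bytes:
    """Constructed sample: DOS header stub, PE signature, COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <tool.exe> <target.exe>
        with open(sys.argv[1], "rb") as t, open(sys.argv[2], "rb") as a:
            tool, target = t.read(), a.read()
    else:  # fall back to the constructed 32-bit tool / 64-bit target pair
        tool, target = constructed_pe(0x014C), constructed_pe(0x8664)
    print(f"tool: {pe_bitness(tool)}-bit, target: {pe_bitness(target)}-bit")
    if not hook_tool_matches(tool, target):
        print("bitness mismatch: message logging will stay silent")
```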