Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot use IGraphicsCaptureItemInterop::CreateForWindow with electron apps #111

Closed
YueLu0116 opened this issue Jun 13, 2022 · 6 comments
Closed

Cannot use IGraphicsCaptureItemInterop::CreateForWindow with electron apps #111

YueLu0116 opened this issue Jun 13, 2022 · 6 comments

Comments

@YueLu0116
Copy link

My Windows screen-capture sdk is built on winrt(c++) and work with electron through c++ addons. However, every time I call CreateForMonitor, it will throw an access-deined exception. How can I solve this issue?

Windows version: Windows 10 20H2 (19042.1706)
What I have tried:

  1. run the electron application as Administrator
  2. start the electron app with command line arguements: --no-sandbox
  3. I check the result of GetSidSubAuthority: SECURITY_MANDATORY_HIGH_RID

Some similar but unsolved issues:

  1. winrt::hresult_access_denied in CreateForWindow in some cases #49
  2. Use this Samples with CefSharp has a problem #55
@robmikh
Copy link
Member

robmikh commented Jun 13, 2022

IGraphicsCaptureItemInterop is not available to LowIL callers, which would include the JavaScript process in Chromium. You'll need to either construct the item from at least a MediumIL process and marshal it to the LowIL process or use the newer TryCreateFromWindowId method added in Windows 11.

@YueLu0116
Copy link
Author

IGraphicsCaptureItemInterop is not available to LowIL callers, which would include the JavaScript process in Chromium. You'll need to either construct the item from at least a MediumIL process and marshal it to the LowIL process or use the newer TryCreateFromWindowId method added in Windows 11.

I call GetSidSubAuthority before calling CreateForMonitor and I always get SECURITY_MANDATORY_HIGH_RID. Does it mean the process is HighIL?

@robmikh
Copy link
Member

robmikh commented Jun 14, 2022

How are you calling GetSidSubAuthority? What does it say when you query for TokenIsAppContainer from the process token? Unfortunately, I'm not very familiar with Electron, so I'm not sure how your steps are affecting the environment when we go to inspect the process token on the system side.

@YueLu0116
Copy link
Author

YueLu0116 commented Jun 15, 2022
edited
Loading

@robmikh
Today I query TokenIsAppContainer following your advice. After this query, I call CreateForMonitor and everything works fine. Don't know what happened...

void IsAppContainer() {
	HANDLE hToken = nullptr;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
		DWORD dwSize = 0;
		BOOL fIsAppContainerProcess;
		if (!GetTokenInformation(hToken, TokenIsAppContainer, &fIsAppContainerProcess, sizeof(BOOL), &dwSize) ||
			dwSize != sizeof BOOL) {
			fIsAppContainerProcess = false;
		}
		if (fIsAppContainerProcess) {
			LOG("It is an app container. [fIsAppContainerProcess={}]", fIsAppContainerProcess);
		}
		else {
			LOG("It is NOT an app container. [fIsAppContainerProcess={}]", fIsAppContainerProcess);
		}
	}
	else {
		LOG("OpenProcessToken() error {}\n", (unsigned long)(GetLastError()));
	}
}

Codes for calling GetSidSubAuthority:

DWORD GetProcessIL(TOKEN_INFORMATION_CLASS tokenInfoCls)
{
	DWORD dwRet = 0; {
		HANDLE hToken = NULL;
		if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
			DWORD dwSize = 0;
			// determine information length
			if (!GetTokenInformation(hToken, tokenInfoCls, NULL, 0, &dwSize) &&
				GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
				PTOKEN_MANDATORY_LABEL TokenInfo = (PTOKEN_MANDATORY_LABEL)malloc(dwSize);
				if (TokenInfo) {
					// get an actual information
					if (GetTokenInformation(hToken, tokenInfoCls, TokenInfo, dwSize, &dwSize)) {
						// get the integrity level
						dwRet = *GetSidSubAuthority(
							TokenInfo->Label.Sid,
							(DWORD)(*GetSidSubAuthorityCount(TokenInfo->Label.Sid) - 1)
						);
					}
					else {
						LOG("GetSidSubAuthorityCount() error {}\n", (unsigned long)GetLastError());
					}
					free(TokenInfo);
				}
				else {
					LOG("Token allocation error {}\n", (unsigned long)(GetLastError()));
				}
			}
			else {
				LOG("GetTokenInformation() error {}\n", (unsigned long)(GetLastError()));
			}
			CloseHandle(hToken);
		}
		else {
			LOG("OpenProcessToken() error {}\n", (unsigned long)(GetLastError()));
		}
	}
	return dwRet;
}

@w0nche0l
Copy link

Hi @YueLu0116, so this worked after you called both of those functions? Is it that you stopped calling it as an admin?

This was referenced Nov 2, 2023
Open
Closed
@Lijian1122
Copy link

Hi @YueLu0116, so this worked after you called both of those functions? Is it that you stopped calling it as an admin?

Do you resolve this problem when as admin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@w0nche0l @robmikh @Lijian1122 @YueLu0116