NVDA is unable to hook into metro apps #1801

nvaccessAuto opened this Issue Sep 17, 2011 · 4 comments


None yet
1 participant

Reported by mdcurran on 2011-09-17 06:11
Whether or not NVDA has the uiAccess privilages, it is not able to inject into the processes of metro apps. This means that:

  • There is no typed characters spoken,
  • No chance of display model information,
  • No virtualBuffers.
    We currently try to inject in to any app via an in-process winEvent hook. We may be able to investigate other tricks like opening the process and creating a remote thread, though if thei're not allowing winEvents, then they're probably not allowing openProcess.
    We'll have to find out Microsoft's plans for this security-wize.

Comment 2 by mdcurran on 2012-03-11 07:06
Further technical info:

  1. SetWinEventHook does allow for hooking in to metro apps on Windows 8 but it seems that Windows itself when loading the dll containing the hook into each process, is not loading with the LOAD_AS_ALTERED_PATH, which means that if the dll is linked against any other dll which should be found in the same directory, this second dll is never found and therefore the load fails. The hook is not executed in-process, instead the dll is never loaded and the hook is executed out-of-process.
    nvdaHelperRemote.dll links against minhook.dll, which is located in the same directory. Windows cannot locate minhook.dll in Metro apps.
    We can solve this issue by loading minhook.dll from nvdaHelperRemote.dll using LoadLibrary and then mapping the symbols with getProcAddress, rather than linking against it.
    However, we have requested that Microsoft fix this... so we shall see what happens.
  2. Apps from the Windows store, and the content process of the Metro-style Internet Explorer, and the included metro apps (Store, Calendar etc) are all run with a new appContainer integrity level. This integrity level is a new level lower than the previous lowest one (low) which has always been used for content processes in Internet Explorer (protected mode).
    NVDA cannot function at all well in-process when the process has the appContainer integrity level. RPC client requests seem to fail, they are extremely hard to debug, oddly even the Beep function does not even work.
    We have requested further info from Microsoft in regards to exactly what does and does not work in appContainer integrity. However it may end up being that we just cannot function in these situations in-process and therefore will have to resort to out-of-process forms of interaction in these apps (including Internet Explorer metro app). Relying on UI Automation in these situations may improve the experience a little.

Comment 3 by mdcurran on 2012-04-10 23:57
Some ongoing work for injection in to metro apps in this branch:
Not finished yet.

  • Loading of minHook has been fixed: Minhook is now marked as a delay loaded dll, but before any function from minHook is called, LoadLibrary is used to load it manually using an absolute path.
  • Inproc code can now contact NVDA's rpc server: RpcUseProtseqEp and the new RpcServerRegisterIf3 functions needed to take a security descriptor who's DACL allowed generic all for the AC sid (AppContainer integrity level).
    • NVDA's process and the injectionDoneEvent event needed to have a security descriptor who's DACL allowed synchronize (0x100000) for the AC sid (AppContainer integrity level) so that code in an AppContainer could wait on both our process and the event as expected.

NVDA can now at least speak typed characters (and I assume report input lang changes) in Metro apps.

But! Still no success with running an rpc server from within an AppContainer, therefore no virtualBuffers or displayModel yet. Still working on it.

also the security descriptors used are way too wide open (a part from allwoing AppContainer level, they are allowing generic all for all authenticated users, as I can't yet find a simple way to do inheritence or defaults)

Comment 4 by mdcurran on 2012-04-20 07:54
Hooking in to metro style apps is now complete, giving support for speak typed characters, displayModel (if GDI is used) and browse mode for web documents (including full support for the metro version of Internet Explorer 10). Note though that NVDA can only hook in to metro apps if it has the UIAccess privilidge meaning that snapshots and any portable copies cannot do this, only just installed copies that are signed.
Merged in 54b96a9.
State: closed

Comment 5 by mdcurran on 2012-04-20 07:55
Milestone changed from near-term to 2012.2

@nvaccessAuto nvaccessAuto added the bug label Nov 10, 2015

@nvaccessAuto nvaccessAuto added this to the 2012.2 milestone Nov 10, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment