Skip to content

/nvda

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use uiAccess in Windows Vista and beyond #397

Closed
nvaccessAuto opened this issue Jan 1, 2010 · 4 comments
Closed

Use uiAccess in Windows Vista and beyond #397

nvaccessAuto opened this issue Jan 1, 2010 · 4 comments
Assignees
@michaelDCurran
Labels
enhancement
Milestone
2009.1

Comments

@nvaccessAuto
Copy link

@nvaccessAuto nvaccessAuto commented Jan 1, 2010

Reported by jteh on 2009-08-23 10:09
In Windows Vista and beyond, an AT can set a uiAccess field in its manifest to specify whether it should gain additional privileges to access the UI of other applications. This is needed to access elevated applications; i.e. running as administrator. However, due to the security concerns this raises, the application must be signed with a trusted security certificate. We can't afford a cert signed by a trusted root CA at this stage. However, we have found a way to register a trusted root cert in the installer. NVDA should then use the uiAccess privilege wherever possible.
@nvaccessAuto

This comment has been minimized.

Sign in to view
Copy link
Author

@nvaccessAuto nvaccessAuto commented Jan 1, 2010

Comment 1 by jteh on 2009-10-29 03:21
Change of approach. NV Access has purchased a cert signed by a trusted root CA, so we will sign releases with that. Snapshots will not be signed, as we make no guarantees about snapshots.

A new option, --enable-uiAccess, has been added to setup.py's py2exe command to enable uiAccess for nvda.exe. This should only be used if it will subsequently be signed by a trusted cert. This hasn't yet been merged into main; bzr branch: http://bzr.nvaccess.org/nvda/uiAccess/

I have updated the build scripts to enable uiAccess and sign the executables.

We need to allow certain messages through the message filter so that Java Access Bridge will work when NVDA is running with uiAccess. Mick is working on this.
@nvaccessAuto

This comment has been minimized.

Sign in to view
Copy link
Author

@nvaccessAuto nvaccessAuto commented Jan 1, 2010

Comment 2 by jteh on 2009-11-03 08:34
We needed to make a few other changes to get this working properly. The problem is that Windows won't allow uiAccess apps to run with uiAccess if they aren't in trusted system locations. The shell can start uiAccess applications outside of these locations (but doesn't give them uiAccess privs), but running the process in other ways fails. This means that portable copies cannot have uiAccess and that the installer must use !ShellExecute to start NVDA. Also, the service has to set uiAccess in the token in order to start a uiAccess application. Finally, giving uiAccess to the 64 bit nvdaHelperRemoteLoader required using NVDA's own process token with !CreateProcessAsUser. All of these changes are in the aforementioned bzr branch and will be merged soon.

TODO: Change the build script to enable uiAccess for installer but not for portable.
@nvaccessAuto

This comment has been minimized.

Sign in to view
Copy link
Author

@nvaccessAuto nvaccessAuto commented Jan 1, 2010

Comment 3 by jteh on 2009-11-04 04:34
uiAccess branch merged in r3351.
@nvaccessAuto

This comment has been minimized.

Sign in to view
Copy link
Author

@nvaccessAuto nvaccessAuto commented Jan 1, 2010

Comment 4 by jteh on 2009-11-04 06:12
Build script updated and tested. I think this is good to go.
Changes:
State: closed
@nvaccessAuto nvaccessAuto added this to the 2009.1 milestone Nov 10, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelDCurran michaelDCurran

Labels
enhancement
Projects
None yet
Milestone
  2009.1
2 participants
@nvaccessAuto @michaelDCurran
You can’t perform that action at this time.