
delphi - SetWindowsHookEx for WH_JOURNALRECORD fails under Vista/Windows 7

Repost. Author: 行者123. Updated: 2023-12-03 14:47:37

I am preparing a Delphi module that sets a hook in a thread to record a macro:

FHandleRec  := SetWindowsHookEx(WH_JOURNALRECORD, FRecordProc, HInstance, 0);
FHandlePlay := SetWindowsHookEx(WH_JOURNALPLAYBACK, FPlayProc, HInstance, 0);

This works fine on WinXP, but on Vista/Windows 7 it fails with ERROR_ACCESS_DENIED. I found in Google (this) a reference to (that). The quote:

A lower privilege process cannot: … Use Journal hooks to monitor a higher privilege process.

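Tried without success:

  1. Running the application as administrator. Probably the thread is started with lower privileges than the main thread (though I'm not 100% sure).
  2. Impersonating the thread with an administrator security context doesn't help either.

Code sample: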

if LogonUser(PWideChar(sAdminUser), PWideChar(sDomain), PWideChar(sPwd),
  LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, hToken) then
begin
  if not ImpersonateLoggedOnUser(hToken) then
    raise Exception.Create('Error impersonating the user');
end;
FHandleRec := SetWindowsHookEx(WH_JOURNALRECORD, FRecordProc, HInstance, 0);

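LogonUser and ImpersonateLoggedOnUser execute without errors.

Other possibilities to try:

  1. Turn UAC off permanently. This helps, but I can't force the module's users to do that.
  2. The module's customer signs the application and puts it in a trusted location. Not tried, but it makes the module much more complicated for users.
  3. Put the module into some signed application and distribute the EXE. That would break some core functionality.

Could you please show code that sets the hook under Vista/Windows 7, or suggest a working solution?

Best answer

Read the "User Interface Privilege Isolation" section of that article again, more carefully. It refers to integrity levels, not user permissions. That is why impersonating another user does not solve the problem. The integrity level is established when the process first starts and cannot be changed dynamically in code.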

User Interface Privilege Isolation (UIPI) is one of the mechanisms that helps isolate processes running as a full administrator from processes running as an account lower than an administrator on the same interactive desktop. UIPI is specific to the windowing and graphics subsystem, known as USER, that supports windows and user interface controls. UIPI prevents a lower privilege application from using Windows messages to send input from one process to a higher privilege process. Sending input from one process to another allows a process to inject input into another process without the user providing keyboard or mouse actions.

Windows Vista implements UIPI by defining a set of user interface privilege levels in a hierarchical fashion. The nature of the levels is such that higher privilege levels can send window messages to applications running at lower levels. However, lower levels cannot send window messages to application windows running at higher levels.

The user interface privilege level is at the process level. When a process is initialized, the User subsystem calls into the security subsystem to determine the desktop integrity level assigned in the process’s security access token. The desktop integrity level is set by the security subsystem when the process is created and does not change. Therefore, the user interface privilege level is also set by the User subsystem when the process is created and does not change.

All applications run by a standard user have the same user interface privilege level. UIPI does not interfere or change the behavior of window messaging between applications at the same privilege level. UIPI comes into effect for a user who is a member of the administrators group and may be running applications as a standard user (sometimes referred to as a process with a filtered access token) and also processes running with a full administrator access token on the same desktop. UIPI prevents lower privilege processes from accessing higher privilege processes by blocking the behavior listed below.

  • Use Journal hooks to monitor a higher privilege process.

According to this article, your app needs a UAC manifest that specifies requestedExecutionLevel=requireAdministrator and uiAccess=True. The UIAccess right is important:

By specifying UIAccess=”true” in the requestedPrivileges attribute, the application is stating a requirement to bypass UIPI restrictions ... A process that is launched with UIAccess rights:

  • Can set journal hooks.

Regarding delphi - SetWindowsHookEx for WH_JOURNALRECORD fails under Vista/Windows 7, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/9165666/
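
A diagnostic for the answer's point that the integrity level and the UIAccess right belong to the process token, not to an impersonated thread. This is an added example, not code from the original question or answer; the program and helper names are hypothetical, and it assumes a Delphi version whose Windows unit declares TokenIntegrityLevel and TokenUIAccess.

```delphi
program CheckHookRights;   // hypothetical name; added example, not from the post
{$APPTYPE CONSOLE}
// Assumes the Windows unit declares TokenIntegrityLevel and TokenUIAccess.
uses Windows, SysUtils;

// Reads one information class from the *process* token. The quoted article
// ties the UI privilege level to the process, so a thread impersonation
// token (ImpersonateLoggedOnUser) is deliberately not consulted here.
procedure QueryProcessToken(InfoClass: TTokenInformationClass;
  Buf: Pointer; BufLen: DWORD);
var
  hTok: THandle;
  Ret: DWORD;
begin
  if not OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, hTok) then
    RaiseLastOSError;
  try
    if not GetTokenInformation(hTok, InfoClass, Buf, BufLen, Ret) then
      RaiseLastOSError;
  finally
    CloseHandle(hTok);
  end;
end;

// Integrity RID: $1000 low, $2000 medium, $3000 high, $4000 system.
function ProcessIntegrityRid: DWORD;
var
  Buf: record
    Lbl: TSIDAndAttributes;          // TOKEN_MANDATORY_LABEL layout
    SidData: array[0..63] of Byte;   // room for the SID the label points to
  end;
begin
  QueryProcessToken(TokenIntegrityLevel, @Buf, SizeOf(Buf));
  Result := GetSidSubAuthority(Buf.Lbl.Sid,
    GetSidSubAuthorityCount(Buf.Lbl.Sid)^ - 1)^;
end;

function ProcessHasUIAccess: Boolean;
var
  Flag: DWORD;
begin
  QueryProcessToken(TokenUIAccess, @Flag, SizeOf(Flag));
  Result := Flag <> 0;
end;

begin
  Writeln(Format('Process integrity RID: $%x', [ProcessIntegrityRid]));
  Writeln('Token has UIAccess: ', ProcessHasUIAccess);
end.
```

Logging these two values just before the SetWindowsHookEx call shows which of the two conditions from the answer is missing when ERROR_ACCESS_DENIED comes back: "Run as administrator" raises the integrity RID but leaves UIAccess false unless the manifest requests it.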
