HaO 2023-07-13:

Goal

Send keystrokes from a TCL application to other applications and the Windows login password field

Application

My company authors integration software where data scanned by barcode scanners are handled and sent to other programs.

Background

Using TWAPI, one may send keystrokes to the foreground program. Here is a simple test line sending an "a" (this is over-complicated and TWAPI can do it better, but it is only meant for test procedures with maximum control):

    twapi::send_input [list [list key 65 0x1e]]

I wrap the script using basekits from Ashok [L1]; the test file is "tclkit-gui-8_6_13-twapi-4_7_2-x86-max.exe".

If the program is started as a normal user, it can send keystrokes to other user programs, but not to elevated programs. If the program is started with Administrator rights, it can send keystrokes to all user programs and administrator programs.

If you lock the screen, you may open the login screen of Windows while the program is running. You can change from the picture screen to the password entry screen using the program. But you cannot enter any data into the password entry field to unlock the session.

The situation is the same if you run the program as a Windows service.

Assistive technology

Assistive technology may help you to handle your computer and allows programs to send keystrokes to any program including the login password screen. You may test this using the on-screen keyboard. It also works within the login password screen.

Programs for assistive technology have the manifest switch uiAccess set to true [L2]. The standard wish and starkit manifest contains the following trust information (use ResHacker.exe to extract):

    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
            <requestedPrivileges>
                <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
            </requestedPrivileges>
        </security>
    </trustInfo>
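
To read these settings from an executable without a resource editor, the following added example (not part of the original page, TWAPI or the basekits) searches the file's bytes for the embedded manifest and reports level and uiAccess. It assumes the manifest is stored as plain UTF-8 XML text; the function names and the sample bytes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: stand-in for an .exe, with binary padding around a
# manifest carrying the trustInfo block shown above (uiAccess set to true).
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 32 +
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b'<requestedPrivileges>'
    b'<requestedExecutionLevel level="asInvoker" uiAccess="true">'
    b'</requestedExecutionLevel></requestedPrivileges></security></trustInfo>'
    b'</assembly>' + b"\x00" * 16
)

# Assumption: the manifest sits in the file as plain XML text, so it can be
# found in the raw bytes. The optional prefix covers <asmv1:assembly>.
_MANIFEST = re.compile(rb"<(?:\w+:)?assembly[\s>].*?</(?:\w+:)?assembly>", re.DOTALL)


def trust_info(data: bytes):
    """Return {'level': str or None, 'uiAccess': bool} for the first embedded
    manifest that has a requestedExecutionLevel element, else None."""
    for match in _MANIFEST.finditer(data):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # text that only looked like a manifest
        for elem in root.iter():
            # Compare local names only: trustInfo is seen in asm.v2 and asm.v3.
            if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return {
                    "level": elem.get("level"),
                    # Only the value "true" requests UI access.
                    "uiAccess": elem.get("uiAccess", "false").strip().lower() == "true",
                }
    return None


def trust_info_from_file(path):
    """Same check for a file on disk, e.g. a wrapped starkit executable."""
    with open(path, "rb") as fh:
        return trust_info(fh.read())


if __name__ == "__main__":
    print(trust_info(SAMPLE_EXE))
```

Run over a directory of executables, this gives a quick inventory of which binaries ask for uiAccess, which is useful when reviewing what is allowed to inject input across privilege levels.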

You may use ResHacker.exe to change this to uiAccess="true". The result was a smaller executable that no longer started. So I asked Ashok to build a starkit with this set from scratch. The error message at startup is normal and will always show up if the executable is not signed with a certificate that chains to the trusted root certificates.

The error message looks like this: [image: win_error_message_uiaccess_true_not_signed.png]