Clipboard Gadget wants to know
why normal processes can kill elevated processes via
TerminateProcess,
yet they cannot do a trivial
ShowWindow(hwnd, SW_.
"Only explorer seems to be able to do so somehow."
There are several questions packed into this "suggestion." (As it happens, most of the suggestions are really questions; the suggestion is "I suggest that you answer my question." That's not really what I was looking for when I invited suggestions, but I accept that that's what I basically get.)
First, why can normal processes kill elevated processes?
The
kernel-colored glasses
answer is
"because the security attributes for the process grants
the logon user
PROCESS_ access."
Of course, that doesn't really answer the question; it just moves it to another question: Why are elevated processes granting termination access to the logged-on user?
I checked with the security folks on this one.
The intent was to give the user a way to
terminate a process that they elevated
without having to go through another round of elevation.
If the user goes to Task Manager, right-clicks the application,
and then selects "Close",
and the application doesn't respond to WM_CLOSE,
then the
"Oh dear, this isn't working, do you want to try harder?" dialog box
would appear,
and if the user says "Go ahead and nuke it," then we should go ahead
and nuke it.
Note that this extra permission is granted only if the process was elevated via the normal elevation user interface (which nitpickers will point out may not actually display anything if you have enabled silent elevation). The user was already a participant in elevating the process and already provided the necessary credentials to do so. You might say that elevating a process pre-approves it for being terminated. As Bill Cosby is credited with saying, "I brought you into this world, and I can take you out!"
If the process was elevated by some means other than the user interface (for example, if it was started remotely or injected by a service), then this extra permission is not granted (because it is only the elevation user interface that grants it), and the old rules apply.
Phew, that's part one of the question.
Now part two:
Why can't you do a trivial
ShowWindow(hwnd, SW_?
Because that runs afoul of
User Interface Privilege Isolation,
which prevents low-integrity processes from manipulating the
user interface of higher-integrity processes.
My guess is that Clipboard Gadget though that terminate a process is a higher-privilege operation than being able to manipulate it. It isn't. Terminating a process prevents it from doing anything, which is different from being able to make it do anything you want. You might hire a chauffeur to drive you all over town in a limousine, and you can fire him at any time, but that doesn't mean that you can grab the wheel and drive the limousine yourself.
Finally, Clipboard Gadget wants to know how Explorer can minimize
windows.
Explorer does not call
ShowWindow(hwnd, SW_
to minimize windows,
because Explorer is running at medium integrity
and cannot manipulate the windows belonging to high-integrity processes.
Instead, it posts a
WM_
with the request
SC_.
This does not minimize the window;
it is merely a request to minimize the window.
The application is free to ignore this request;
for example, the application may have disabled its Minimize box.
Most applications, however, accede to the request by minimizing the window.
Just like how most chauffeurs will agree to take you to your
destination along the route you specify.
Unless your instructions involving going the wrong way down a
one-way street or running over pedestrians.
But don't fool yourself into thinking that you're driving the limousine.