Closed shuangshu closed 3 years ago
Could you tell us what build of Windows you're trying this on?
We block calls to CreateForWindow and CreateFromMonitor in two cases:
My guess is that the JavaScript engine is being run in a LowIL process and is being blocked.
Hi robmikh, Windows 10 (1903), and the Electron app runs as administrator, IntegrityLevel >= SECURITY_MANDATORY_HIGH_RID
We saw this with CEF on OBS. The issue there was that the Chromium sandbox was not properly disabled, and this function was eventually being called: https://cs.chromium.org/chromium/src/sandbox/win/src/restricted_token_utils.cc?l=341
This was only a problem when running as administrator for whatever reason. We have since submitted a patch to CEF, and moved past this issue. Good luck.
@jpark37 Thanks for the answer, I checked around in the OBS repo and couldn't find much about what you guys discovered.
> We saw this with CEF on OBS. The issue there was that the Chromium sandbox was not properly disabled, and this function was eventually being called: https://cs.chromium.org/chromium/src/sandbox/win/src/restricted_token_utils.cc?l=341
We are seeing "Access Denied" here too using Electron, and running as an administrator.
The call is being made from the 'main' Electron process, which should be equivalent to the "browser" process. According to the Electron docs, it is "privileged and cannot be sandboxed": https://www.electronjs.org/docs/tutorial/sandbox
I've tried running with sandboxing globally disabled using the "--disable-sandbox" flag, but no dice: https://www.electronjs.org/docs/tutorial/sandbox
Is there some Access Token permission that is related to being able to do a screen capture?
I think what is missing from this example, or any of MS's documentation regarding CreateForWindow, is documentation on what privileges are required, and why it might produce Access Denied.
Any more details on what you guys found, and particularly if there was any obvious mitigation, would be greatly appreciated.
These were the two changes that were merged into CEF: https://bitbucket.org/chromiumembedded/cef/commits/438382c5df6bb5a2496acb5e26a8f80dd8a441d5 https://bitbucket.org/chromiumembedded/cef/commits/754b4eefca85c0b4f8961e8a58b2fe840fe5fa34
I know even less about Electron than CEF, so I don't think I'll be of much help.
Sorry to necro this thread, but I'm also seeing this whenever my app is being run as administrator.
@jpark37 when you say "We have since submitted a patch to CEF, and moved past this issue." Do you mean that the patch solved your issue, or that you decided to let it be a known issue?
The patch allows us to solve our issue.
We set CefSettings::no_sandbox to ~~false~~ true:
https://github.com/obsproject/obs-browser/blob/a4e163ec8a156f090f3a0db7e6f992a4adad3bb6/obs-browser-plugin.cpp#L313
And we pass nullptr for windows_sandbox_info to CefInitialize, which now behaves the way we want: https://github.com/obsproject/obs-browser/blob/a4e163ec8a156f090f3a0db7e6f992a4adad3bb6/obs-browser-plugin.cpp#L390
Hello, I am using Node.js to load DLL A, and then DLL A loads DLL B, which internally calls IGraphicsCaptureItemInterop.CreateForWindow, but I encounter winrt::hresult_access_denied. When I use MFC just to load DLL B, the internal call to IGraphicsCaptureItemInterop.CreateForWindow works fine. Is it a program permission problem?
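A diagnostic for the token questions raised in this thread, as an added example that is not code from any participant or from the sample repository: it reports the calling process's mandatory integrity level (the LowIL / SECURITY_MANDATORY_HIGH_RID values discussed above) and whether its token is restricted. The thread does not establish which token property the capture API checks, so this only shows the two properties that were discussed; the function names `IntegrityName` and `CurrentIntegrityRid` are hypothetical.

```cpp
// Added diagnostic example, not code from this thread or the sample repo.
#include <cstdint>
#include <cstdio>
#include <string>

// Map a mandatory-label RID (last sub-authority of S-1-16-<rid>) to a name.
// Thresholds are the SECURITY_MANDATORY_*_RID values from winnt.h.
std::string IntegrityName(uint32_t rid) {
    if (rid >= 0x4000) return "System";
    if (rid >= 0x3000) return "High";    // SECURITY_MANDATORY_HIGH_RID
    if (rid >= 0x2000) return "Medium";
    if (rid >= 0x1000) return "Low";
    return "Untrusted";
}

#ifdef _WIN32
#include <windows.h>
#include <vector>

// Reads the current process token. Returns the integrity RID, or -1 on failure.
long CurrentIntegrityRid(bool* restricted) {
    HANDLE token = nullptr;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)) return -1;
    DWORD len = 0;
    GetTokenInformation(token, TokenIntegrityLevel, nullptr, 0, &len);  // size query
    std::vector<BYTE> buf(len);
    long rid = -1;
    if (len && GetTokenInformation(token, TokenIntegrityLevel, buf.data(), len, &len)) {
        PSID sid = reinterpret_cast<TOKEN_MANDATORY_LABEL*>(buf.data())->Label.Sid;
        rid = static_cast<long>(*GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1));
    }
    *restricted = IsTokenRestricted(token) != FALSE;
    CloseHandle(token);
    return rid;
}

int main() {
    bool restricted = false;
    long rid = CurrentIntegrityRid(&restricted);
    if (rid < 0) { std::puts("could not query the process token"); return 1; }
    std::printf("integrity=%s (0x%lx) restricted_token=%s\n",
                IntegrityName(static_cast<uint32_t>(rid)).c_str(),
                static_cast<unsigned long>(rid), restricted ? "yes" : "no");
    return 0;
}
#endif
```

The result describes the process the code runs in, so to inspect an Electron, CEF or Node.js host, call `CurrentIntegrityRid` from code loaded into that process rather than from a separate executable.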