access_denied in CreateForMonitor in some cases #125

Open
HuntCode opened this issue Nov 2, 2023 · 5 comments

HuntCode commented Nov 2, 2023

Hello,
I developed A.dll with OBS libs (using IGraphicsCaptureItemInterop::CreateForMonitor). A.dll uses the default UAC level, like:
image

Three apps use A.dll :
1) The C# (WPF) app doesn't have a UAC shield. When an Administrator user is logged on to Windows, the app works fine both when run by double click and when run as Administrator. I think the process level is right, so the app works fine. If I switch to a Standard User logon, the app works fine when run by double click, but gets access_denied in CreateForMonitor when run as Administrator; in this case I think the process level or token info is not matched.
2) I also wrote an MFC demo with the default UAC level (asInvoker); the running performance is the same as the C# app.
3) An Electron app through C++ addons (wrapped with A.dll): when run from a non-admin PowerShell, it works fine, but it doesn't work when run from an admin PowerShell (access_denied in CreateForMonitor).

I use VS2022 and log in to Windows as an administrator. I found that when I launch VS2022 and debug the Electron app, it works fine, but it doesn't work when I launch VS2022 as an administrator. The running performance is the same as when run with PowerShell.

So I'm confused, is it a program permission problem?

Some similar but unsolved issues:
  • Cannot use IGraphicsCaptureItemInterop::CreateForWindow with electron apps #111
  • winrt::hresult_access_denied in CreateForWindow in some cases #49

Member

robmikh commented Nov 2, 2023

Generally there are a few conditions where CreateForMonitor can give you an access denied error:

  • MDM policy (if it works at all, it's not this)
  • App container (UWP)
  • LowIL

Aside from that, the API works best if used from the same user account as the interactive session. Using the SYSTEM account or calling from a non-interactive session is not supported at this time.
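
The conditions listed in the comment above, turned into a self-check for the calling process (an added example, not code from this thread or from the project). `CaptureCtx`, `capture_risks` and `collect` are hypothetical names; MDM policy is not checked, account names are compared without the domain, and a zero result does not guarantee that `CreateForMonitor` succeeds.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned long il_rid, session; int app_container;  /* integrity RID; session id; app container flag */
    char proc_user[257], sess_user[257];  /* token account; account logged on to the session */
} CaptureCtx;
enum { LOW_IL = 1, APP_CONTAINER = 2, SESSION_ZERO = 4, OTHER_USER = 8 };
static int same_name(const char *a, const char *b) {  /* account names ignore case */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}
unsigned capture_risks(const CaptureCtx *c) {  /* bitmask of the listed conditions that hold */
    unsigned r = 0;
    if (c->il_rid < 0x2000) r |= LOW_IL;     /* below SECURITY_MANDATORY_MEDIUM_RID (8192) */
    if (c->app_container) r |= APP_CONTAINER;
    if (c->session == 0) r |= SESSION_ZERO;  /* services session, not interactive */
    if (!same_name(c->proc_user, c->sess_user)) r |= OTHER_USER;  /* also true for SYSTEM */
    return r;
}
#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>  /* link with advapi32.lib and wtsapi32.lib */
static int collect(CaptureCtx *c) {
    HANDLE tok; DWORD n, ac = 0; ULONGLONG buf[16]; LPSTR su = NULL;
    memset(c, 0, sizeof *c);
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 0;
    if (!GetTokenInformation(tok, TokenIntegrityLevel, buf, sizeof buf, &n)) { CloseHandle(tok); return 0; }
    PSID sid = ((TOKEN_MANDATORY_LABEL *)buf)->Label.Sid;
    c->il_rid = *GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1);
    GetTokenInformation(tok, TokenIsAppContainer, &ac, sizeof ac, &n);
    c->app_container = ac != 0; CloseHandle(tok);
    ProcessIdToSessionId(GetCurrentProcessId(), &c->session);
    n = sizeof c->proc_user; GetUserNameA(c->proc_user, &n);
    if (WTSQuerySessionInformationA(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION, WTSUserName, &su, &n))
        { strncpy(c->sess_user, su, sizeof c->sess_user - 1); WTSFreeMemory(su); }
    return 1;
}
#endif

int main(void) {
    CaptureCtx c = {0x3000, 1, 0, "admin", "alice"};  /* constructed sample for non-Windows builds */
#ifdef _WIN32
    if (!collect(&c)) return 1;
#endif
    printf("IL=%lu session=%lu flags=0x%x\n", c.il_rid, c.session, capture_risks(&c));
    return 0;
}
```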

Author

HuntCode commented Nov 2, 2023

Thanks for your answer

In my cases, "If I switch Standard User Logon Windows, app works fine when double click run, but access_denied in CreateForMonitor when run as Administrator"

> Using the SYSTEM account or calling from a non-interactive session is not supported at this time.

This is the reason? So even Administrator couldn't capture a standard user's monitor?

Case 3) The only clue I guess is Electron's constraint, but I'm not familiar with it, so I don't know why, when run as admin, CreateForMonitor returns an access denied error. LowIL? How to resolve this issue? Or can I use DXGI?

Member

robmikh commented Nov 3, 2023

Running elevated as the same user shouldn't impact the capture API, but running as a different user will.

You can give DDA a try, it is allowed as the SYSTEM user (and that will allow you to capture the secure desktop).

What are the steps you take to run the application as administrator that causes it not to work? I can't repro this.

Author

HuntCode commented Nov 3, 2023

> Running elevated as the same user shouldn't impact the capture API, but running as a different user will.

Yes, I think this is the reason for my cases 1) and 2); the results are in the table below:

| Windows User | Run as Admin | C# | MFC Demo |
| --- | --- | --- | --- |
| Administrator | asInvoker (double click run) | work fine | work fine |
| Administrator | Admin | work fine | work fine |
| Standard User | asInvoker (double click run) | work fine | work fine |
| Standard User | Admin | don't work | don't work |

The dependence is app->A.dll->OBS libs(use IGraphicsCaptureItemInterop::CreateForMonitor)

This is not my key question, I can understand the reason you point out

> What are the steps you take to run the application as administrator that causes it not to work? I can't repro this.

Sorry, maybe my description is not clear?

In case 3), I write an Electron app through C++ addons (wrapped with A.dll); the dependence is
Electron app->addon.node->A.dll->OBS libs (use IGraphicsCaptureItemInterop::CreateForMonitor)

| Windows User | Powershell | Electron app |
| --- | --- | --- |
| Administrator | click run (non-admin) | work fine |
| Administrator | Run as Admin | don't work |

| Windows User | Debug with VS2022 | Electron app | C# | MFC Demo |
| --- | --- | --- | --- | --- |
| Administrator | non-admin launch VS2022 | work fine | work fine | work fine |
| Administrator | Admin launch VS2022 | don't work | work fine | work fine |

Debug Electron app with VS2022(non-admin launch)
image
The IntegrityLevel is SECURITY_MANDATORY_MEDIUM_RID(8192) and the CreateForMonitor is OK, so can capture the monitor

Debug Electron app with VS2022(admin launch)
image
The IntegrityLevel is SECURITY_MANDATORY_HIGH_RID(12288) and the CreateForMonitor is access_denied, so can't capture the monitor

So I don't know if the electron has some constraint or something else?

Author

HuntCode commented Nov 3, 2023

Debug MFC app with VS2022(non-admin launch)
image
The IntegrityLevel is SECURITY_MANDATORY_MEDIUM_RID(8192) and the CreateForMonitor is OK, so can capture the monitor

Debug MFC app with VS2022(admin launch)
image
The IntegrityLevel is SECURITY_MANDATORY_HIGH_RID(12288) and the CreateForMonitor is OK, so can capture the monitor

GetProcessIL is from Cannot use IGraphicsCaptureItemInterop::CreateForWindow with electron apps #111
