是否可以使用java.awt.Robot单击Windows UAC对话框？ [英] Is it possible to click on Windows UAC dialog using java.awt.Robot?

问题描述

我正在使用Windows 7上的 java.awt.Robot 在Java中使用自定义远程桌面。除了以管理员身份运行命令提示符之外，它还有效。出现UAC对话框，但是使用 mousePress（） / mouseRelease（），Yes按钮不接受按钮点击，按下 keyPress（） / keyRelease（）。该应用程序通过启动器中的 launch4j 启动器而非环绕模式启动。

I'm working on a custom remote desktop in Java using java.awt.Robot on Windows 7. It all works apart from running a Command Prompt as an administrator. The UAC dialog appears, however button clicks are not accepted on the Yes button using mousePress()/mouseRelease(), neither are key presses with keyPress()/keyRelease(). The application is launched via a launch4j launcher in launcher rather than wrap mode.

到目前为止我已经完成的事情

Things I've done so far

UAC的已禁用安全桌面。这允许应用程序的屏幕抓取器部分至少看到提示

Disabled secure desktop for UAC. This allowed the screen grabber part of the application to at least 'see' the prompt

• 更改组策略以从 UAC组策略设置和注册表项设置

• Changed group policy to disable PromptOnSecureDesktop from UAC Group Policy Settings and Registry Key Settings

关注辅助技术的安全注意事项 - 这使得远程桌面在启动后可以与命令提示符交互，但不允许按是按钮。

Followed Security Considerations for Assistive Technologies - this has allowed the remote desktop to interact with the Command Prompt once launched but not allowed pressing the Yes button.

• 向launch4j添加清单指定uiaccess = true


• 使用signtool.exe使用self签名.exe使用makecert.exe生成的签名证书


• 已安装的证书为受信任的根证书


• 已验证.exe已通过右键单击属性标记为可信任，数字签名


• 确保.exe位于受信任位置，c：\Program Files（x86）\在这种情况下。


• 试图运行作为管理员服务的应用程序的一部分 - 但是我无法获得以管理员身份运行并允许访问桌面的Windows服务 - 似乎只有LocalSystem才能这样做......？

• added a manifest to launch4j specifying uiaccess=true
• Signed the .exe using signtool.exe using self signed certificate generated with makecert.exe
• Installed certificate as Trusted root certificate
• Verified the .exe is marked as Trusted via Right click properties, Digital Signatures
• Ensured .exe is in Trusted location, c:\Program Files (x86)\ in this case.
• Tried to run part of the app as a service as Administrator - however I could not get a Windows Service that ran as Admin AND allowed access to the desktop - it seems only LocalSystem can do that...?

问题

• 这最终可能吗？


• javaw.exe是launch4j包装器的子进程吗？我已经阅读了 Windows完整性机制设计，但我不知道这个效果如何launch4j。

• Is this ultimately possible?
• Does the javaw.exe being a child process of the launch4j wrapper effect things? I've read through Windows Integrity Mechanism Design however I don't know how this effects launch4j.

Launch4j清单文件

Launch4j manifest file

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
            <requestedPrivileges>
            <requestedExecutionLevel level="asInvoker" uiAccess="true" />
        </requestedPrivileges>
    </security>
    </trustInfo>
</assembly>

推荐答案

简短回答，是的。

• 可执行清单中的uiAccess标志似乎只适用于该exe而不是任何子执行，即如果foo-launcher.exe启用uiAccess并启动javaw.exe并不意味着javaw.exe启用了uiAccess。


• 我在运行foo时看到正常工作的唯一原因-launcher.exe作为管理员是foo-launcher.exe也以管理员身份启动javaw.exe，它允许足够的完整性，不需要uiAccess检查。


• javaw.exe有自己的内部清单包含uiAccess true


• 内部清单优先于外部 - 请参阅 UAC：忽略清单文件和


• 存在一个注册表项，用于切换首选内部优于外部清单的行为 -
  se e 如何防止使用嵌入式清单？


• Launch4j生成的可执行文件使用CreateProcess，这意味着可以在没有清单数据的情况下启动可执行文件，显然应该使用ShellExecuteEx - 参见如何运行需要提升并等待的子进程？

• The uiAccess flag in the executable manifest appears to only apply to that exe not any child executions, i.e. if foo-launcher.exe is uiAccess enabled and starts javaw.exe that does not mean javaw.exe is uiAccess enabled.
• The only reason I saw working correctly when running foo-launcher.exe as Administrator is that foo-launcher.exe also starts javaw.exe as Administrator which allows it enough integrity to not require the uiAccess check.
• javaw.exe has its own internal manifest which contains uiAccess true
• Internal manifests are prefered over external - see UAC: Manifest file is ignored and
• A registry key exists to toggle behaviour of preferring internal over external manifests - see How to prevent embedded manifest from being used?
• Launch4j generated executables uses CreateProcess which means executables are launched without manifest data, apparently ShellExecuteEx should be used instead - See How can I run a child process that requires elevation and wait?

• 从javaw.exe中提取内部清单并放入文件名为javaw.exe.manifest的同一目录 - 这可以手动完成，因为它是纯文本 - 我使用了notepad ++。如果您需要自动化，则存在各种第三方工具。


• 将清单编辑为uiAccess =true



• 应用注册表修复程序
  注册表修复

• Extract the internal manifest from javaw.exe and place in same directory with the filename javaw.exe.manifest - this can be done manually as it is plain text - I used notepad++. Various 3rd party tools exist if you need automation.
• Edit the manifest to uiAccess="true"

• Apply the registry fix Registry fix

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ SideSySide]
PreferExternalManifest= dword：00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide] "PreferExternalManifest"=dword:00000001

触摸javaw.exe更新修改时间戳 - 否则不会更改更改 - 这可以通过copy / b javaw.exe + ,,来完成 Windows等效的Linux命令'touch'？

Touch javaw.exe to update the modification timestamp - otherwise changes are not picked up - this can be done with "copy /b javaw.exe +,," see Windows equivalent of the Linux command 'touch'?

这篇关于是否可以使用java.awt.Robot单击Windows UAC对话框？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！