Manage Elevated Windows

Elevated applications usually run in a higher integrity level than Jwno. As per Windows security requirements, Jwno cannot manage their windows by default. There're two ways to mitigate this though.

1. Run Jwno With a Higher Integrity Level

(This method is strongly discouraged, due to its security implications.)

The first method is to simply start Jwno using Run as administrator. But since Jwno has a full scripting runtime built-in, when its process gets compromised, an attacker may easily use it to execute malicious code.

And, Jwno does not voluntarily drop its elevated state when launching other applications/commands, so everything Jwno launches will have administrative power.

2. Grant Jwno the uiAccess Permission

The uiAccess setting is a flag checked by Windows, to allow assistive applications to interact with UIs in higher integrity levels. Granting Jwno the uiAccess permission won't elevate its process, so it's relatively safer. But you'll need to make use of some external tools (mt.exe and signtool.exe), and generate a self-signed certificate yourself.

To grant Jwno uiAccess permission, follow these steps:

  1. Download this manifest file, locate the line containing uiAccess="false", and change false into true.
  2. Run mt.exe -manifest path\to\jwno.manifest -outputresource:path\to\jwno.exe;#1
  3. Generate a self-signed certificate by running this in Powersell: New-SelfSignedCertificate -Type 'Custom' -Subject 'App Signing for Jwno' -KeyAlgorithm 'RSA' -KeyLength 4096 -CertStoreLocation 'Cert:\CurrentUser\My' -FriendlyName 'App Signing for Jwno'
  4. Sign jwno.exe with the certificate we just generated: signtool.exe sign /a /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /n "App Signing for Jwno" path\to\jwno.exe
  5. Right-click on jwno.exe, select Properties -> Digital Signatures -> App Signing for Jwno -> Details -> View Certificate -> Install Certificate...
  6. Move the signed jwno.exe to a directory in your Program Files directory, for example C:\Program Files\Jwno\jwno.exe.
  7. Launch your signed exe file, and evaluate (:has-uiaccess? (in jwno/context :window-manager)) in Jwno's REPL. Jwno can now manage elevated windows, if the code returns true.

To remove the self-signed certificate, when it's not needed any more, open the Run dialog (e.g. by pressing Win + X then R), and launch certmgr.msc. The certificate can be found in the Personal\Certificates and Trusted Root Certification Authorities\Certificates nodes, unless you selected other locations when generating or installing the certificate. Just search for the name App Signing for Jwno.