trusted Path

David Hopwood wrote: If any random user application can scribble over "trusted" dialogs, it's not a trusted path, period. This needs to be shouted from the rooftops, otherwise MS's marketing will win out by default. It's a problem only if the click in the overlay window gets passed through to the window underneath. I don't believe that happens, but it is Microsoft, so you never know. With UIPI enabled, the following shared USER resources are still shared between processes at different privilege levels. - Desktop window, which actually owns the screen surface So you can scribble anywhere on the screen, "above" other windows (by drawing on the DC returned by GetDC(NULL)) without needing an overlay window. Yes, this is a documented "feature" that is still intended to work on Vista: http://blogs.msdn.com/nickkramer/archive/2006/04/07/571162.aspx. It appears that this has now been fixed, by displaying UIPI prompts on the same desktop as used for the logon prompt; see the entry for May 3 at http://blogs.msdn.com/uac/. Oh, but hang on: there's still a very effective social engineering attack, where malicious software can convince you to enter your Administrator password on something that *looks* like the Secure Desktop, but is actually the normal desktop. Without a secure attention key combination (and user training not to enter passwords without having pressed this combination), it's difficult to see how to avoid this.