Reported by jteh on 2015-08-06 00:42
Unlike earlier versions of Windows, the Windows 10 lock screen no longer runs on the winlogon secure desktop. Instead, it runs on the default (normal) desktop, but you can't switch apps, bring other windows to the foreground, etc. Unfortunately, this doesn't stop users from exploring other apps with the review cursor, reading/manipulating the clipboard, messing with the user's NVDA configuration, etc. IMO, this is a pretty nasty security issue in Windows itself, but this is apparently what Microsoft have chosen to do.
We can't simply start a secure copy of NVDA, as that would involve restarting the user's normal copy (since this is on the default desktop), which would result in loss of state and potentially be a bit slow. Therefore, we're going to have to somehow disable relevant parts of NVDA.
I think this will basically consist of three parts:
- Preventing the user from object navigating out of the lock screen;
- Blocking all non-essential scripts;
- If we want to allow the synth settings ring commands, creating a temporary configuration which is thrown away when the lock screen goes away.
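
The three parts listed above, modelled as an added example that is not part of the original report and is not NVDA's own code: a default-deny script allowlist, a navigation guard that keeps the navigator object inside the lock screen subtree, and a settings overlay discarded on unlock. Every class, function and script name below is hypothetical.

```python
# Stand-alone model; all names are hypothetical, not NVDA's API.
from collections import ChainMap
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist: speech control and the synth settings ring only.
ALLOWED_WHEN_LOCKED = frozenset(
    {"stopSpeech", "reportCurrentFocus", "nextSynthSetting", "increaseSynthSetting"}
)

@dataclass(eq=False)
class Obj:
    name: str
    parent: Optional["Obj"] = None

def is_within(obj, root):
    """True if obj is root or one of its descendants."""
    while obj is not None:
        if obj is root:
            return True
        obj = obj.parent
    return False

class Session:
    def __init__(self, user_config):
        self._user_config = user_config
        self.config = user_config
        self.lock_root = None
        self.navigator = None

    def lock(self, lock_root):
        self.lock_root = lock_root
        self.navigator = lock_root  # drop any reference to an app object
        # Writes land in the empty scratch dict; reads fall through to the user's.
        self.config = ChainMap({}, self._user_config)

    def unlock(self):
        self.lock_root = None
        self.config = self._user_config  # scratch overlay is thrown away

    def run_script(self, name):
        # Default deny while locked: anything not allowlisted is blocked.
        return self.lock_root is None or name in ALLOWED_WHEN_LOCKED

    def set_navigator(self, obj):
        # Refuse parents, siblings and anything else outside the lock screen.
        if self.lock_root is not None and not is_within(obj, self.lock_root):
            return False
        self.navigator = obj
        return True
```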