User Interface Privilege Isolation

User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages).^[1]

Window messages are designed to communicate user action to processes. However, they can be used to run arbitrary code in the receiving process' context. This could be used by a malicious low-privilege processes to run arbitrary code in the context of a higher-privilege process, which constitutes an unauthorized privilege escalation. By restricting the ability of lower-privileged processes to send window messages to higher-privileged processes, UIPI can mitigate these kinds of attacks.^[2]

UIPI, and Mandatory Integrity Control more generally, is a security feature but not a security boundary.^[3]

Microsoft Office 2010 uses UIPI for its Protected View sandbox to prohibit potentially unsafe documents from modifying components, files, and other resources on a system.^[4]