Security Considerations: Windows Image Acquisition Automation Layer

  • Article

This document provides information about security considerations related to the Windows Image Acquisition (WIA) Automation Layer. This document does not provide all you need to know about security issues; instead, use it as a starting point and reference for this technology area.

Controls Are Not Safe for Scripting

The WIA Automation Layer is not marked safe for scripting. Therefore, proper functionality depends on your security settings.

Configure Security Settings for ASP Access

Before you can create a DeviceManager object on an .asp page, you must configure the security settings for the WIA Automation Layer. For more information, see How to Configure Security Settings.

Administrator Permission

To function successfully, the RegisterPersistentEvent and UnregisterPersistentEvent methods require Administrator permission. For an example that uses these methods, see Implement a Windows Script Host Script that Runs Automatically in Shared Samples.

Place Registered Applications in Secure Locations

When an application is registered to receive a device event, that application can be run by any user with access to that device. For example, if an application is registered for a scan event, pressing the scan button on a scanner causes that application to run. If the application runs with a higher privilege than the user has, there is a potential security issue.

Do Not Use Underlying Directories or Registry Keys

Windows Image Acquisition (WIA) uses several directories and registry keys internally to store data or information. Do not access these directories or registry keys directly. Instead, use the exposed methods to specify directories for acquired images.