I found a way to make dragonfly actions running inside Dragon interact with Admin applications; technique is at the bottom of the message if you're not interested in the exposition.
After I wrote my last message, I poked at this problem some more because something was bugging me: actions triggered by Dragon's built-in grammar do work on applications running as Administrator. (Useful to know because you can "mouse click", "press enter", "type A", "close window" etc. on them even when your grammars don't work.)
I had assumed this was because 2 of natspeak.exe's subprocesses (dgnuiasvr.exe and dgnuiasvr_x64.exe - both labeled as "Dragon NaturallySpeaking UI Automation Server") were responsible for actually sending keystrokes, and they were running as administrator. However, it turns out they are not running in Elevated mode (per Task Manager -> Details, if you add the Elevated column). Instead, there's another concept at play here: UI privilege levels.
Most processes (including natspeak.exe) run at medium privilege level, but dgnuiasvr.exe and dgnuiasvr_x64.exe run at high privilege levels (checked via Sysinternals Process Explorer, process Properties, Security tab, "mandatory label/XXXX" table entry), and that's why they can interact with elevated apps (otherwise Windows silently drops the data of PostMessage and SendMessage API calls from lower privilege processes to higher privilege processes - unless the higher privilege process whitelists those types of messages).
How come they get to run at a higher privilege level? Their application manifest (in the exe file) contains a uiAccess="true" section, and their code is signed with a valid signature from a certificate the system trusts, and they live in a "protected location" (program files) which only high privilege apps can write to; all 3 of those things need to be true for a process to get higher privileges.
natspeak.exe is already 2/3rds of the way there (in a secure location and code-signed by Nuance, but it has uiAccess="false" in its manifest), so we can make it run at a higher privilege level by following these steps.
- Accept: if you continue, you do so at your own risk! This is definitely voiding your warranty, and I take no responsibility for any bad things that may happen.
- Shut down Dragon - make sure natspeak.exe isn't running.
- Make a backup of natspeak.exe (it normally lives at C:\Program Files (x86)\Nuance\NaturallySpeaking15\Program\natspeak.exe) in case it all goes south.
- Use a hex editor like HxD running as Administrator to open c:\temp\natspeak.exe, update uiAccess="false" to uiAccess="true", and save the file.
- That last step invalidated the signature on natspeak.exe by changing the file's checksum, so generate a new cert, install it, and sign natspeak.exe yourself: https://gist.github.com/caspark/29a38ebb47cc7b2315c33f71c01ec237
- Start Dragon again; it should be able to interact with elevated apps now, despite not being elevated itself.
Troubleshooting:
- If you get a message of "A referral was returned by the server", the signature on the executable is probably wrong. Confirm that over at natspeak.exe's Properties >> Digital Signatures >> Details.
- Windows seems to cache exe manifests. Rebooting is supposed to clear the cache, but updating the last modified timestamp on the exe is supposedly the only reliable fix. HxD and the code signing steps both update the last modified timestamp, so hopefully you won't run into this, but this tripped me up for a while before I figured it out (I was using another tool to edit the manifest which wasn't updating the last modified timestamp, and that made my unaltered natspeak.exe backup stop working!).
- You can use Sysinternals Process Explorer to check whether or not an app is running with medium or high privileges.
Hope this is helpful to people - it had been bugging me for quite some time now!
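
For anyone auditing a machine for binaries that claim this privilege, here is an added example (not part of the original message, and not Nuance's or Microsoft's code) that checks two of the three conditions described above: the uiAccess value in the embedded manifest and the protected install location. It assumes a UTF-8 manifest and a default install on drive C:; the third condition, the signature and who signed it, has to be checked with a separate tool. The byte string `SAMPLE_PE` is constructed for illustration.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Protected locations (assumption: default UAC policy, Windows on drive C:).
PROTECTED_ROOTS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows\system32",
)

# The manifest is stored as text inside the exe, so the element can be found
# in the raw bytes. Assumption: the manifest is UTF-8/ASCII encoded.
_UI_ACCESS = re.compile(
    rb"<(?:\w+:)?requestedExecutionLevel\b[^>]*?\buiAccess\s*=\s*([\"'])(true|false)\1",
    re.IGNORECASE,
)

def manifest_ui_access(pe_bytes: bytes) -> Optional[bool]:
    """Return the manifest's uiAccess value, or None if none is declared."""
    m = _UI_ACCESS.search(pe_bytes)
    return None if m is None else m.group(2).lower() == b"true"

def in_protected_location(path: str) -> bool:
    """True if the path is below one of the protected roots (case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(root + "\\") for root in PROTECTED_ROOTS)

def audit(path: str, pe_bytes: bytes) -> str:
    """Classify one executable for review."""
    if manifest_ui_access(pe_bytes) is not True:
        return "ok: no uiAccess request"
    if in_protected_location(path):
        return "review: uiAccess=true in protected location, verify the signer"
    return "review: uiAccess=true outside a protected location"

# Constructed sample: padding around a minimal manifest fragment.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 64
    + b'<requestedExecutionLevel level="asInvoker" uiAccess="true"/>'
    + b"\x00" * 16
)

if __name__ == "__main__":
    target = r"C:\Program Files (x86)\Nuance\NaturallySpeaking15\Program\natspeak.exe"
    print(audit(target, SAMPLE_PE))
```

A "review" result for a file in a protected location is the case worth following up: compare the signer shown under Properties >> Digital Signatures against the vendor you expect.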