Trivial AppID Impersonation

I was wondering what would happen if one tried to impersonate the AppID of a common application, i.e. run my own application and change its AppID to that of a well-known application at run-time. Kinda lame, I know.

To test it, I wrote a quick PoC that uses the SetCurrentProcessExplicitAppUserModelID API to pretend it is Internet Explorer, Remote Desktop and Sticky Notes, using their respective AppIDs. I also added the AppID for Notepad – while it doesn’t have a standard AppID like the 3 other applications, I just wanted to show that we can still enforce the AppID association using Notepad’s normalized path {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe (for details see my older post about AppIDs).

Here’s a list of AppIDs used:

  • Internet Explorer – Microsoft.InternetExplorer.Default
  • Remote Desktop – Microsoft.Windows.RemoteDesktop
  • Sticky Notes – Microsoft.Windows.StickyNotes
  • Notepad – {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe

I pinned all 4 of these applications to the Taskbar on Windows 8.1 and then ran my test application, pausing it each time I changed the AppID to take a screenshot; the results are combined in the picture below. Not surprisingly, every time I changed the AppID a different pinned taskbar icon got highlighted (the test application needs to do some GUI operation for this to work; it can simply show a message box).

[Figure: appid_rotation]
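The run-time AppID switch described above, as an added PowerShell example (not the original PoC): it P/Invokes SetCurrentProcessExplicitAppUserModelID with the four AppIDs listed, reads the value back to show that the shell never validates it, and shows a message box so the taskbar effect can be observed next to the process image path, which stays unchanged and is the value a defender should actually rely on. The wrapper type AppIdDemo.Native and the helper Get-ExplicitAppId are names chosen here.

```powershell
# Added example (not the original PoC). Run from a plain powershell.exe console,
# not the ISE, so that no window of this process exists before the AppID is set.
Add-Type -Namespace AppIdDemo -Name Native -MemberDefinition @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern int SetCurrentProcessExplicitAppUserModelID(string appId);
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern int GetCurrentProcessExplicitAppUserModelID(out IntPtr appId);
'@
Add-Type -AssemblyName System.Windows.Forms

# Reads back the explicit AppID of this process (string is CoTaskMem-allocated).
function Get-ExplicitAppId {
    $ptr = [IntPtr]::Zero
    $hr = [AppIdDemo.Native]::GetCurrentProcessExplicitAppUserModelID([ref]$ptr)
    if ($hr -ne 0) { return $null }
    try { return [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr) }
    finally { [Runtime.InteropServices.Marshal]::FreeCoTaskMem($ptr) }
}

# The AppIDs from the post: three well-known ones plus Notepad's normalized-path form.
$appIds = @(
    'Microsoft.InternetExplorer.Default',
    'Microsoft.Windows.RemoteDesktop',
    'Microsoft.Windows.StickyNotes',
    '{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe'
)

$imagePath = (Get-Process -Id $PID).Path   # what the process really is

foreach ($id in $appIds) {
    $hr = [AppIdDemo.Native]::SetCurrentProcessExplicitAppUserModelID($id)
    if ($hr -ne 0) {
        Write-Warning ("Set failed for '{0}' (HRESULT 0x{1:X8})" -f $id, $hr)
        continue
    }
    # Any string is accepted; it is never compared against the image path.
    Write-Host ("AppID now reported as : {0}" -f (Get-ExplicitAppId))
    Write-Host ("Image path (unchanged): {0}" -f $imagePath)
    # A GUI operation is needed for the taskbar to react; a message box is enough.
    [System.Windows.Forms.MessageBox]::Show("Pretending to be $id", 'AppID demo') | Out-Null
}
```

While each message box is open, the pinned icon matching the current AppID is highlighted on the taskbar, even though the image path printed alongside it never changes.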

This is quite a tiny level of impersonation – it is hard to come up with really useful scenarios here – perhaps one could use it to support social engineering attempts (e.g. an escalation-of-privileges prompt triggered by malware while pretending to come from some legitimate Windows application, or perhaps an AV)? But aren’t existing GUI manipulation tricks better than that? Oh well, trivial is trivial.