From 686ea7cd35b96602078bdf52459089274ac5331d Mon Sep 17 00:00:00 2001
From: Michael Curran <mick@kulgan.net>
Date: Mon, 16 Apr 2012 11:24:15 +1000
Subject: [PATCH] A bit of a re-write to nvdahelper injection and rpc code to
 allow NVDA access to inproc rpc interfaces such as virtualBuffers hosted in
 an appContainer process (e.g. metro app). Assuming NVDA has the UIAccess
 privilidge, virtualBuffers are now available in metro apps such as Store.
 Specific changes:   	* On win8 nvdaHelperLocal registers the nvdaController
 and nvdaControllerInternal interfaces using the new RpcServerRegisterIf3,
 allowing the use of a security descriptor which specifically allows access
 from AppContainer integrity processes. However as the security descriptor
 overrides any defaults, it also for now allows access from any authenticated
 users  -- this could be tightened up. 	* nvdaInprocUtils now has two new
 methods: registerNVDAProcess and unregisterNVDAProcess, plus an rundown
 function for the context handle registerNVDAProcess provides. When injection
 is all initialized, NVDA can call registerNVDAprocess and when it wants the
 inproc code to terminate it can call unregisterNVDAProcess, or just break the
 connection or exit. registerNVDAProcess sets an nvdaUnregisteredEvent to
 nonSignaled, which the inproc code uses to wait on. UnregisterNVDAProcess
 (also called by the rundown if the connection breaks) sets this event to
 signaled to instruct the inproc code to terminate. 	* nvdaHelperRemote:
 remove the injectionDoneEvent and any code that waited on it or the NVDA
 process. Its no longer needed. Note that this did not work in AppContainer
 processes anyway unless a specific security descriptor was set for both the
 NVDA process and the injectionDoneEvent. 	* nvdaHelperRemote: When
 registering its RPC interfaces (nvdaInprocUtils, displayModel and VBuf), use
 RpcUseProtSeq rather than RpcUseProtSeqEp so as to listen on a dynamic
 endpoint rather than a well-known one. AppContainer processes mangled the
 endpoint name anyway. Publish correct dynamic endpoints for each interface
 along with a generated UUID specific to this instance of the inproc code,
 using RpcEpRegister, so that NVDA can locate this processes endpoint by using
 the interface and generated UUID. Finally also call a new
 nvdaControllerInternal method: requestRegistration to ask NVDA to register
 with this inproc code before the call returns. 	* nvdaHelperLocal:
 rename createConnection to createRemoteBindingHandle (which is more true) and
 also set a security descriptor on the created binding handle to allow an
 AppContainer server to talk back to this client -- could be tightened up.
 createRemoteBindingHandle also now takes a uuid parameter which it uses when
 creating the binding handle so its able to locate the correct endpoint. 
 * nvdaControllerInternal: add a new requestRegistration method, which takes a
 UUID string which can be used to locate the caller's own inproc rpc
 interfaces. The implementation of requestRegistration uses the UUID to create
 a bindingHandle for remote access to the inproc code using
 createRemoteBindingHandle, storing it on the appModule which it creates if
 necessary. It also calls registerNVDAProcess so as to retreave a context
 handle from the inproc code that if broken will force the inproc code to
 terminate. This is also stored on the appModule. 	* AppModule.terminate:
 If a registrationhandle exists, destroy it with rpcSsDestroyClientContext. If
 a bindingHandle exists then free it with RpcBindingFree. Destroying both of
 these is enough to ensure the connection with the inproc code breaks and
 therefore the rundown for the registration will run and inproc code will be
 terminated. This is safer than specifically calling unregisterNVDAProcess
 which could freee or may fail if the remote process is busy or shutting down
 or is dead etc. 	* core.initialize: initialize appModuleHandler before
 nvdaHelper as nvdahelper.nvdaControllerInternal_requestRegistration, which
 can happen quite quick, needs the ability to create an appModule.

---
 .../nvdaControllerInternal.acf                     |   2 +-
 .../nvdaControllerInternal.idl                     |   6 +-
 .../interfaces/nvdaInProcUtils/nvdaInProcUtils.acf |   3 +
 .../interfaces/nvdaInProcUtils/nvdaInProcUtils.idl |   5 +
 nvdaHelper/local/nvdaControllerInternal.c          |   6 +-
 nvdaHelper/local/nvdaHelperLocal.cpp               |  41 ++++--
 nvdaHelper/local/nvdaHelperLocal.def               |   6 +-
 nvdaHelper/local/nvdaHelperLocal.h                 |   3 +-
 nvdaHelper/local/rpcSrv.cpp                        |  36 +++++-
 nvdaHelper/local/sconscript                        |   1 +
 nvdaHelper/remote/inProcess.cpp                    |   3 -
 nvdaHelper/remote/injection.cpp                    | 144 +++++++++------------
 nvdaHelper/remote/rpcSrv.cpp                       |  65 +++++++++-
 nvdaHelper/remote/rpcSrv.h                         |   6 +-
 source/NVDAHelper.py                               |  33 ++++-
 source/appModuleHandler.py                         |   8 +-
 source/core.py                                     |   6 +-
 17 files changed, 243 insertions(+), 131 deletions(-)

diff --git a/nvdaHelper/interfaces/nvdaControllerInternal/nvdaControllerInternal.acf b/nvdaHelper/interfaces/nvdaControllerInternal/nvdaControllerInternal.acf
index 15fa72f79..d1187d711 100644
--- a/nvdaHelper/interfaces/nvdaControllerInternal/nvdaControllerInternal.acf
+++ b/nvdaHelper/interfaces/nvdaControllerInternal/nvdaControllerInternal.acf
@@ -16,7 +16,7 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 	implicit_handle(handle_t nvdaControllerInternalBindingHandle)
 ]
 interface NvdaControllerInternal {
-	[fault_status,comm_status] getNVDAProcessID();
+	[fault_status,comm_status] requestRegistration();
 	[fault_status,comm_status] inputLangChangeNotify();
 	[fault_status,comm_status] typedCharacterNotify();
 	[fault_status,comm_status] displayModelTextChangeNotify();
diff --git a/nvdaHelper/interfaces/nvdaControllerInternal/nvdaControllerInternal.idl b/nvdaHelper/interfaces/nvdaControllerInternal/nvdaControllerInternal.idl
index 06bec7766..462867563 100644
--- a/nvdaHelper/interfaces/nvdaControllerInternal/nvdaControllerInternal.idl
+++ b/nvdaHelper/interfaces/nvdaControllerInternal/nvdaControllerInternal.idl
@@ -35,11 +35,7 @@ cpp_quote("*/")
 ]
 interface NvdaControllerInternal {
 
-/**
- * Gets the process ID of NVDA.
- * @param pProcessID memory where the  retreaved process ID can be placed.
- */
-	error_status_t __stdcall getNVDAProcessID([out] long* pProcessID); 
+	error_status_t __stdcall requestRegistration([in,string] const wchar_t* uuidString);
 
 /**
  * Notifies NVDA that the keyboard layout has changed for this thread. 
diff --git a/nvdaHelper/interfaces/nvdaInProcUtils/nvdaInProcUtils.acf b/nvdaHelper/interfaces/nvdaInProcUtils/nvdaInProcUtils.acf
index ba2ba931e..4cacb9b5d 100644
--- a/nvdaHelper/interfaces/nvdaInProcUtils/nvdaInProcUtils.acf
+++ b/nvdaHelper/interfaces/nvdaInProcUtils/nvdaInProcUtils.acf
@@ -12,7 +12,10 @@ This license can be found at:
 http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 */
 
+[strict_context_handle]
 interface NvdaInProcUtils {
+	[fault_status,comm_status] registerNVDAProcess();
+	[fault_status,comm_status] unregisterNVDAProcess();
 	[fault_status,comm_status] winword_expandToLine();
 	[fault_status,comm_status] winword_getTextInRange();
 }
diff --git a/nvdaHelper/interfaces/nvdaInProcUtils/nvdaInProcUtils.idl b/nvdaHelper/interfaces/nvdaInProcUtils/nvdaInProcUtils.idl
index 8ccddb9b4..045c240e9 100644
--- a/nvdaHelper/interfaces/nvdaInProcUtils/nvdaInProcUtils.idl
+++ b/nvdaHelper/interfaces/nvdaInProcUtils/nvdaInProcUtils.idl
@@ -38,6 +38,11 @@ import "oaidl.idl";
 ]
 interface NvdaInProcUtils {
 
+	typedef [context_handle] void* nvdaRegistrationHandle_t;
+
+	error_status_t registerNVDAProcess([in] handle_t bindingHandle, [out] nvdaRegistrationHandle_t* registrationhandle);
+	error_status_t unregisterNVDAProcess([in,out] nvdaRegistrationHandle_t* registrationhandle);
+
 	error_status_t winword_expandToLine([in] const long windowHandle, [in] const int offset, [out] int* lineStart, [out] int* lineEnd);
 
 	error_status_t winword_getTextInRange([in] const long windowHandle, [in] const int startOffset, [in] const int endOffset, [in] const long formatConfig, [out] BSTR* text); 
diff --git a/nvdaHelper/local/nvdaControllerInternal.c b/nvdaHelper/local/nvdaControllerInternal.c
index f84aee1f7..5f9a85bf4 100644
--- a/nvdaHelper/local/nvdaControllerInternal.c
+++ b/nvdaHelper/local/nvdaControllerInternal.c
@@ -14,9 +14,9 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 
 #include "nvdaControllerInternal.h"
 
-error_status_t __stdcall nvdaControllerInternal_getNVDAProcessID(long* pProcessID) {
-	*pProcessID=GetCurrentProcessId();
-	return RPC_S_OK;
+error_status_t(__stdcall *_nvdaControllerInternal_requestRegistration)(const wchar_t*);
+error_status_t __stdcall nvdaControllerInternal_requestRegistration(const wchar_t* uuidString) {
+	return _nvdaControllerInternal_requestRegistration(uuidString);
 }
 
 error_status_t(__stdcall *_nvdaControllerInternal_inputLangChangeNotify)(const long, const unsigned long, const wchar_t*);
diff --git a/nvdaHelper/local/nvdaHelperLocal.cpp b/nvdaHelper/local/nvdaHelperLocal.cpp
index 12a0ab73e..31f827051 100644
--- a/nvdaHelper/local/nvdaHelperLocal.cpp
+++ b/nvdaHelper/local/nvdaHelperLocal.cpp
@@ -15,6 +15,8 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 #include <cstdio>
 #include <sstream>
 #include <algorithm>
+#include <rpc.h>
+#include <sddl.h>
 #include "nvdaHelperLocal.h"
 #include "dllImportTableHooks.h"
 #include "rpcsrv.h"
@@ -22,22 +24,45 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 DllImportTableHooks* oleaccHooks = NULL;
 DllImportTableHooks* uiaCoreHooks = NULL;
 
-handle_t createConnection(int processID) {
+typedef struct _RPC_SECURITY_QOS_V5_W {
+  unsigned long Version;
+  unsigned long Capabilities;
+  unsigned long IdentityTracking;
+  unsigned long ImpersonationType;
+  unsigned long AdditionalSecurityInfoType;
+  union 
+      {
+      RPC_HTTP_TRANSPORT_CREDENTIALS_W *HttpCredentials;
+      } u;
+  void *Sid;
+  unsigned int EffectiveOnly;
+  void *ServerSecurityDescriptor;
+} RPC_SECURITY_QOS_V5_W, *PRPC_SECURITY_QOS_V5_W;
+
+handle_t createRemoteBindingHandle(wchar_t* uuidString) {
 	RPC_STATUS rpcStatus;
-	std::wostringstream addr;
-	addr<<L"ncalrpc:[nvdaHelperRemote_"<<processID<<L"]";
+	RPC_WSTR stringBinding;
+	if((rpcStatus=RpcStringBindingCompose((RPC_WSTR)uuidString,(RPC_WSTR)L"ncalrpc",NULL,NULL,NULL,&stringBinding))!=RPC_S_OK) {
+		fprintf(stderr,"RpcStringBindingCompose failed, rpc code 0X%X\n",rpcStatus);
+		return NULL;
+	}
 	handle_t bindingHandle;
-	if((rpcStatus=RpcBindingFromStringBinding((RPC_WSTR)(addr.str().c_str()),&bindingHandle))!=RPC_S_OK) {
+	if((rpcStatus=RpcBindingFromStringBinding(stringBinding,&bindingHandle))!=RPC_S_OK) {
 		fprintf(stderr,"Error creating binding handle from string binding, rpc code 0X%X\n",rpcStatus);
 		return NULL;
 	} 
+	PSECURITY_DESCRIPTOR psd=NULL;
+	ULONG size;
+	if(!ConvertStringSecurityDescriptorToSecurityDescriptor(L"D:(A;;GA;;;AU)(A;;GA;;;AC)",SDDL_REVISION_1,&psd,&size)) {
+		return NULL;
+	}
+	RPC_SECURITY_QOS_V5_W securityQos={5,0,0,0,0,NULL,NULL,0,psd};
+	if(RpcBindingSetAuthInfoEx(bindingHandle,NULL,RPC_C_AUTHN_LEVEL_DEFAULT,RPC_C_AUTHN_DEFAULT,NULL,0,(RPC_SECURITY_QOS*)&securityQos)!=RPC_S_OK) {
+		return NULL;
+	}
 	return bindingHandle;
 }
 
-void destroyConnection(handle_t bindingHandle) {
-	RpcBindingFree(&bindingHandle);
-}
-
 bool shouldCancelSendMessage;
 const UINT CANCELSENDMESSAGE_CHECK_INTERVAL = 400;
 
diff --git a/nvdaHelper/local/nvdaHelperLocal.def b/nvdaHelper/local/nvdaHelperLocal.def
index 1c6592935..424265a51 100644
--- a/nvdaHelper/local/nvdaHelperLocal.def
+++ b/nvdaHelper/local/nvdaHelperLocal.def
@@ -1,12 +1,13 @@
 EXPORTS
-	createConnection
-	destroyConnection
+	createRemoteBindingHandle
 	cancellableSendMessageTimeout
 	cancelSendMessage
 	_notifySendMessageCancelled
 	nvdaHelperLocal_initialize
 	nvdaHelperLocal_terminate
 	generateBeep
+	nvdaInProcUtils_registerNVDAProcess
+	nvdaInProcUtils_unregisterNVDAProcess
 	nvdaInProcUtils_winword_expandToLine
 	nvdaInProcUtils_winword_getTextInRange
 	VBuf_createBuffer
@@ -25,6 +26,7 @@ EXPORTS
 	VBuf_locateControlFieldNodeAtOffset
 	VBuf_locateTextFieldNodeAtOffset
 	VBuf_setSelectionOffsets
+	_nvdaControllerInternal_requestRegistration
 	_nvdaControllerInternal_displayModelTextChangeNotify
 	_nvdaControllerInternal_inputLangChangeNotify
 	_nvdaControllerInternal_logMessage
diff --git a/nvdaHelper/local/nvdaHelperLocal.h b/nvdaHelper/local/nvdaHelperLocal.h
index 9d4a0144d..a9ee2fce3 100755
--- a/nvdaHelper/local/nvdaHelperLocal.h
+++ b/nvdaHelper/local/nvdaHelperLocal.h
@@ -16,8 +16,7 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 #define NVDAHELPERLOCAL_H
 #include <rpc.h>
 
-handle_t createConnection(int processID);
-void destroyConnection(handle_t bindingHandle);
+handle_t createRemoteBindingHandle(wchar_t* uuidString);
 LRESULT cancellableSendMessageTimeout(HWND hwnd, UINT Msg, WPARAM wParam, LPARAM lParam, UINT fuFlags, UINT uTimeout, PDWORD_PTR lpdwResult);
 void cancelSendMessage();
 void nvdaHelperLocal_initialize();
diff --git a/nvdaHelper/local/rpcSrv.cpp b/nvdaHelper/local/rpcSrv.cpp
index 9b9ee0427..ef8ae15ee 100644
--- a/nvdaHelper/local/rpcSrv.cpp
+++ b/nvdaHelper/local/rpcSrv.cpp
@@ -15,6 +15,7 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 #include <cstdio>
 #include <sstream>
 #include <rpc.h>
+#include <sddl.h>
 #include "nvdaController.h"
 #include "nvdaControllerInternal.h"
 #include <common/winIPCUtils.h>
@@ -22,6 +23,8 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 
 using namespace std;
 
+typedef RPC_STATUS(RPC_ENTRY *RpcServerRegisterIf3_functype)(RPC_IF_HANDLE,UUID __RPC_FAR*,RPC_MGR_EPV __RPC_FAR*,unsigned int,unsigned int,unsigned int,RPC_IF_CALLBACK_FN __RPC_FAR*,void __RPC_FAR*);
+
 RPC_IF_HANDLE availableInterfaces[]={
 	nvdaController_NvdaController_v1_0_s_ifspec,
 	nvdaControllerInternal_NvdaControllerInternal_v1_0_s_ifspec
@@ -40,22 +43,41 @@ void __RPC_USER midl_user_free(void* p) {
 
 RPC_STATUS startServer() {
 	RPC_STATUS status;
-	//Set the protocol
 	wchar_t desktopSpecificNamespace[64];
 	generateDesktopSpecificNamespace(desktopSpecificNamespace,ARRAYSIZE(desktopSpecificNamespace));
-	wstringstream endpointStringStream;
-	endpointStringStream<<L"NvdaCtlr."<<desktopSpecificNamespace;
-	status=RpcServerUseProtseqEp((RPC_WSTR)L"ncalrpc",RPC_C_PROTSEQ_MAX_REQS_DEFAULT,(RPC_WSTR)(endpointStringStream.str().c_str()),NULL);
+	wstring endpointString=L"NvdaCtlr.";
+	endpointString+=desktopSpecificNamespace;
+	//On Windows 8 the new rpcServerRegisterIf3 must be used along with a security descriptor allowing appContainer access
+	HANDLE rpcrt4Handle=GetModuleHandle(L"rpcrt4.dll");
+	RpcServerRegisterIf3_functype RpcServerRegisterIf3=(RpcServerRegisterIf3_functype)GetProcAddress((HMODULE)rpcrt4Handle,"RpcServerRegisterIf3");
+	PSECURITY_DESCRIPTOR psd=NULL;
+	ULONG size;
+	if(RpcServerRegisterIf3) {
+		if(!ConvertStringSecurityDescriptorToSecurityDescriptor(L"D:(A;;GA;;;AU)(A;;GA;;;AC)",SDDL_REVISION_1,&psd,&size)) {
+			return GetLastError();
+		}
+		if(!psd) return -1;
+	}
+	status=RpcServerUseProtseqEp((RPC_WSTR)L"ncalrpc",RPC_C_PROTSEQ_MAX_REQS_DEFAULT,(RPC_WSTR)(endpointString.c_str()),psd);
 	//We can ignore the error where the endpoint is already set
 	if(status!=RPC_S_OK&&status!=RPC_S_DUPLICATE_ENDPOINT) {
 		return status;
 	}
 	//Register the interfaces
-	for(int i=0;i<ARRAYSIZE(availableInterfaces);i++) {
-		if((status=RpcServerRegisterIf(availableInterfaces[i],NULL,NULL))!=RPC_S_OK) {
-			return status;
+	if(RpcServerRegisterIf3) { //Windows 8
+		for(int i=0;i<ARRAYSIZE(availableInterfaces);i++) {
+			if((status=RpcServerRegisterIf3(availableInterfaces[i],NULL,NULL,RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH,RPC_C_LISTEN_MAX_CALLS_DEFAULT,0,NULL,psd))!=RPC_S_OK) {
+				return status;
+			}
+		}
+	} else { // Pre Windows 8
+		for(int i=0;i<ARRAYSIZE(availableInterfaces);i++) {
+			if((status=RpcServerRegisterIf(availableInterfaces[i],NULL,NULL))!=RPC_S_OK) {
+				return status;
+			}
 		}
 	}
+	LocalFree(psd);
 	//Start listening
 	if((status=RpcServerListen(1,RPC_C_LISTEN_MAX_CALLS_DEFAULT,TRUE))!=RPC_S_OK) {
 		return status;
diff --git a/nvdaHelper/local/sconscript b/nvdaHelper/local/sconscript
index 4ffe9e616..d3448b721 100644
--- a/nvdaHelper/local/sconscript
+++ b/nvdaHelper/local/sconscript
@@ -86,6 +86,7 @@ localLib=env.SharedLibrary(
 		"textUtils.cpp",
 	],
 	LIBS=[
+		"advapi32.lib",
 		"user32",
 		"usp10",
 		"ole32",
diff --git a/nvdaHelper/remote/inProcess.cpp b/nvdaHelper/remote/inProcess.cpp
index 7867f52a5..271a5e0ea 100755
--- a/nvdaHelper/remote/inProcess.cpp
+++ b/nvdaHelper/remote/inProcess.cpp
@@ -18,7 +18,6 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 #include <map>
 #define WIN32_LEAN_AND_MEAN 
 #include <windows.h>
-#include "rpcSrv.h"
 #include "winword.h"
 #include "inputLangChange.h"
 #include "typedCharacter.h"
@@ -45,11 +44,9 @@ void inProcess_initialize() {
 	inputLangChange_inProcess_initialize();
 	winword_inProcess_initialize();
 	gdiHooks_inProcess_initialize();
-	rpcSrv_inProcess_initialize();
 }
 
 void inProcess_terminate() {
-	rpcSrv_inProcess_terminate();
 	gdiHooks_inProcess_terminate();
 	winword_inProcess_terminate();
 	inputLangChange_inProcess_terminate();
diff --git a/nvdaHelper/remote/injection.cpp b/nvdaHelper/remote/injection.cpp
index cc3442ab1..78026bb84 100644
--- a/nvdaHelper/remote/injection.cpp
+++ b/nvdaHelper/remote/injection.cpp
@@ -18,6 +18,7 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 #define WIN32_LEAN_AND_MEAN 
 #include <windows.h>
 #include <shlwapi.h>
+#include <sddl.h>
 #include "log.h"
 #include "ia2Support.h"
 #include "apiHook.h"
@@ -28,6 +29,7 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 #include "dllmain.h"
 #include "nvdaHelperRemote.h"
 #include "inProcess.h"
+#include "rpcSrv.h"
 
 using namespace std;
 
@@ -101,79 +103,63 @@ DWORD WINAPI inprocMgrThreadFunc(LPVOID data) {
 	HINSTANCE tempHandle=NULL;
 	if(!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,(LPCTSTR)dllHandle,&tempHandle)) {
 		LOG_ERROR(L"GetModuleHandleEx failed, GetLastError returned "<<GetLastError());
+		ReleaseMutex(threadMutex);
 		return 0;
 	}
 	nhAssert(dllHandle==tempHandle);
-	//Try to open handles to both the injectionDone event and NVDA's process handle
-		HANDLE waitHandles[2]={0};
-	long nvdaProcessID=0;
-	nvdaControllerInternal_getNVDAProcessID(&nvdaProcessID);
-	if(nvdaProcessID>0) {
-		waitHandles[0]=OpenProcess(SYNCHRONIZE,FALSE,nvdaProcessID);
-		wstringstream s;
-		s<<L"nvdaHelperRemote_injectionDoneEvent_"<<desktopSpecificNamespace;
-		waitHandles[1]=OpenEvent(SYNCHRONIZE,FALSE,s.str().c_str());
+	//Register for all winEvents in this process.
+	inprocWinEventHookID=SetWinEventHook(EVENT_MIN,EVENT_MAX,dllHandle,inproc_winEventCallback,GetCurrentProcessId(),0,WINEVENT_INCONTEXT);
+	if(inprocWinEventHookID==0) {
+		LOG_ERROR(L"SetWinEventHook failed");
 	}
-	//As long as we have successfully retreaved handles for NVDA's process and the event, then go on and initialize, wait and terminate.
-	if(waitHandles[0]&&waitHandles[1]) {
-		//Register for all winEvents in this process.
-		inprocWinEventHookID=SetWinEventHook(EVENT_MIN,EVENT_MAX,dllHandle,inproc_winEventCallback,GetCurrentProcessId(),0,WINEVENT_INCONTEXT);
-		if(inprocWinEventHookID==0) {
-			LOG_ERROR(L"SetWinEventHook failed");
+	//Initialize API hooking
+	apiHook_initialize();
+//Fore secure mode NVDA process, hook OpenClipboard to disable usage of the clipboard
+if(isSecureModeNVDAProcess) real_OpenClipboard=apiHook_hookFunction_safe("USER32.dll",OpenClipboard,fake_OpenClipboard);
+	//Initialize in-process subsystems
+	inProcess_initialize();
+	//Enable all registered API hooks
+	apiHook_enableHooks();
+	//Initialize our rpc server interfaces and request registration with NVDA
+	rpcSrv_initialize();
+	//Notify injection_winEventCallback (who started our thread) that we're past initialization
+	SetEvent((HANDLE)data);
+	//Wait until nvda unregisters
+	#ifndef NDEBUG
+	Beep(660,75);
+	#endif
+	// Even though we only registered for in-context winEvents, we may still receive some out-of-context events; e.g. console events.
+	// Therefore, we must have a message loop.
+	// Otherwise, any out-of-context events will cause major lag which increases over time.
+	do {
+		// Consume and handle all pending messages.
+		MSG msg;
+		while(PeekMessage(&msg,NULL,0,0,PM_REMOVE)) {
+			TranslateMessage(&msg);
+			DispatchMessage(&msg);
 		}
-		//Initialize API hooking
-		apiHook_initialize();
-	//Fore secure mode NVDA process, hook OpenClipboard to disable usage of the clipboard
-	if(isSecureModeNVDAProcess) real_OpenClipboard=apiHook_hookFunction_safe("USER32.dll",OpenClipboard,fake_OpenClipboard);
-		//Initialize in-process subsystems
-		inProcess_initialize();
-		//Enable all registered API hooks
-		apiHook_enableHooks();
-		//Notify injection_winEventCallback (who started our thread) that we're past initialization
-		SetEvent((HANDLE)data);
-		//Wait till either the injection done event is set, or NVDA's process dies
-		#ifndef NDEBUG
-		Beep(660,75);
-		#endif
-		// Even though we only registered for in-context winEvents, we may still receive some out-of-context events; e.g. console events.
-		// Therefore, we must have a message loop.
-		// Otherwise, any out-of-context events will cause major lag which increases over time.
-		do {
-			// Consume and handle all pending messages.
-			MSG msg;
-			while(PeekMessage(&msg,NULL,0,0,PM_REMOVE)) {
-				TranslateMessage(&msg);
-				DispatchMessage(&msg);
-			}
-		} while(MsgWaitForMultipleObjects(2,waitHandles,FALSE,INFINITE,QS_ALLINPUT)==WAIT_OBJECT_0+2);
-		nhAssert(inprocMgrThreadHandle);
-		inprocThreadsLock.acquire();
-		CloseHandle(inprocMgrThreadHandle);
-		inprocMgrThreadHandle=NULL;
-		inprocThreadsLock.release();
-		#ifndef NDEBUG
-		Beep(1320,75);
-		#endif
-		//Unregister and terminate API hooks
-		apiHook_terminate();
-		//Terminate all in-process subsystems.
-		inProcess_terminate();
-		//Unregister winEvents for this process
-		if(inprocWinEventHookID) { 
-			UnhookWinEvent(inprocWinEventHookID);
-			inprocWinEventHookID=0;
-		}
-		//Unregister any windows hooks registered so far
-		killRunningWindowsHooks();
-	} else {
-		nhAssert(inprocMgrThreadHandle);
-		inprocThreadsLock.acquire();
-		CloseHandle(inprocMgrThreadHandle);
-		inprocMgrThreadHandle=NULL;
-		inprocThreadsLock.release();
+	} while(MsgWaitForMultipleObjects(1,&nvdaUnregisteredEvent,FALSE,INFINITE,QS_ALLINPUT)==WAIT_OBJECT_0+1);
+	nhAssert(inprocMgrThreadHandle);
+	inprocThreadsLock.acquire();
+	CloseHandle(inprocMgrThreadHandle);
+	inprocMgrThreadHandle=NULL;
+	inprocThreadsLock.release();
+	#ifndef NDEBUG
+	Beep(1320,75);
+	#endif
+	//Terminate our RPC server interfaces
+	rpcSrv_terminate();
+	//Unregister and terminate API hooks
+	apiHook_terminate();
+	//Terminate all in-process subsystems.
+	inProcess_terminate();
+	//Unregister winEvents for this process
+	if(inprocWinEventHookID) { 
+		UnhookWinEvent(inprocWinEventHookID);
+		inprocWinEventHookID=0;
 	}
-	if(waitHandles[0]) CloseHandle(waitHandles[0]);
-	if(waitHandles[1]) CloseHandle(waitHandles[1]);
+	//Unregister any windows hooks registered so far
+	killRunningWindowsHooks();
 	//Release and close the thread mutex
 	ReleaseMutex(threadMutex);
 	CloseHandle(threadMutex);
@@ -269,7 +255,6 @@ DWORD WINAPI outprocMgrThreadFunc(LPVOID data) {
 HANDLE outprocMgrThreadHandle=NULL;
 DWORD outprocMgrThreadID=0;
 BOOL outprocInitialized=FALSE;
-HANDLE injectionDoneEvent=NULL;
 
 /**
  * Initializes the out-of-process code for NVDAHelper 
@@ -286,14 +271,6 @@ BOOL injection_initialize(int secureMode) {
 		MessageBox(NULL,L"Error initializing IA2 support",L"nvdaHelperRemote (injection_initialize)",0);
 		return FALSE;
 	}
-	nhAssert(!injectionDoneEvent);
-	{
-		wstringstream s;
-		s<<L"nvdaHelperRemote_injectionDoneEvent_"<<desktopSpecificNamespace;
-		injectionDoneEvent=CreateEvent(NULL,TRUE,FALSE,s.str().c_str());
-	}
-	nhAssert(injectionDoneEvent);
-	ResetEvent(injectionDoneEvent);
 	outprocMgrThreadHandle=CreateThread(NULL,0,outprocMgrThreadFunc,NULL,0,&outprocMgrThreadID);
 	outprocInitialized=TRUE;
 	return TRUE;
@@ -310,10 +287,6 @@ BOOL injection_terminate() {
 	}
 	outprocMgrThreadHandle=NULL;
 	outprocMgrThreadID=0;
-	nhAssert(injectionDoneEvent);
-	SetEvent(injectionDoneEvent);
-	CloseHandle(injectionDoneEvent);
-	injectionDoneEvent=NULL;
 	outprocInitialized=FALSE;
 	return TRUE;
 }
@@ -332,10 +305,13 @@ BOOL WINAPI DllMain(HINSTANCE hModule,DWORD reason,LPVOID lpReserved) {
 		PathRemoveFileSpec(dllDirectory);
 		generateDesktopSpecificNamespace(desktopSpecificNamespace,ARRAYSIZE(desktopSpecificNamespace));
 		//Initialize some needed RPC binding handles.
-		wstringstream s;
-		s<<L"ncalrpc:[NvdaCtlr."<<desktopSpecificNamespace<<L"]";
-		RpcBindingFromStringBinding((RPC_WSTR)(s.str().c_str()),&nvdaControllerBindingHandle);
-		RpcBindingFromStringBinding((RPC_WSTR)(s.str().c_str()),&nvdaControllerInternalBindingHandle);
+		wstring endpoint=L"NvdaCtlr.";
+		endpoint+=desktopSpecificNamespace;
+		RPC_WSTR stringBinding;
+		RpcStringBindingCompose(NULL,(RPC_WSTR)L"ncalrpc",NULL,(RPC_WSTR)(endpoint.c_str()),NULL,&stringBinding);
+		RpcBindingFromStringBinding(stringBinding,&nvdaControllerBindingHandle);
+		RpcBindingFromStringBinding(stringBinding,&nvdaControllerInternalBindingHandle);
+		RpcStringFree(&stringBinding);
 	} else if(reason==DLL_PROCESS_DETACH) {
 		#ifndef NDEBUG
 		Beep(1760,75);
diff --git a/nvdaHelper/remote/rpcSrv.cpp b/nvdaHelper/remote/rpcSrv.cpp
index 3f40edafd..0a03a4df7 100755
--- a/nvdaHelper/remote/rpcSrv.cpp
+++ b/nvdaHelper/remote/rpcSrv.cpp
@@ -15,13 +15,17 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 #include <cstdio>
 #include <sstream>
 #include <rpc.h>
+#include <sddl.h>
 #include "nvdaControllerInternal.h"
 #include "log.h"
 #include "vbufRemote.h"
 #include "displayModelRemote.h"
-#include "nvdaInProcUtils.h"
+#include "NvdaInProcUtils.h"
+#include "nvdaControllerInternal.h"
 #include "rpcSrv.h"
 
+typedef RPC_STATUS(RPC_ENTRY *RpcServerRegisterIf3_functype)(RPC_IF_HANDLE,UUID __RPC_FAR*,RPC_MGR_EPV __RPC_FAR*,unsigned int,unsigned int,unsigned int,RPC_IF_CALLBACK_FN __RPC_FAR*,void __RPC_FAR*);
+
 RPC_IF_HANDLE availableInterfaces[]={
 	nvdaInProcUtils_NvdaInProcUtils_v1_0_s_ifspec,
 	displayModelRemote_DisplayModel_v1_0_s_ifspec,
@@ -38,28 +42,75 @@ void __RPC_USER midl_user_free(void* p) {
 	free(p);
 }
 
-void rpcSrv_inProcess_initialize() {
+HANDLE nvdaUnregisteredEvent=NULL;
+RPC_BINDING_VECTOR* bindingVector;
+UUID nvdaInprocUuid;
+
+RPC_STATUS rpcSrv_initialize() {
+	nvdaUnregisteredEvent=CreateEvent(NULL,TRUE,false,NULL);
 	RPC_STATUS status;
 	//Set the protocol
-	std::wostringstream endPoint;
-	endPoint<<L"nvdaHelperRemote_"<<GetCurrentProcessId();
-	status=RpcServerUseProtseqEp((RPC_WSTR)L"ncalrpc",RPC_C_PROTSEQ_MAX_REQS_DEFAULT,(RPC_WSTR)(endPoint.str().c_str()),NULL);
+	status=RpcServerUseProtseq((RPC_WSTR)L"ncalrpc",RPC_C_PROTSEQ_MAX_REQS_DEFAULT,NULL);
+	//We can ignore the error where the endpoint is already set
 	if(status!=RPC_S_OK&&status!=RPC_S_DUPLICATE_ENDPOINT) {
-		LOG_ERROR(L"RpcServerUseProtseqEp failed with status "<<status);
+		LOG_ERROR(L"Unable to use RPC endPoint. RPC error "<<status); 
+		return status;
+	}
+	if((status=RpcServerInqBindings(&bindingVector))!=RPC_S_OK) {
+		LOG_ERROR(L"RpcServerInqBindings failed with status "<<status);
+		return status;
 	}
+	UuidCreate(&nvdaInprocUuid);
+	UUID_VECTOR nvdaInprocUuidVector={1,&nvdaInprocUuid};
 	//Register the interfaces
 	for(int i=0;i<ARRAYSIZE(availableInterfaces);++i) {
 		if((status=RpcServerRegisterIfEx(availableInterfaces[i],NULL,NULL,RPC_IF_AUTOLISTEN,RPC_C_LISTEN_MAX_CALLS_DEFAULT,NULL))!=RPC_S_OK) {
 			LOG_ERROR(L"RpcServerRegisterIfEx for interface at index "<<i<<L" failed with status "<<status);
+			continue;
 		}
+		if((status=RpcEpRegister(availableInterfaces[i],bindingVector,&nvdaInprocUuidVector,(RPC_WSTR)L"NVDAHelperRemote interface"))!=RPC_S_OK) {
+			LOG_ERROR(L"RpcEpRegister failed for interface at index "<<i<<L" with status "<<status);
+			continue;
+		}
+	}
+	RPC_WSTR uuidString;
+	UuidToString(&nvdaInprocUuid,&uuidString);
+	RpcBindingSetObject(nvdaControllerInternalBindingHandle,&nvdaInprocUuid);
+	if((status=nvdaControllerInternal_requestRegistration((wchar_t*)uuidString))!=RPC_S_OK) {
+		LOG_ERROR(L"nvdaControllerInternal_requestRegistration failed with status "<<status);
 	}
+	RpcStringFree(&uuidString);
+	return status;
 }
 
-void rpcSrv_inProcess_terminate() {
+void rpcSrv_terminate() {
 	RPC_STATUS status;
+	CloseHandle(nvdaUnregisteredEvent);
+	nvdaUnregisteredEvent=NULL;
+	UUID_VECTOR nvdaInprocUuidVector={1,&nvdaInprocUuid};
 	for(int i=0;i<ARRAYSIZE(availableInterfaces);++i) {
+		if((status=RpcEpUnregister(availableInterfaces[i],bindingVector,&nvdaInprocUuidVector))!=RPC_S_OK) {
+			LOG_ERROR(L"RpcEpUnregister failed for interface at index "<<i<<L" with status "<<status);
+		}
 		if((status=RpcServerUnregisterIfEx(availableInterfaces[i],NULL,1))!=RPC_S_OK) {
 			LOG_ERROR(L"RpcServerUnregisterIfEx for interface at index "<<i<<L" failed with status "<<status);
 		}
 	}
+	RpcBindingVectorFree(&bindingVector);
+}
+
+error_status_t nvdaInProcUtils_registerNVDAProcess(handle_t bindingHandle, nvdaRegistrationHandle_t* registrationHandle) {
+	ResetEvent(nvdaUnregisteredEvent);
+	*registrationHandle=&nvdaUnregisteredEvent;
+	return RPC_S_OK;
+}
+
+error_status_t nvdaInProcUtils_unregisterNVDAProcess(nvdaRegistrationHandle_t* registrationHandle) {
+	SetEvent(nvdaUnregisteredEvent);
+	*registrationHandle=NULL;
+	return RPC_S_OK;
+}
+
+void __RPC_USER nvdaRegistrationHandle_t_rundown(nvdaRegistrationHandle_t registrationHandle) {
+	nvdaInProcUtils_unregisterNVDAProcess(&registrationHandle);
 }
diff --git a/nvdaHelper/remote/rpcSrv.h b/nvdaHelper/remote/rpcSrv.h
index 839bfeb9b..73258d705 100644
--- a/nvdaHelper/remote/rpcSrv.h
+++ b/nvdaHelper/remote/rpcSrv.h
@@ -15,7 +15,9 @@ http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 #ifndef RPCSRV_H
 #define RPCSRV_H
 
-void rpcSrv_inProcess_initialize();
-void rpcSrv_inProcess_terminate();
+extern HANDLE nvdaUnregisteredEvent;
+
+RPC_STATUS rpcSrv_initialize();
+void rpcSrv_terminate();
 
 #endif
diff --git a/source/NVDAHelper.py b/source/NVDAHelper.py
index 23880d138..bfc7493dc 100755
--- a/source/NVDAHelper.py
+++ b/source/NVDAHelper.py
@@ -1,9 +1,11 @@
 import os
+import sys
 import _winreg
 import msvcrt
 import winKernel
 
 from ctypes import *
+from ctypes.wintypes import *
 from comtypes import BSTR
 import winUser
 import eventHandler
@@ -68,6 +70,31 @@ def _lookupKeyboardLayoutNameWithHexString(layoutString):
 		log.debugWarning("Could not find reg value 'Layout Text' for reg key %s"%layoutString)
 		return None
 
+@WINFUNCTYPE(c_long,c_wchar_p)
+def nvdaControllerInternal_requestRegistration(uuidString):
+	pid=c_long()
+	windll.rpcrt4.I_RpcBindingInqLocalClientPID(None,byref(pid))
+	pid=pid.value
+	if not pid:
+		log.error("Could not get process ID for RPC call")
+		return -1;
+	import appModuleHandler
+	mod=appModuleHandler.getAppModuleFromProcessID(pid)
+	bindingHandle=c_void_p()
+	bindingHandle.value=localLib.createRemoteBindingHandle(uuidString)
+	if not bindingHandle: 
+		log.error("Could not bind to inproc rpc server for pid %d"%pid)
+		return -1
+	registrationHandle=c_long()
+	res=localLib.nvdaInProcUtils_registerNVDAProcess(bindingHandle,byref(registrationHandle))
+	if res!=0 or not registrationHandle:
+		log.error("Could not register NVDA with inproc rpc server for pid %d, res %d, registrationHandle %s"%(pid,res,registrationHandle))
+		windll.rpcrt4.RpcBindingFree(byref(bindingHandle))
+		return -1
+	mod.helperLocalBindingHandle=bindingHandle
+	mod._inprocRegistrationHandle=registrationHandle
+	return 0
+
 @WINFUNCTYPE(c_long,c_long,c_long,c_long,c_long,c_long)
 def nvdaControllerInternal_displayModelTextChangeNotify(hwnd, left, top, right, bottom):
 	import displayModel
@@ -167,6 +194,7 @@ def initialize():
 		("nvdaController_speakText",nvdaController_speakText),
 		("nvdaController_cancelSpeech",nvdaController_cancelSpeech),
 		("nvdaController_brailleMessage",nvdaController_brailleMessage),
+		("nvdaControllerInternal_requestRegistration",nvdaControllerInternal_requestRegistration),
 		("nvdaControllerInternal_inputLangChangeNotify",nvdaControllerInternal_inputLangChangeNotify),
 		("nvdaControllerInternal_typedCharacterNotify",nvdaControllerInternal_typedCharacterNotify),
 		("nvdaControllerInternal_displayModelTextChangeNotify",nvdaControllerInternal_displayModelTextChangeNotify),
@@ -174,8 +202,9 @@ def initialize():
 	]:
 		try:
 			_setDllFuncPointer(localLib,"_%s"%name,func)
-		except AttributeError:
-			log.error("nvdaHelperLocal function pointer for %s could not be found, possibly old nvdaHelperLocal dll"%name)
+		except AttributeError as e:
+			log.error("nvdaHelperLocal function pointer for %s could not be found, possibly old nvdaHelperLocal dll"%name,exc_info=True)
+			raise e
 	localLib.nvdaHelperLocal_initialize()
 	generateBeep=localLib.generateBeep
 	generateBeep.argtypes=[c_char_p,c_float,c_uint,c_ubyte,c_ubyte]
diff --git a/source/appModuleHandler.py b/source/appModuleHandler.py
index 4a8bcbfa2..b5326d312 100644
--- a/source/appModuleHandler.py
+++ b/source/appModuleHandler.py
@@ -196,13 +196,14 @@ class AppModule(baseObject.ScriptableObject):
 		#: The ID of the process this appModule is for.
 		#: @type: int
 		self.processID=processID
-		self.helperLocalBindingHandle=NVDAHelper.localLib.createConnection(processID)
 		if appName is None:
 			appName=getAppNameFromProcessID(processID)
 		#: The application name.
 		#: @type: str
 		self.appName=appName
 		self.processHandle=winKernel.openProcess(winKernel.SYNCHRONIZE,False,processID)
+		self.helperLocalBindingHandle=None
+		self._inprocRegistrationHandle=None
 
 	def __repr__(self):
 		return "<%r (appName %r, process ID %s) at address %x>"%(self.appModuleName,self.appName,self.processID,id(self))
@@ -219,7 +220,10 @@ class AppModule(baseObject.ScriptableObject):
 		Subclasses should call the superclass method first.
 		"""
 		winKernel.closeHandle(self.processHandle)
-		NVDAHelper.localLib.destroyConnection(self.helperLocalBindingHandle)
+		if self._inprocRegistrationHandle:
+			ctypes.windll.rpcrt4.RpcSsDestroyClientContext(ctypes.byref(self._inprocRegistrationHandle))
+		if self.helperLocalBindingHandle:
+			ctypes.windll.rpcrt4.RpcBindingFree(ctypes.byref(self.helperLocalBindingHandle))
 
 	def chooseNVDAObjectOverlayClasses(self, obj, clsList):
 		"""Choose NVDAObject overlay classes for a given NVDAObject.
diff --git a/source/core.py b/source/core.py
index 7c428ae18..e271d42df 100644
--- a/source/core.py
+++ b/source/core.py
@@ -172,6 +172,9 @@ This initializes all modules such as audio, IAccessible, keyboard, mouse, and GU
 	log.info("Using Python version %s"%sys.version)
 	log.info("Using comtypes version %s"%comtypes.__version__)
 	log.debug("Creating wx application instance")
+	import appModuleHandler
+	log.debug("Initializing appModule Handler")
+	appModuleHandler.initialize()
 	import NVDAHelper
 	log.debug("Initializing NVDAHelper")
 	NVDAHelper.initialize()
@@ -226,9 +229,6 @@ This initializes all modules such as audio, IAccessible, keyboard, mouse, and GU
 		locale.Init(lang,wxLang)
 	except:
 		pass
-	import appModuleHandler
-	log.debug("Initializing appModule Handler")
-	appModuleHandler.initialize()
 	import api
 	import winUser
 	import NVDAObjects.window
-- 
2.11.0