Description
TL;DR
With the rise of continuous screen capture tools for AI analysis, sensitive LOB applications are at increased risk of data leakage. This proposal adds a simple API to WinForms that allows developers to prevent their forms and controls from being captured in screenshots, addressing a critical security concern for applications that handle sensitive data.
Rationale
Modern productivity tools increasingly use continuous screen capturing to feed content to LLMs for summarization, analysis, and automation. While this offers productivity benefits, it creates significant security risks for certain Line of Business (LOB) applications that handle sensitive data, or at least certain areas of those apps.
A few examples of application types that might require protection against unauthorized screen capture:
- Healthcare Applications: Applications displaying patient records, medical histories, test results, or other protected health information (PHI) covered under HIPAA regulations
- Financial Applications: Banking software, investment platforms, or accounting systems showing account balances, transaction histories, credit card numbers, or tax information
- Government Systems: Applications handling citizen data, social security numbers, tax records, or classified information
- Legal Software: Case management systems containing privileged attorney-client communications, court filings, or sensitive legal strategies
- Insurance Platforms: Systems displaying policy details, claims information, or personal policyholder data
- HR Software: Applications showing employee records, salary information, performance reviews, or personal details
- Educational Systems: Applications containing student records, grades, or other information protected under FERPA
Proposed API
Windows provides the SetWindowDisplayAffinity API with the options WDA_NONE, WDA_MONITOR (Windows 7 and later) and WDA_EXCLUDEFROMCAPTURE (Windows 10 version 2004 and later). While the Desktop Window Manager is composing the desktop, it blocks most software-based screen capture methods (BitBlt/PrintWindow of the screen, desktop duplication, screen recorders built on them). This proposal wraps that functionality in a simple, easy-to-use WinForms API that raises awareness of this security concern and gives developers a straightforward way to protect sensitive information.
New Property for Form Class
```csharp
namespace System.Windows.Forms;

public class Form
{
    /// <summary>
    /// Gets or sets how this form is treated by software screen captures.
    /// <see cref="ScreenCaptureMode.HideContent"/> renders the form as a black rectangle in screenshots
    /// and screen recordings; <see cref="ScreenCaptureMode.HideWindow"/> omits it from them entirely.
    /// Backed by SetWindowDisplayAffinity, which only takes effect while DWM composition is active.
    /// HideContent works on Windows 7 and later; HideWindow requires Windows 10 version 2004 or later.
    /// </summary>
    public ScreenCaptureMode ScreenCaptureMode { get; set; }
}
```

Alternatively: New Property for Control Class
[Update: we're not doing this. See the edit history for the original idea.]
Additional Supporting APIs
```csharp
namespace System.Windows.Forms;

/// <summary>
/// Defines how a form is treated when the screen is captured by software.
/// </summary>
public enum ScreenCaptureMode
{
    /// <summary>
    /// The form is captured normally. Default. Maps to WDA_NONE.
    /// </summary>
    Allow = 0,

    /// <summary>
    /// The form appears as a black rectangle in screenshots and recordings. Maps to WDA_MONITOR.
    /// </summary>
    HideContent = 1,

    /// <summary>
    /// The form is omitted from screenshots and recordings entirely; the capture shows whatever is behind it.
    /// Maps to WDA_EXCLUDEFROMCAPTURE and requires Windows 10 version 2004 or higher.
    /// </summary>
    HideWindow = 2
}
```

New Form Configuration in Visual Studio Designer
Add a "Security" category in the Properties panel of the WinForms designer containing the ScreenCaptureMode property for easy discovery and configuration.
- Make sure this feature does not clash with the Designer. We might need a design-time shadow property so that the affinity is not applied to the designer surface at design time.
Implementation Notes
- Presumably pretty straightforward, low risk, low-hanging fruit overall with substantial benefit/impact for customers. Need to explore the feasibility of a per-control level. [Update: Not feasible, we are dropping that. The display affinity is a property of the top-level window, so child windows cannot be given a different affinity from their parent.]
- IMPORTANT: There is a feature which not many people know of, where a whole Form can be used as a control, in which case the Form acts as a UserControl. If we decide that control level for that feature is not feasible, I would even suggest throwing an exception if a Form is added to the parent's ControlCollection with its ScreenCaptureMode set to anything other than Allow.
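As an added illustration, not code from this proposal or from the WinForms repository, the sketch below shows how the proposed property could be backed by SetWindowDisplayAffinity. The class name ProtectedForm, and the enum being declared in the sample rather than in System.Windows.Forms, are assumptions. It re-applies the affinity every time the handle is created (WinForms recreates the HWND when some properties change), degrades HideWindow to HideContent on builds older than Windows 10 version 2004 rather than silently allowing capture, and reads the affinity back so a failed call cannot go unnoticed.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Windows.Forms;

// Assumed shape of the proposed enum, mirrored here so the sample compiles on its own.
public enum ScreenCaptureMode
{
    Allow = 0,       // WDA_NONE
    HideContent = 1, // WDA_MONITOR: window is drawn as a black rectangle in captures
    HideWindow = 2,  // WDA_EXCLUDEFROMCAPTURE: window omitted from captures (Windows 10 2004+)
}

// Hypothetical base class showing one way the proposed Form property could be implemented.
public class ProtectedForm : Form
{
    private const uint WDA_NONE = 0x00000000;
    private const uint WDA_MONITOR = 0x00000001;
    private const uint WDA_EXCLUDEFROMCAPTURE = 0x00000011;

    [DllImport("user32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity);

    [DllImport("user32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool GetWindowDisplayAffinity(IntPtr hWnd, out uint pdwAffinity);

    private ScreenCaptureMode _screenCaptureMode = ScreenCaptureMode.Allow;

    [Category("Security")]
    [DefaultValue(ScreenCaptureMode.Allow)]
    public ScreenCaptureMode ScreenCaptureMode
    {
        get => _screenCaptureMode;
        set
        {
            if (!Enum.IsDefined(typeof(ScreenCaptureMode), value))
                throw new InvalidEnumArgumentException(nameof(value), (int)value, typeof(ScreenCaptureMode));

            _screenCaptureMode = value;

            // Apply immediately if a window already exists; otherwise OnHandleCreated will do it.
            if (IsHandleCreated && !DesignMode)
                ApplyScreenCaptureMode();
        }
    }

    protected override void OnHandleCreated(EventArgs e)
    {
        base.OnHandleCreated(e);

        // The affinity belongs to the HWND, not to the managed object. WinForms recreates the
        // handle for some property changes (e.g. ShowInTaskbar), which would silently drop the
        // protection, so re-apply it whenever a handle appears. Skip the designer surface.
        if (!DesignMode)
            ApplyScreenCaptureMode();
    }

    private void ApplyScreenCaptureMode()
    {
        uint affinity = _screenCaptureMode switch
        {
            // Build 19041 is Windows 10 version 2004, the first build with WDA_EXCLUDEFROMCAPTURE.
            ScreenCaptureMode.HideWindow when OperatingSystem.IsWindowsVersionAtLeast(10, 0, 19041)
                => WDA_EXCLUDEFROMCAPTURE,
            ScreenCaptureMode.HideWindow => WDA_MONITOR, // older OS: degrade to black, never to Allow
            ScreenCaptureMode.HideContent => WDA_MONITOR,
            _ => WDA_NONE,
        };

        if (!SetWindowDisplayAffinity(Handle, affinity))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        // Fail closed: confirm the OS recorded exactly what was requested before showing data.
        if (!GetWindowDisplayAffinity(Handle, out uint applied) || applied != affinity)
            throw new InvalidOperationException(
                "Display affinity was not applied; refusing to show sensitive content unprotected.");
    }
}
```

Run it with `Application.Run(new ProtectedForm { ScreenCaptureMode = ScreenCaptureMode.HideContent });` from an `[STAThread]` `Main`. Because the affinity is a property of a top-level window, a Form hosted as a child control cannot be protected on its own; in this sketch the SetWindowDisplayAffinity call fails for such a handle and the Win32Exception surfaces, which is the behaviour the note above argues for rather than a silent no-op.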
Limitations/Discussion points
- The SetWindowDisplayAffinity API itself is available from Windows 7; the WDA_EXCLUDEFROMCAPTURE option (HideWindow) requires Windows 10 version 2004 or higher. It only takes effect while the Desktop Window Manager is composing the desktop.
- It does not prevent hardware-based or out-of-band captures (a photo of the screen, an HDMI capture device), and Microsoft's own documentation states that, unlike a DRM solution, the affinity does not strictly guarantee that window content cannot be captured. The API docs must state clearly that this helps secure data but does not totally prevent leakage.
- The protection applies at the window level and may not be granular enough for all scenarios. There are also software mechanisms to circumvent it, although an app needs considerably more effort to do so. We will be adding a few respective warnings in the docs.
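Because the affinity only blocks a specific set of capture paths and only while DWM composition is active, a practitioner will want a repeatable check rather than trusting the return value of SetWindowDisplayAffinity alone. The following smoke test is an added example, not code from the proposal: it shows a plain white Form, captures its client rectangle with Graphics.CopyFromScreen (a BitBlt from the screen DC, one of the paths the affinity blocks), sets WDA_MONITOR and captures again, and expects the second capture to be black. The 95% threshold and the sleep for DWM to compose a frame are assumptions of the sample; it must run on an interactive desktop session.

```csharp
using System;
using System.Drawing;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;

// Added smoke test: confirm a software capture of a WDA_MONITOR window yields black pixels,
// so that a regression in the protection (or an environment where it does not apply) is noticed.
public static class CaptureCheck
{
    private const uint WDA_MONITOR = 0x00000001;

    [DllImport("user32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity);

    // Fraction of sampled pixels inside the form's client area that are pure black.
    // CopyFromScreen BitBlts from the screen DC, the same path a naive screenshot tool uses.
    public static double BlackFraction(Form form, int step = 8)
    {
        Rectangle r = form.RectangleToScreen(form.ClientRectangle);
        using var bmp = new Bitmap(r.Width, r.Height);
        using (var g = Graphics.FromImage(bmp))
            g.CopyFromScreen(r.Location, Point.Empty, r.Size);

        int black = 0, total = 0;
        for (int y = 0; y < bmp.Height; y += step)
            for (int x = 0; x < bmp.Width; x += step)
            {
                total++;
                Color c = bmp.GetPixel(x, y);
                if (c.R == 0 && c.G == 0 && c.B == 0) black++;
            }
        return total == 0 ? 0 : (double)black / total;
    }

    [STAThread]
    public static void Main()
    {
        using var form = new Form { BackColor = Color.White, Width = 400, Height = 300, Text = "Capture check" };
        form.Show();
        Application.DoEvents();
        Thread.Sleep(250);                      // let DWM compose the first frame
        double before = BlackFraction(form);    // white window, captured normally: expect ~0

        if (!SetWindowDisplayAffinity(form.Handle, WDA_MONITOR))
            throw new InvalidOperationException("SetWindowDisplayAffinity failed");
        Thread.Sleep(250);                      // let DWM compose a frame with the new affinity
        Application.DoEvents();
        double after = BlackFraction(form);     // protected window: expect ~1 (black rectangle)

        Console.WriteLine($"black fraction before={before:F2} after={after:F2}");
        if (after < 0.95)
            throw new InvalidOperationException(
                "Window content was captured; the display affinity is not effective in this environment.");
    }
}
```

If the second capture is not black, the usual reasons are that DWM composition is not active or the process is not the window's owner; either way the data would leak, so treating that as a hard failure in a CI smoke test on a real desktop is the conservative choice.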
Benefits
- Simple API that's easy for developers to adopt
- Raises awareness about an important security consideration
- Provides immediate protection against many common screen capture methods
- Aligns with the "secure by default" principle by making security features easily accessible