Protected -> Medium Integrity, elevation policy
-
December 8, 2006 19:57
I have an ActiveX control which needs to start a process with medium integrity. I am trying to get ieuser to elevate the process without prompting the user to OK the elevation.
On install, I generate a GUID and add it to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy, and set the 'AppName' and 'AppPath' to reference the application to run (I do not set the CLSID). I set the 'Policy' value to 3. Even after restarting the PC, IE still prompts the user with the dialog seen in: "Understanding and Working in Protected Mode Internet Explorer"
Any suggestions on what I am doing wrong? The ActiveX control and application to be launched are both signed, and the application has the manifest trust level set to 'asInvoker', and UI to false.
Thanks.
All replies
-
December 8, 2006 21:00
What you outlined sounds like you are doing the right thing. Could you verify/share the application name which starts & the AppPath/AppName values added to the registry.
Thanks
Sharath
-
December 8, 2006 21:56
Made an app called 'test.exe'. Placed it in c:\
Key is: {A72296F2-F88D-4EB4-92F7-3BC70F5A5756}
AppName (REG_SZ): test.exe
AppPath (REG_SZ): c:\
Policy (REG_DWORD): 3
After much frustration, I added the CLSID of the ActiveX control as the CLSID value in that key. It appears to work. I am not sure why it does, at least according to what it seems like the CLSID value should do as detailed by the documentation linked above.
Also, is there an easier way to get ieuser to read the registry settings? If I get this to work, telling users 'you must reboot' to guarantee that ieuser is reset seems like a poor user experience.
-
December 9, 2006 17:32
Are you starting the program using CoCreateInstance? You could try c: without the trailing '\'. I gave it a quick shot on my machine and saw that without the ending '\', it seemed to elevate. I will look into this and get back with some answers.
-
December 13, 2006 6:40
Yes, this seems like an issue (which is being tracked internally). Also, you won't face this issue if you use a directory path other than the root directory.
-
December 13, 2006 17:25
I also see the problem when referencing an installed application under program files.
AppPath=c:\program files\company\product
doesn't seem to work w/o the CLSID specified.
-
December 13, 2006 18:14
CLSID is required if your binary would register a CoClass which is not registered in the HKCR\CLSID. So according to your experience, it might be because you are doing a CreateProcess(test.exe) and then do a CoCreateInstance(CLSID) (where the CLSID is registered by test.exe). If so, then that would make sense why you need a CLSID also.
-
October 20, 2008 1:02
Sharath Udupa - MSFT wrote: CLSID is required if your binary would register a CoClass which is not registered in the HKCR\CLSID. So according to your experience, it might be because you are doing a CreateProcess(test.exe) and then do a CoCreateInstance(CLSID) (where the CLSID is registered by test.exe). If so, then that would make sense why you need a CLSID also.
In "Understanding and Working in Protected Mode Internet Explorer" at
http://msdn.microsoft.com/en-us/library/bb250462.aspx#wpm_elebp it says this registry entry is a value called 'IID', not 'CLSID'. Is this an error in the documentation at that link?
Furthermore, I do not understand what the value is supposed to mean, nor your explanation of why it is used. If the out-of-proc COM server has already registered its COM classes via the --Register command line parameter, is this entry necessary at all? If not, when is it necessary and to what does the value refer? Thanks!
-
October 20, 2008 13:47
In IE7, when IE starts, ieuser.exe will start automatically too. However, when IE quits, ieuser.exe also exists.
So you must close the currently running ieuser.exe so that the registry value takes effect.
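
The ElevationPolicy layout discussed in this thread, as an added example that is not part of any post: Python that parses `reg export` text for that key and lists every entry with Policy 3, noting the two conditions participants reported (drive-root AppPath, missing CLSID value). The sample export and its second GUID are constructed, and value names follow the thread.

```python
import re

# Constructed sample in `reg export` text form. The first entry uses the values
# posted in the thread; the second entry is made up for contrast.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A72296F2-F88D-4EB4-92F7-3BC70F5A5756}]
"AppName"="test.exe"
"AppPath"="c:\\"
"Policy"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}]
"AppName"="helper.exe"
"AppPath"="C:\\Program Files\\Company\\Product"
"CLSID"="{00000000-0000-0000-0000-0000000000AA}"
"Policy"=dword:00000003
'''

KEY_RE = re.compile(r'^\[.*\\ElevationPolicy\\(\{[0-9A-Fa-f-]+\})\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')

def parse_policies(text):
    """Return {guid: {value_name: str or int}} for each ElevationPolicy subkey."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = entries.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None  # a different key: ignore its values
        elif current is not None and (val := VAL_RE.match(line)):
            name, s, d = val.groups()
            current[name] = int(d, 16) if d else s.replace("\\\\", "\\")  # .reg doubles backslashes
    return entries

def audit(entries):
    """Return {guid: [notes]} for entries with Policy 3 (medium integrity, no prompt)."""
    report = {}
    for guid, v in entries.items():
        if v.get("Policy") != 3:
            continue
        notes = [f'{v.get("AppPath")} / {v.get("AppName")}: silent launch at medium integrity']
        if re.fullmatch(r"[A-Za-z]:\\?", v.get("AppPath", "")):
            notes.append("AppPath is a drive root (reported as problematic in the thread)")
        if "CLSID" not in v:
            notes.append("no CLSID value (original poster still saw the prompt without it)")
        report[guid] = notes
    return report
```

Run `audit(parse_policies(text))` on the decoded text of an exported key; real `reg export` files are UTF-16, so decode them before parsing.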