ActiveX Controls in IE7 Protected mode

  • Question

  • Hi all,

     

    I am developing an ActiveX control which needs to deliver content to the user's PC. The content (files) is meant to be shared between multiple users of the same PC. On Vista, we are attempting to write this data to the "Program Data" directory.

     

    My issue is that when run in protected mode, IE 7 virtualizes the writing of our files and stores them in the TIF locations.  Of course, if I add our web site to the trusted zone, everything works as expected.  Indeed, even when run in protected mode, our control operates normally. However, leaving the control writing data into TIF locations isn't an option because 1) all users of the PC will have to download the files, and 2) The files which are not meant to be temporary are prone to be deleted if left in the TIF.  In addition, we don't want to force the user to accept a save dialog for every single file. There are many files being downloaded and some of them actually happen as a background process while the user is otherwise occupied on our site.  The files are, however, ultimately required for the user to use our ActiveX control.

     

    So my question is this: How can I elevate our (MFC-based) ActiveX control to a privilege level which will allow me to save our data to the proper "Program Data" location? I've tried writing a key into HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Internet Explorer \ Low Rights \ ElevationPolicy for our control but IE7 appears to be ignoring this. Ideally, I would like to elevate our control and this would present a security popup to the user allowing them to accept / deny the elevation. From that point forward our control would run with higher security rights and avoid the virtualization.

     

     

    Thanks in advance,

    sneumann@id

     

    Monday, December 17, 2007 5:36 PM


All replies

  • You need to create a broker because HKLM is a key that requires administrative privileges.

     

     

    Tuesday, December 18, 2007 6:21 PM
  • Thanks for the quick response..

     

    I'm creating the reg key during our install process and so, on Vista, the user has already elevated to admin when we write the key. We install our ActiveX control with a Windows installer embedded in a cab file. So IE downloads the cab and executes the MSI to install the control. Should writing a key for an elevation policy be an approach that works (in theory)?

     

    I've toyed with the idea of creating a broker process but was hoping there was a more simple method. Something like embedding a manifest into our OCX to cause IE to run our signed control at medium integrity level. One question I had regarding the broker process was: if I do create a broker EXE and install it alongside my control in our installation directory, won't IE virtualize my attempt to open the EXE? Or, does the creation of an elevation policy key allow IE to load my broker EXE from the path specified in the key?

     

    Thanks again,

    sneumann@id

     

    Tuesday, December 18, 2007 6:36 PM
  • I'm surprised you said that it worked when running in Protected Mode -- that should block writing to anything outside of Low IL locations in the user's profile.  Adding the site to Trusted Sites will make the site run with Protected Mode off, which should allow writing to anyplace on the file system that the user is allowed to write to, such as shared document folders.

    Wednesday, December 19, 2007 4:13 AM
  • Yeah. It works fine in protected mode, but the files get read / written to the temporary internet files location as you would expect.   The problem with this is that the data files downloaded are around 200 MB in size and are meant to be shared between all users on the PC.  So writing the data files to the TIF locations isolates them from other users and would require that each user download all 200 MBs. 

     

    If I make our site trusted it definitely will allow me to write to the ProgramData directory, but I just am not sure that users are comfortable flagging a site on the internet as trusted. Also, that requires the Vista users to perform a manual step once the control is installed. Vista users would have to manually add our web site to their trusted sites list. That is, unless there is a way to create a registry key for a trusted site during our MSI installation?

     

    Another thing that strikes me as odd, when I download all 200MBs of data to a TIF location, there's no way of removing that data short of doing it programmatically. Our nice MSI uninstall doesn't know that our data is buried in the TIF directories, and even when I delete temporary files from within IE (via tools -> internet options -> browsing history -> delete temporary internet files) the files don't get deleted because they are in a deep hidden directory. It's very unfriendly to leave hundreds of megabytes of data hidden on a user's PC if they uninstall our control.

     

    sneumann@id

    Wednesday, December 19, 2007 4:08 PM
  • Here's some info:

     

    Protected Mode

    http://msdn2.microsoft.com/en-us/library/ms537319.aspx

     

    A very helpful blog

    http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx


    IE Forum

    http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=715&SiteID=17

     

    Let me know if any of these help and I'll check back on this later.

     

    Thursday, December 20, 2007 12:36 AM
  • Thinking out loud ---  how about when you install the ActiveX, you create a shared data location for your files, and mark it Low IL so that your ActiveX can write to it from Protected Mode?

    Saturday, December 29, 2007 3:53 AM
  • Thanks for the response and I'm sorry for my delay in responding. We were shutdown for the holiday break.

     

    That sounds like a potential solution.  I was unaware that this was possible. 

     

    A couple of questions:

     

    1) Is it possible to share a low integrity location between users?

     

    2) I'm guessing that low IL locations are restricted to some OS path? Possibly the user's profile directory?

     

    Thanks..

    sneumman@id

     

    Wednesday, January 2, 2008 4:43 PM
  • Answers:

     

    1) Yes -- the integrity label and the "regular" ACL are orthogonal.  The Low IL label means that any process that writes to it must be running at Low IL or higher; the ACL identifies which users are allowed to write to it.  Apply an appropriate ACL and set the label at Low.  You can use icacls.exe for this purpose.

     

    2) If you want to share it among multiple users, you shouldn't put it in one user's profile -- read the documentation about %ALLUSERSPROFILE% and %PUBLIC% (typically C:\ProgramData and C:\users\Public, respectively).  One or the other is the more appropriate location.

     

    HTH.

    Tuesday, January 8, 2008 2:53 AM
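
    Added example (not part of the original thread and not the poster's code): one way an elevated install step could create the shared folder under %ALLUSERSPROFILE%, apply the regular ACL, and set the Low integrity label with icacls.exe as the answer above describes. The folder name `Contoso\ControlData` is a hypothetical placeholder, and the read-back check assumes English-language icacls output.

```powershell
# Added example. Run elevated (for instance from the installer's elevated context).
# 'Contoso\ControlData' is a hypothetical folder name, not taken from the thread.
$dir = Join-Path $env:ALLUSERSPROFILE 'Contoso\ControlData'

function Invoke-Icacls {
    param([string[]]$IcaclsArgs)
    # Run icacls.exe and fail loudly instead of continuing with a half-applied ACL.
    $out = & icacls.exe @IcaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($IcaclsArgs -join ' ') failed: $out"
    }
    return $out
}

New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1) Regular ACL: decides WHICH USERS may write.
#    *S-1-5-32-545 is the well-known SID of BUILTIN\Users; M = Modify,
#    (OI)(CI) = inherited by files and subfolders created later.
Invoke-Icacls @($dir, '/grant', '*S-1-5-32-545:(OI)(CI)M') | Out-Null

# 2) Integrity label: decides the MINIMUM INTEGRITY LEVEL a writer needs.
#    L = Low, so a Protected Mode (Low IL) process can write here without
#    being redirected. The label is independent of the ACL set in step 1.
Invoke-Icacls @($dir, '/setintegritylevel', '(OI)(CI)L') | Out-Null

# 3) Read the result back and confirm the label is present.
$acl = Invoke-Icacls @($dir)
$acl
if (-not ($acl -match 'Low Mandatory Level')) {
    Write-Warning "No Low mandatory label found on $dir (output may be localized)."
}

# Caveat: every Low IL process running as one of these users can now modify
# the folder's contents, so the control should treat files read from it as
# untrusted input (for example, verify a hash or signature before use).
```
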
  • Excellent. That sounds like it will work well. Thanks very much.

     

    sneumann@id

     

    Tuesday, January 8, 2008 3:50 PM