none
non-admin user can't find BHO RRS feed

  • Question

  • Windows 10, IE 11 in a corporate environment.  We have a BHO that is installed by an admin user.  When a user browses to the web site it checks if the BHO is installed.  If the BHO is not installed it prompts the user to have the BHO installed.  In Manage Add-ons the BHO shows as Enabled.

    If IE is started through "Run as admin" everything works as expected.  If IE is started normally then the user will be prompted to have the BHO installed, even though the BHO is already installed (and working).

    My understanding is that this could happen if Protected Mode is enabled, but Protected Mode is disabled.  I suspect that there is a GPO setting that is affecting the detection of the GPO.  Unfortunately there is a separate work group that manages the AD environment so I have limited ability to test what might be set there.

    So, does anyone know if there is a GPO setting that would affect the detection of a BHO or disable it for a non-admin user?  Or if a GPO can set IE to use Protected Mode even though the relevant zone is set (on the local PC) to not use Protected Mode?  I'd also be grateful for any tips on how I could monitor the environment to determine what might be blocking the BHO.

    TIA.

    D.

    Wednesday, October 30, 2019 5:43 PM

All replies

  • ->non-admin user can't find BHO

    Perhaps this issue is related to the BHO suitable OS version and the BHO's DLL location. With refer to this thread and this similar issue, it seems that we need to create and deploy both a x86, x32 and x64 versions of your BHO.

    Besides, after check the official document, it seems that there is no GPO setting for the non-admin user. You could check it

    Enable and disable add-ons using administrative templates and group policy

    Enable the Internet Explorer BHO via group policy

    Group policy Administrative templates

    Thursday, October 31, 2019 8:06 AM
  • Thanks for the suggestions.

    On further testing it appears that the issue is not actually with admin vs. non-admin users.  The user is starting IE through a Pinned Site Shortcut.  We are starting it by finding IE in the Start menu and selecting "Run as Administrator."

    Apparently, if IE is started from a Pinned Site Shortcut the BHOs are disabled.  If IE is started from a .url or .lnk shortcut (or if you just start IE as an application) then the BHOs are enabled.

    So the question morphs into this: is there something in a Pinned Site Shortcut that would force Protected Mode or otherwise disable the BHOs?

    Surfing around the Internet finds some things that would suggest other people have run into this problem but I have found no specific solutions.

    D.

    Thursday, October 31, 2019 7:42 PM
  • Based on my understanding, the Pinned Site Shortcut has been just a shortcut to launch IE browser, it will not force the Protect Mode and enable/disable the BHO.

    When using the two methods to launch IE browser, you could check whether the Protected Mode is enabled for the Internet, Intranet, and Restricted Sites zones using the Internet Options (under the Security tabs).

    Besides, you could also check the whether the browser enabled the Enhanced Protected Mode.

    From the Enhanced Protected Mode add-on compatibility, we can see:

    When this Enhanced Protected Mode is enabled, add-ons such as toolbars, browser helper objects (BHOs), and extensions are loaded only if they are compatible with Enhanced Protected Mode. If you have to load an incompatible add-on, you can disable Enhanced Protected Mode for the desktop browser. This action lets incompatible add-ons load, but it may increase the risk of having malware or other potentially harmful software installed on your computer.

    You could check above setting and try to disable the Protected Mode and Enhanced Protected Mode.

    About the BHO, each time a new instance of Internet Explorer starts, it checks the Windows Registry for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. If Internet Explorer finds this key in the registry, it looks for a CLSID key listed below the key. The CLSID keys under Browser Helper Objects tell the browser which BHOs to load. Removing the registry key prevents the BHO from being loaded. You could check the registry.

    Friday, November 1, 2019 7:47 AM
  • >> Based on my understanding, the Pinned Site Shortcut has been just a shortcut to launch IE browser, it will not force the Protect Mode and enable/disable the BHO.

    That would have been my understanding as well, but see: https://blogs.msdn.microsoft.com/ie/2011/03/11/internet-explorer-9-security-part-3-browse-more-securely-with-pinned-sites/ specifically point number 3.

    Technically, starting from a pinned site doesn't enable Protected Mode, it just starts IE without any toolbars or BHOs.

    D.

    Friday, November 1, 2019 2:21 PM