Understanding and Working in Protected Mode Internet Explorer

http://msdn.microsoft.com/en-us/library/bb250462(VS.85,printer).aspx

©2010 Microsoft Corporation. All rights reserved.

Internet Explorer Development Technical Articles

Marc Silbey, Peter Brundrett
Microsoft Corporation

January 2006
Last Updated: February 2009

Applies to: Windows Internet Explorer 7 in Windows Vista and later

Summary

In Windows Vista, Internet Explorer 7 runs in Protected Mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine or to install malicious code. This topic introduces Protected Mode, describes the Windows Vista features used to implement Protected Mode, shows how to develop extensions that work with Protected Mode, and provides guidelines for developing more secure applications.

Contents

Understanding Protected Mode
    Introducing Protected Mode
    Understanding Windows Vista's Integrity Mechanism
    Understanding Protected Mode
    Configuring Protected Mode
Working with Protected Mode
    Finding Low Integrity Write Locations
    Saving Files to the User Profile
    Starting Processes from Protected Mode
    Allowing Drag and Drop Operations in your Application
    Allowing Applications to Receive Window Messages
    Launching and Navigating a Protected Mode Process
    Debugging with the Application Compatibility Toolkit
Designing Secure Extensions
    Installing Software from Extensions
    Starting Low Integrity Processes
    Lowering Resource Integrity
    Determining Process Integrity Levels
Frequently Asked Questions

Understanding Protected Mode

Protected Mode is an important step forward in security for Internet Explorer (IE); it helps protect users from attack by running an IE process with greatly restricted privileges on Windows Vista. While Protected Mode does not protect against all forms of attack, it significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine or to install malicious code.

This section helps you understand Protected Mode. It introduces Protected Mode, describes the Windows Vista integrity access levels, and summarizes the compatibility impact for Internet Explorer extensions.

Introducing Protected Mode

While most Internet Explorer 7 security features will be available in Internet Explorer 7 for Windows XP Service Pack 2, Protected Mode is only available on Windows Vista because it is based on security features new to Windows Vista.

User Account Control (UAC) [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/dnlong/html/AccProtVista.asp ] makes it easy to run without Administrator privileges. When users run programs with limited user privileges, they are safer from attack than when they run with Administrator privileges, because Windows can restrict malicious code from carrying out damaging actions.

Internet-facing programs are at higher risk for exploits than other programs because they download untrustworthy content from unknown sources. Running these programs with fewer permissions, or at a lower integrity level, than other programs reduces the ability of an exploit to modify the system or harm user data files.

Protected Mode uses the Windows Vista integrity mechanism to run the Internet Explorer process at low integrity. The Windows Vista security infrastructure allows Protected Mode to provide Internet Explorer with the privileges needed to browse the Web while withholding the privileges needed to silently install programs or modify sensitive system data.

Understanding Windows Vista's Integrity Mechanism

Windows Vista includes an addition to the access control security mechanism of Windows that labels processes and other securable objects with an integrity level. The integrity mechanism restricts write access to securable objects [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/secauthz/security/securable_objects.asp ] by lower integrity processes, much the same way that user account group membership restricts the rights of users to access sensitive system components.

The main features of the integrity level mechanism in Windows Vista are as follows:

- Securable objects, like files and registry keys, have security descriptors that define the integrity level, or level of privilege required for write access to the object. This integrity level is defined with a new mandatory access control entry (ACE) in the System access control list (SACL). The new mandatory ACE is called a mandatory label.
- Objects without mandatory labels have an implied default integrity level of Medium.
- Processes have an integrity level defined in the security access token.
- Integrity level checks are performed before user access permission checks.
- Low integrity processes cannot gain write access to objects at a higher integrity level, even if the user's SID is granted write access in the discretionary access control list (DACL).
- User Interface Privilege Isolation (UIPI) [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/dnlong/html/AccProtVista.asp ] prevents processes from sending selected window messages and other USER APIs to processes running with higher integrity.

The following table shows the supported integrity access levels and the privileges they confer.

    Integrity Access Level (IL)    System Privileges
    High                           Administrative (the process can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE)
    Medium                         User (the process can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER)
    Low                            Untrusted (the process can only write to low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key)

By default, child processes started by a low integrity process also run with a low integrity level. Protected Mode allows processes to be created with higher integrity; for details, see the Starting Processes from Protected Mode section.

Applications run from the Start menu have a medium integrity level. Applications that require administrator permissions run with a high integrity level. In Protected Mode, Internet Explorer has a low integrity level.

All files and registry keys on Windows Vista have a default integrity level of Medium. The Windows Vista integrity mechanism automatically assigns low integrity mandatory labels to securable objects created by low integrity processes. As a result, all files and other objects created by Internet Explorer in Protected Mode, or by any other low integrity process, are automatically assigned low integrity mandatory labels. A low integrity process, such as Internet Explorer in Protected Mode, receives access denied errors when it tries to modify existing medium integrity files. Some folders have a low integrity mandatory label. For example, the temporary Internet files folder contains a folder called Low, which is a low integrity folder. A low integrity process, like Internet Explorer in Protected Mode, can create and modify files in low integrity folders.
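The decision rules above (unlabeled objects count as Medium, the integrity check runs before the DACL check, no write up, and new objects take the lower of the creator's and the container's level) can be exercised without a Vista box. The following is an added model written for this page; it is not code from the article or from Windows. The level constants are the real mandatory-label RIDs (the last sub-authority of S-1-16-<RID>), while the objects, the one-bit DACL and the sample inputs are constructed for the illustration.

```c
/* Added illustration (not from the article or from Windows): a model of the
 * Vista integrity check as the text describes it. Level values are the real
 * mandatory-label RIDs; the objects, the reduced DACL and the sample inputs
 * are constructed here so the logic can be run off-box. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    IL_UNTRUSTED = 0x0000,
    IL_LOW       = 0x1000,   /* S-1-16-4096,  Protected Mode IE */
    IL_MEDIUM    = 0x2000,   /* S-1-16-8192,  default for unlabeled objects */
    IL_HIGH      = 0x3000,   /* S-1-16-12288, elevated administrators */
    IL_SYSTEM    = 0x4000    /* S-1-16-16384, services */
};

enum access_kind { ACCESS_READ, ACCESS_WRITE };

/* A securable object: an optional mandatory label plus a DACL reduced to a
 * single bit, "does the user's SID have write access". */
struct sec_object {
    int has_label;            /* 0: no mandatory label -> implied Medium */
    unsigned label_il;        /* RID of the label when has_label is set */
    int dacl_grants_write;    /* 1: the DACL would allow the write */
};

/* Extract the RID from an integrity SID string such as "S-1-16-4096".
 * Returns 0 on success, -1 if the string is not of the form S-1-16-<rid>. */
int il_from_sid(const char *sid, unsigned *rid)
{
    const char *prefix = "S-1-16-";
    size_t plen = strlen(prefix);
    char *end;
    unsigned long v;

    if (strncmp(sid, prefix, plen) != 0) return -1;
    v = strtoul(sid + plen, &end, 10);
    if (end == sid + plen || *end != '\0') return -1;
    *rid = (unsigned)v;
    return 0;
}

/* Name a level the way the article's table does: a RID belongs to the highest
 * threshold it reaches, so 4096 and 5000 are both "Low". */
const char *il_name(unsigned rid)
{
    if (rid >= IL_SYSTEM) return "System";
    if (rid >= IL_HIGH)   return "High";
    if (rid >= IL_MEDIUM) return "Medium";
    if (rid >= IL_LOW)    return "Low";
    return "Untrusted";
}

/* Effective level of an object: objects without a label count as Medium. */
unsigned object_il(const struct sec_object *o)
{
    return o->has_label ? o->label_il : IL_MEDIUM;
}

/* Access decision in the order the text gives: the integrity check runs first
 * and, under the default "no write up" label policy, only governs writes; a
 * write that passes it is then subject to the DACL. Reads of file and registry
 * objects are left to the DACL, simplified here to "readable".
 * Returns 1 if access is granted, 0 if denied. */
int access_allowed(unsigned process_il, const struct sec_object *o, enum access_kind kind)
{
    if (kind == ACCESS_WRITE && process_il < object_il(o))
        return 0;                       /* denied before the DACL is consulted */
    if (kind == ACCESS_WRITE)
        return o->dacl_grants_write;
    return 1;
}

/* Label of a newly created object: the lower of the creating process's level
 * and the container's level, which is why everything Protected Mode IE
 * creates is Low. */
unsigned new_object_il(unsigned process_il, const struct sec_object *container)
{
    unsigned c = object_il(container);
    return process_il < c ? process_il : c;
}

int main(void)
{
    struct sec_object documents = { 0, 0, 1 };       /* constructed: unlabeled, DACL grants write */
    struct sec_object tif_low   = { 1, IL_LOW, 1 };  /* constructed: Temporary Internet Files\Low */
    unsigned ie_il = 0;

    il_from_sid("S-1-16-4096", &ie_il);
    printf("Protected Mode IE runs at %s\n", il_name(ie_il));
    printf("write to Documents although the DACL allows it: %s\n",
           access_allowed(ie_il, &documents, ACCESS_WRITE) ? "allowed" : "denied");
    printf("write to Temporary Internet Files\\Low: %s\n",
           access_allowed(ie_il, &tif_low, ACCESS_WRITE) ? "allowed" : "denied");
    printf("file a Medium process creates inside the Low folder gets label: %s\n",
           il_name(new_object_il(IL_MEDIUM, &tif_low)));
    return 0;
}
```

The point worth noticing is the early return in access_allowed: the DACL bit is never consulted for a write from a lower level, which is exactly why granting the user's SID Full Control on a folder does nothing for Protected Mode IE.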

Understanding Protected Mode

Protected Mode builds on the new integrity mechanism to restrict write access to securable objects like processes, files, and registry keys with higher integrity levels. When run in Protected Mode, Internet Explorer is a low integrity process. As a result, it cannot gain write access to files and registry keys in a user's profile or in system locations. Low integrity processes can only write to folders, files, and registry keys that have been assigned a low integrity mandatory label. As a result, Internet Explorer and extensions run in Protected Mode can only write to low integrity locations, such as the new low integrity temporary Internet files folder, the History folder, the Cookies folder, the Favorites folder, and the Windows temporary file folders.

Likewise, Protected Mode can only send specific window messages to higher integrity processes. For more information, please see the User Interface Privilege Isolation Overview section of Developer Best Practices and Guidelines for Applications in a Least Privileged Environment [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/dnlong/html/AccProtVista.asp ].

By preventing unauthorized access to sensitive areas of a user's system, Protected Mode limits the amount of damage that can be caused by a compromised IE process. An attacker cannot, for example, silently install a keystroke logger to the user's Startup folder. Likewise, a compromised process cannot manipulate applications on the desktop through window messages.

Of course, these defenses also limit legitimate changes to higher integrity locations. Protected Mode provides a compatibility architecture that reduces the impact on existing extensions. A Compatibility Layer handles the needs of many existing extensions. It intercepts attempts to write to medium integrity resources, such as the Documents folder in the user profile and the HKEY_CURRENT_USER registry hive. The compatibility layer uses a Windows Compatibility Shim [ http://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx ] to automatically redirect these operations to the following low integrity locations.

    Documents and Settings\%userprofile%\Local Settings\Temporary Internet Files\Virtualized
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry

However, it will not intercept writes to system locations like Program Files and HKEY_LOCAL_MACHINE. For a complete list, see the Frequently Asked Questions (FAQ) section.

Two higher privilege broker processes allow Internet Explorer and extensions to perform elevated operations given user consent. The user privilege broker (IEUser.exe) process provides a set of functions that let the user save files to areas outside of low integrity areas. In addition, an administrator privilege broker (IEInstal.exe) process allows Internet Explorer to install ActiveX controls. For more information, please see Working with Protected Mode.

Configuring Protected Mode

Protected Mode can be configured in Internet Explorer's Internet Options dialog. To configure Protected Mode, click the Security tab, select a Web content zone, and then change the "Enable Protected Mode" check box, as shown in the following figure.

By default, Protected Mode is enabled for the Internet, Intranet, and Restricted Sites zones. To verify that Internet Explorer is running in Protected Mode, look for the words "Protected Mode: On" next to the Web content zone displayed in Internet Explorer's status bar. In addition, extensions can determine if Internet Explorer is running in Protected Mode by calling the IEIsProtectedModeProcess [ http://msdn.microsoft.com/library/default.aspx?url=/workshop/security/protmode/reference/functions/IEIsProtectedModeProcess.asp ] function.

Protected Mode will be configurable through Group Policy when Windows Vista ships, through the URLACTION_LOWRIGHTS (0x00002500) URL Action. For more information, please see URL Security Zones Overviews [ http://msdn.microsoft.com/en-us/library/ms537187(VS.85).aspx ].

Working with Protected Mode

This section shows how extensions can perform common tasks while in Protected Mode. It explains how to find low integrity object locations, save files outside low integrity file locations, elevate processes out of Protected Mode, and debug Protected Mode access failures.

Finding Low Integrity Write Locations

In Windows Vista, files or registry keys created in Protected Mode have low integrity. When in Protected Mode, securable objects automatically inherit the lower of the integrity levels of the process that created them and of their container. This means that a low integrity process can obtain write access to the objects it creates. However, a low integrity process cannot gain write access to medium or high integrity folders or files in the user's profile. To obtain write access to other medium integrity objects, use a custom broker process and then elevate your broker to a medium level process. When run as medium level processes, broker objects can access medium integrity objects.

By default, extensions can write files to a folder below the user's UserProfile folder, typically %userprofile%\AppData\LocalLow. Use the SHGetKnownFolderPath function with the FOLDERID_LocalAppDataLow identifier to obtain the expanded folder name. SHGetKnownFolderPath allocates the returned string; free it with CoTaskMemFree when you are done with it.

    PWSTR pszLowPath = NULL;
    HRESULT hr = SHGetKnownFolderPath(FOLDERID_LocalAppDataLow, 0, NULL, &pszLowPath);
    if (SUCCEEDED(hr))
    {
        // pszLowPath holds the expanded path, for example C:\Users\<user>\AppData\LocalLow
        CoTaskMemFree(pszLowPath);
    }

Low integrity processes can create and write to low integrity subkeys of the registry, such as HKEY_CURRENT_USER\Software\AppDataLow. Extensions running in Protected Mode's low integrity process can only write to specific low integrity locations, so before writing to a low integrity registry location they should call IEGetWriteableHKCU [ http://msdn.microsoft.com/library/default.aspx?url=/workshop/security/protmode/reference/functions/IEGetWriteableHKCU.asp ] to obtain a low integrity registry location.

Note  Protected Mode modifies IE's environment variables. For example, the GetTempPath() function returns %Temp%\Low when called while Protected Mode is active.

Security Alert  Take care to avoid mixing integrity levels. Low integrity objects should be stored separately from medium or high integrity objects. In addition, medium and high integrity applications should not open low integrity objects without proper validation.

Saving Files to the User Profile

Some extensions need to save files to a particular location so that users or applications can later find the file. The following steps show how to save a file outside of a low integrity location.

1. Create a temporary version of the file in %userprofile%\AppData\LocalLow.
2. Call IEShowSaveFileDialog [ http://msdn.microsoft.com/library/default.aspx?url=/workshop/security/protmode/reference/functions/IEShowSaveFileDialog.asp ] with the location of the user's profile folder to prompt the user to save the file in a different location. If the user accepts the Save As dialog, IEShowSaveFileDialog returns the destination folder they have chosen.
3. Call IESaveFile [ http://msdn.microsoft.com/library/default.aspx?url=/workshop/security/protmode/reference/functions/IESaveFile.asp ] with the location of the temporary file saved in Step 1. When you do this, Protected Mode's user broker copies the file from the temporary location to the location selected by the user. Don't forget to delete the temporary file after the file is successfully saved.

Starting Processes from Protected Mode

In general, extensions should operate as low integrity processes whenever possible. This provides the best protection against malicious attacks. However, there are times when an extension may need to access medium or even high integrity objects. To do this, create a broker process to access the higher integrity objects and then launch the broker process with a higher integrity level. By default, Internet Explorer prompts the user to confirm the medium integrity elevated process, as shown in the following screen shot. For more information, see Starting Low Integrity Processes.

You can silently elevate your broker process to medium integrity level by creating an elevation policy, which is a series of registry keys and values that tell Protected Mode how to handle elevation for a specific broker. Elevation policies must have a globally unique identifier (GUID) associated with them. Use CreateGuid [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/vcext/html/vxlrfvcwizlibvcwizctlcreateguid.asp ] to create a new GUID for your policy. Next, add a key to the following location.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy

Set the name of the new key to the GUID created for your policy and then add the following settings to the key.

1. If your broker is an executable file, add the following settings to your policy.
   - AppName (REG_SZ) is the filename of your broker's executable file.
   - AppPath (REG_SZ) is the user-selected install location of your broker's executable file.
2. If your extension launches a COM server that is not registered in HKEY_CLASSES_ROOT, but gets dynamically registered through COM and launched through CoCreateInstance, add the following setting to your policy.
   - CLSID (REG_SZ) contains the CLSID of the COM server.
3. Policy (DWORD) indicates how Protected Mode should launch the broker. The following table describes the supported values.

    Value    Result
    3        Protected Mode silently launches the broker as a medium integrity process.
    2        Protected Mode prompts the user for permission to launch the process. If permission is granted, the process is launched as a medium integrity process.
    1        Protected Mode silently launches the broker as a low integrity process.
    0        Protected Mode prevents the process from launching.

To illustrate, the following policy would silently elevate a fictional broker called contoso.exe to medium integrity level.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0002df01-0000-0000-c000-000000000046}
        AppName="Contoso.exe"
        AppPath="C:\%USERPROFILE%\Application Data\Contoso"
        Policy=(DWORD) 00000003

Note  For security reasons, Microsoft reserves the right to remove an application from the elevation policy at any time if Microsoft determines that the application has a vulnerability and presents a danger to end users.

Internet Explorer in Protected Mode ignores parameters that change the working directory of CreateProcess [ http://msdn.microsoft.com/en-us/library/ms682425.aspx ], CreateProcessAsUser [ http://msdn.microsoft.com/en-us/library/ms682429(VS.85).aspx ], and related functions. If your process must accept working directory parameters, combine the value of the Policy setting of the elevation policy for your application with 0x80000 using a bitwise OR. Be aware that this can create a security risk; as a result, it is strongly discouraged.

If your existing extension uses rundll32.exe to host a .dll library, you can silently launch a rundll32.exe process with low integrity by adding the library's filename to the following key.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy

The following example shows the setting that would silently load the fictional contoso.dll library with low integrity using rundll32.exe.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy
        contoso.dll

Note  The best practice is to create a custom .exe to host DLLs rather than use rundll32.exe.

You can also create broker processes to access high integrity objects. Note that you do not need to create an elevation policy for these, because UAC handles the elevation. For information describing how to launch broker processes with a high integrity level, please see the Guidelines for Administrative User Applications section of Developer Best Practices and Guidelines for Applications in a Least Privileged Environment [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/dnlong/html/AccProtVista.asp ].

Allowing Drag and Drop Operations in your Application

By default, Protected Mode prompts the user before allowing web content to be copied to a higher integrity process. You can register your application to avoid this prompt and silently accept web content from a drag-and-drop operation by creating a DragDrop policy. DragDrop policies must have a globally unique identifier (GUID) associated with them. Use CreateGuid [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/vcext/html/vxlrfvcwizlibvcwizctlcreateguid.asp ] to create a new GUID for your policy. Next, add a key to the following location.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop

Set the name of the new key to the GUID created for your policy and then add the following settings to the key.

1. If your application is an executable file, add the following settings to your policy.
   - AppName (REG_SZ) is the filename of your application's executable file.
   - AppPath (REG_SZ) is the user-selected install location of your application's executable file.
2. If your extension launches a COM server that is not registered in HKEY_CLASSES_ROOT, but gets dynamically registered through COM and launched via CoCreateInstance, add the following setting to your policy.
   - CLSID (REG_SZ) contains the CLSID of the COM server.
3. Policy (DWORD) should be set to 3, which tells Protected Mode to allow web content to be silently copied to your application process.

The following example shows the settings that would allow web content to be silently copied to the fictional contoso.exe application.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{your policy GUID}
        AppName="contoso.exe"
        AppPath="C:\%USERPROFILE%\Application Data\Contoso"
        Policy=(DWORD) 00000003

Allowing Applications to Receive Window Messages

As mentioned above, UIPI blocks window messages from low to higher integrity processes. If your extension running in Protected Mode needs to communicate with an elevated application using window messages, you can call ChangeWindowMessageFilter() [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/winui/winui/windowsuserinterface/windowing/windows/windowreference/windowfunctions/changewindowmessagefilter.asp ] from the elevated application to allow specific messages through. Otherwise, use only secure forms of interprocess communication (IPC), such as remote procedure calls (RPC), to communicate between Protected Mode and a higher integrity process.

Note  The best practice is to run your application with low integrity if you are communicating with Protected Mode.

Launching and Navigating a Protected Mode Process

If your application uses CreateProcess [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/dllproc/base/createprocess.asp ] to launch IE, it should call IELaunchURL [ http://msdn.microsoft.com/library/default.aspx?url=/workshop/security/protmode/reference/functions/IELaunchURL.asp ] on Vista instead. This ensures that your application gets the right return values and that IE launches in Protected Mode for URLs whose zone has Protected Mode on. If you need to determine whether a specific URL will open in a low (Protected Mode) or a medium integrity IE process before launching IE, call IEIsProtectedModeURL [ http://msdn.microsoft.com/library/default.aspx?url=/workshop/security/protmode/reference/functions/IEIsProtectedModeURL.asp ].

If your application launches Internet Explorer using CoCreateInstance [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/com/html/7295a55b-12c7-4ed0-a7a4-9ecee16afdec.asp ] and you need to continue controlling navigations after IE is launched, you can use IWebBrowser2 [ http://msdn.microsoft.com/library/default.aspx?url=/workshop/browser/webbrowser/reference/ifaces/iwebbrowser2/iwebbrowser2.asp ] to navigate Internet Explorer programmatically. You should make the IE frame visible after navigation. The following example shows how you would do this in C++.

    IWebBrowser2 *pIWebBrowser2 = NULL;
    VARIANT vEmpty;
    VariantInit(&vEmpty);
    BSTR bstrUrl = SysAllocString(L"http://www.msn.com");

    HRESULT hr = CoCreateInstance(CLSID_InternetExplorer, NULL, CLSCTX_LOCAL_SERVER, IID_IWebBrowser2, (LPVOID*)&pIWebBrowser2);
    if (SUCCEEDED(hr))
    {
        // Navigate first, then show the frame
        hr = pIWebBrowser2->Navigate(bstrUrl, &vEmpty, &vEmpty, &vEmpty, &vEmpty);
        hr = pIWebBrowser2->put_Visible(VARIANT_TRUE);
        pIWebBrowser2->Release();
    }
    SysFreeString(bstrUrl);

The following example shows the JScript version.

    var ie = new ActiveXObject("InternetExplorer.Application");
    ie.Navigate("http://www.msn.com");
    ie.Visible = true;

You can only continue controlling navigations after IE is launched if your application has the same integrity level as the IE process launched. Once your application navigates to a URL in an IE process of a different integrity level, you cannot perform additional navigations. Note that a high integrity process with administrator privileges will launch a high integrity IE process with Protected Mode off. If you want to launch Protected Mode from your high integrity process, first create a medium integrity process from it, and launch IE from that medium integrity process.

Debugging with the Application Compatibility Toolkit

Protected Mode works with the Microsoft Application Compatibility Toolkit [ http://msdn.microsoft.com/library/default.aspx?url=/library/en-us/dnanchor/html/appcompat.asp ] introduced with Windows XP Service Pack 2. When Internet Explorer or its extensions attempt to write to securable objects in Protected Mode, the application compatibility logs contain entries that describe the operation and its results.

for example CreateFile or RegOpenKey.printer). This is blank for objects that do not have paths. such as the Program files or registry keys under HKEY_LOCAL_MACHINE. ObjectType is either File or Registry. Installing Software from Extensions When running in Protected Mode. LastError is the last error received by an API function. The following list explains the values in the log entries. This is a three step process. NewObjectPath specifies the object that was modified by the operation.com/library/default.asp ] . If you add to the elevation policy. WriteIgnored indicates that the operation was ignored by ProtectedMode because the attempting process is an elevated broker.asp.asp ] . lower resource integrity levels. ReqObjectPath is the location of the object the operation object attempted to modify.exe does not automatically detect and respond to elevation policy changes. child processes inherit the integrity level of the parent process. InterceptedWrite indicates that the operation was intercepted by the Compatibility Layer.microsoft.aspx?url=/library/en-us/dnlong/html/AccProtVista.aspx?url= /library/en-us/dllproc/base/createprocessasuser. you should create a standalone installation application that can be run with administrator privileges. ActiveX controls and other extensions cannot install software. APIName specifies the function attempting the operation. This information can be invaluable when trying to determine why operations do not behave as expected. CreateVirtualCopy indicates that the Compatibility Layer made a copy of the object in the virtual location. This section shows how to perform these tasks. call CreateProcessAsUser [ http://msdn. APIResult indicates the result returned by the API function attempting the write operation. When write operations succeed.com/library /default.microsoft. IEUser. VirtualizationAction indicates the result of the write operation and is one of the following values. 
In addition to the guidelines offered in Developer Best Practices and Guidelines for Applications in a Least Privileged Environment [ http://msdn. ModuleName is the filename that launched the process accessing securable objects. If your extension needs to modify high integrity objects. Designing Secure Extensions Developing secure Internet Explorer extensions for Protected Mode is not that different from developing secure applications for Windows Vista.85.aspx?url=/library/en-us/IETechCol /cols/dnexpie/activex_security.asp ] .com/library/default.com/library/default.asp ] and ActiveX Security: Improvements and Best Practices [ http://msdn. To start a low integrity process from Protected mode. and determine process integrity levels. start low integrity processes.asp.microsoft. After installation. Starting Low Integrity Processes By default.Understanding and Working in Protected Mode Internet Explorer http://msdn.asp. To start a low integrity process from a medium integrity process.microsoft. CreateNew indicates that the Compatibility Layer created a new object in the virtual location. you have to explicitly start the new process as low integrity.microsoft. To launch your application with administrator privileges. you can include an application manifest as detailed in the Developer Best Practices and Guidelines for Applications in a Least Privileged Environment [ http://msdn. This helps protect the user because the application is running with user privileges instead of administrator privileges. 8 of 12 05/02/2010 18:57 .com/en-us/library/bb250462(VS. your extension running in Protected mode can launch your application with medium integrity instead of launching it from the install application with high integrity. you need to close and restart any open Internet Explorer processes.asp.aspx?url=/library/en-us/dnlong/html/AccProtVista.aspx application compatibility logs contain entries that describe the operation and its results. 
extension developers should understand how to install software from extensions.

1. Duplicate the handle of the medium integrity process.
2. Use SetTokenInformation [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/secauthz/security/settokeninformation.asp ] to lower the process handle to low integrity.
3. Use CreateProcessAsUser [ http://msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/dllproc/base/createprocessasuser.asp ] to create a new process using the low integrity handle.

The following code sample demonstrates this process.

    #include <windows.h>
    #include <sddl.h>

    void CreateLowProcess()
    {
        BOOL                  bRet;
        HANDLE                hToken;
        HANDLE                hNewToken;
        // Notepad is used as an example
        WCHAR                 wszProcessName[MAX_PATH] = L"C:\\Windows\\System32\\Notepad.exe";
        // Low integrity SID
        WCHAR                 wszIntegritySid[20] = L"S-1-16-4096";
        PSID                  pIntegritySid = NULL;
        TOKEN_MANDATORY_LABEL TIL = {0};
        PROCESS_INFORMATION   ProcInfo = {0};
        STARTUPINFO           StartupInfo = {0};

        StartupInfo.cb = sizeof(StartupInfo);

        if (OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &hToken))
        {
            // Duplicate the current (medium integrity) token as a primary token
            if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
                                 TokenPrimary, &hNewToken))
            {
                if (ConvertStringSidToSid(wszIntegritySid, &pIntegritySid))
                {
                    TIL.Label.Attributes = SE_GROUP_INTEGRITY;
                    TIL.Label.Sid        = pIntegritySid;

                    // Set the process integrity level
                    if (SetTokenInformation(hNewToken, TokenIntegrityLevel, &TIL,
                                            sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid)))
                    {
                        // Create the new process at Low integrity
                        bRet = CreateProcessAsUser(hNewToken, NULL, wszProcessName, NULL, NULL, FALSE,
                                                   0, NULL, NULL, &StartupInfo, &ProcInfo);
                        if (bRet)
                        {
                            CloseHandle(ProcInfo.hThread);
                            CloseHandle(ProcInfo.hProcess);
                        }
                    }
                    LocalFree(pIntegritySid);
                }
                CloseHandle(hNewToken);
            }
            CloseHandle(hToken);
        }
    }

Note: You can also launch low integrity processes from Protected Mode by setting a registry key. For more information, please see Launching Processes.

Lowering Resource Integrity

Generally, it is not a good security practice for higher level processes to accept input or share resources with low integrity processes. There is a risk the low integrity process may attempt malicious behavior. However, there are times when this is required by design. For example, Protected Mode displays the Save As dialog from the Internet Explorer User Broker process; this allows the user to confirm that they want to save a file using a process that runs with higher privileges than Protected Mode. Because low integrity applications can only write to low integrity resources, you need to lower the integrity level of the shared resources.

Note: Applications that accept input or share resources from lower integrity processes should assume that data provided by lower integrity processes cannot be trusted and then perform appropriate validation.

To lower the integrity level of a shared resource:
1. Create an SDDL security descriptor that defines a Low mandatory label.
2. Convert the SDDL string to a security descriptor.
3. Assign the low integrity attribute to the security descriptor.
4. Assign the security descriptor to the shared resource.

Windows Vista allows object owners to change the integrity access level of a securable object. Application processes can only set the integrity levels of securable objects to those at or below the application process. Such changes will not update audit logs. Processes with READ_CONTROL privileges for a securable object can use GetNamedSecurityInfo [ http://windowssdk.msdn.microsoft.com/library/default.asp.aspx?url=/library/en-us/secauthz/security/getnamedsecurityinfo.asp ] to determine the object's integrity level.

Note: Even low integrity files will get redirected by Protected Mode's compatibility shim except for known locations mentioned in the frequently-asked questions.

The following code sample shows how to do this.

    #include <windows.h>
    #include <sddl.h>
    #include <AccCtrl.h>
    #include <Aclapi.h>

    // The LABEL_SECURITY_INFORMATION SDDL SACL to be set for low integrity
    #define LOW_INTEGRITY_SDDL_SACL_W L"S:(ML;;NW;;;LW)"

    void SetLowLabelToFile()
    {
        DWORD                dwErr = ERROR_SUCCESS;
        PSECURITY_DESCRIPTOR pSD = NULL;
        PACL                 pSacl = NULL;          // not allocated
        BOOL                 fSaclPresent = FALSE;
        BOOL                 fSaclDefaulted = FALSE;
        LPCWSTR              pwszFileName = L"Sample.txt";

        // Convert the SDDL string to a self-relative security descriptor
        if (ConvertStringSecurityDescriptorToSecurityDescriptorW(
                LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL))
        {
            // The mandatory label lives in the SACL of that descriptor
            if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))
            {
                // Note that psidOwner, psidGroup, and pDacl are
                // all NULL and set the new LABEL_SECURITY_INFORMATION
                dwErr = SetNamedSecurityInfoW((LPWSTR) pwszFileName, SE_FILE_OBJECT,
                                              LABEL_SECURITY_INFORMATION,
                                              NULL, NULL, NULL, pSacl);
            }
            LocalFree(pSD);
        }
    }

Determining Process Integrity Levels

Extensions that can run in different processes might want to check if the code is running in a process at Low or Medium integrity level and modify behavior accordingly. The following steps show how to determine the integrity level of a process.
1. Open a handle to the current process's token.
2. Get the integrity level of the token.
3. Compare the integrity level SID to the system defined integrity level RIDs.

The following code sample shows this process.

    #include <windows.h>
    #include <stdio.h>

    void ShowProcessIntegrityLevel()
    {
        HANDLE                 hToken;
        HANDLE                 hProcess;
        DWORD                  dwLengthNeeded;
        DWORD                  dwError = ERROR_SUCCESS;
        PTOKEN_MANDATORY_LABEL pTIL = NULL;
        DWORD                  dwIntegrityLevel;

        hProcess = GetCurrentProcess();
        if (OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_QUERY_SOURCE, &hToken))
        {
            // Get the Integrity level. The first call only reports the buffer size needed.
            if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLengthNeeded))
            {
                dwError = GetLastError();
                if (dwError == ERROR_INSUFFICIENT_BUFFER)
                {
                    pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, dwLengthNeeded);
                    if (pTIL != NULL)
                    {
                        if (GetTokenInformation(hToken, TokenIntegrityLevel, pTIL,
                                                dwLengthNeeded, &dwLengthNeeded))
                        {
                            // The integrity RID is the last sub-authority of the label SID
                            dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid,
                                (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));

                            if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID)
                            {
                                // Low Integrity
                                wprintf(L"Low Process");
                            }
                            else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
                                     dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
                            {
                                // Medium Integrity
                                wprintf(L"Medium Process");
                            }
                            else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
                            {
                                // High Integrity
                                wprintf(L"High Integrity Process");
                            }
                        }
                        LocalFree(pTIL);
                    }
                }
            }
            CloseHandle(hToken);
        }
    }
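As an added example that is not part of the MSDN article, the Python below decodes, off a Windows box, the two label encodings the C samples above hand to Win32: the SDDL SACL S:(ML;;NW;;;LW) that SetLowLabelToFile applies, and the S-1-16-<RID> comparison that ShowProcessIntegrityLevel performs. The RID constants are the Winnt.h SECURITY_MANDATORY_*_RID values and the two-letter aliases are the sddl.h ones; the function names are mine.

```python
import re

# Winnt.h SECURITY_MANDATORY_*_RID values: the last sub-authority of an S-1-16 SID
SECURITY_MANDATORY_LOW_RID = 0x1000
SECURITY_MANDATORY_MEDIUM_RID = 0x2000
SECURITY_MANDATORY_HIGH_RID = 0x3000
SECURITY_MANDATORY_SYSTEM_RID = 0x4000

# sddl.h aliases for the integrity SIDs and for the mandatory policy flags
SDDL_INTEGRITY_ALIASES = {"LW": SECURITY_MANDATORY_LOW_RID, "ME": SECURITY_MANDATORY_MEDIUM_RID,
                          "HI": SECURITY_MANDATORY_HIGH_RID, "SI": SECURITY_MANDATORY_SYSTEM_RID}
SDDL_POLICY_FLAGS = {"NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}

# ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
_ML_ACE = re.compile(r"^S:\(ML;([^;]*);([^;]*);;;([^)]+)\)$")


def integrity_rid(sid: str) -> int:
    """Last sub-authority of an S-1-16-* SID (what GetSidSubAuthority yields in the C sample)."""
    parts = sid.split("-")
    if parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory-label SID: {sid}")
    return int(parts[3])


def classify(rid: int) -> str:
    """The exact comparisons in ShowProcessIntegrityLevel: only the Medium and High
    thresholds are tested, so Untrusted (0) reports as Low and System (0x4000) as High."""
    if rid < SECURITY_MANDATORY_MEDIUM_RID:
        return "Low"
    if rid < SECURITY_MANDATORY_HIGH_RID:
        return "Medium"
    return "High"


def parse_label_sacl(sddl: str) -> dict:
    """Decode a label SACL such as S:(ML;;NW;;;LW) into policy flags, SID and level."""
    m = _ML_ACE.match(sddl)
    if not m:
        raise ValueError(f"expected a single mandatory-label ACE: {sddl}")
    _ace_flags, rights, account = m.groups()
    policy = [SDDL_POLICY_FLAGS[rights[i:i + 2]] for i in range(0, len(rights), 2)]
    rid = SDDL_INTEGRITY_ALIASES.get(account)
    if rid is None:                      # a literal S-1-16-nnnn instead of an alias
        rid = integrity_rid(account)
    return {"policy": policy, "sid": f"S-1-16-{rid}", "level": classify(rid)}


def build_label_sacl(rid: int, policy=("NW",)) -> str:
    """Inverse of parse_label_sacl: the SDDL SetLowLabelToFile would pass for another level."""
    alias = {v: k for k, v in SDDL_INTEGRITY_ALIASES.items()}[rid]
    return f"S:(ML;;{''.join(policy)};;;{alias})"
```

Running classify over 0 and 0x4000 makes the sample's edge behaviour visible: a token labelled Untrusted reports as Low and one labelled System as High, because only the Medium and High thresholds are compared.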

Frequently Asked Questions

Q: Does UAC file and registry Virtualization apply to Protected Mode?
A: No. UAC Virtualization does not apply to Protected Mode and, therefore, writes by Protected Mode extensions to sensitive areas will not be redirected. Extensions running in Protected Mode get an Access Denied error when they attempt to write to sensitive system areas. Protected Mode also does not have write access to the redirected or virtual store for system areas.

Q: Are there specific locations in the USER PROFILE or HKEY_CURRENT_USER registry location that an extension in Protected Mode Internet Explorer can not write to?
A: Yes. Extensions cannot write to the Internet Explorer-specific locations in the following USER PROFILE folders:
    Documents and Settings\%USER PROFILE%\Local Settings\Temporary Internet Files
    Documents and Settings\%USER PROFILE%\Local Settings\Temp
    Documents and Settings\%USER PROFILE%\Local Settings\History
    Documents and Settings\%USER PROFILE%\Favorites
    Documents and Settings\%USER PROFILE%\Cookies

Extensions can write to the following locations:
    Documents and Settings\%USER PROFILE%\Local Settings\Temporary Internet Files\Low
    Documents and Settings\%USER PROFILE%\Local Settings\Temp\Low
    Documents and Settings\%USER PROFILE%\Local Settings\History\Low
    Documents and Settings\%USER PROFILE%\Favorites\Low
    Documents and Settings\%USER PROFILE%\Cookies\Low
    %USER PROFILE%\AppData\LocalLow

Note that extensions can not write to system locations such as the Program Files folder or the HKEY_CLASSES_ROOT or HKEY_LOCAL_MACHINE subtrees. Furthermore, extensions that attempt to gain write access to securable objects by using an API function in one of the following binaries will receive Access Denied errors.

    actxprxy.dll  Advapi32.dll  bcrypt.dll  BrowseUI.dll  clbcatq.dll  Comctl32.dll  Corpol.dll  CREDSSP.dll
    Crypt32.dll  Cryptnet.dll  dciman32.dll  ddraw.dll  dhcpcsvc.dll  dhcpcsvc6.dll  DNSAPI.dll  dssenh.dll
    dwmapi.dll  Dxtmsft.dll  Dxtrans.dll  gpapi.dll  Ieframe.dll  IEPeers.dll  iertutil.dll  ieui.dll
    iexplore.exe  IMM32.dll  Inetcpl.cpl  IPHLPAPI.dll  jscript.dll  jsproxy.dll  Kernel32.dll  LPK.dll
    mf.dll  mlang.dll  MPR.dll  MSASN1.dll  mscms.dll  MSCTF.dll  msfeeds.dll  msfeedsbs.dll
    Mshtml.dll  MSHTMLED.dll  msimg32.dll  msimtf.dll  msls31.dll  Mstime.dll  mswsock.dll  NAPINSP.dll
    ncrypt.dll  NETAPI32.dll  NLAapi.dll  NSI.dll  Ntdll.dll  ntmarta.dll  offprof.dll  OLEACC.dll
    pnrpnsp.dll  PSAPI.dll  rasadhlp.dll  rasapi32.dll  rasdlg.dll  rasman.dll  rpcrt4.dll  rsaenh.dll
    rtutils.dll  samlib.dll  Schannel.dll  secur32.dll  Secure32.dll  sensapi.dll  Shdocvw.dll  SHLWAPI.dll
    SWEEPRX.dll  TAPI32.dll  URLMon.dll  USERENV.dll  USP10.dll  uxtheme.dll  vbscript.dll  Wininet.dll
    WINNSI.dll  winrnr.dll  WINSPOOL.DRV  winsta.dll  Wintrust.dll  ws2_32.dll  wshtcpip.dll  wship6.dll
    wsock32.dll  wtsapi32.dll

Q: How do I stop my toolbar from launching an elevated Internet Explorer process?
A: Many toolbar installations close all running instances of Internet Explorer and launch a new one once their setup is finished, so that the new toolbar is visible. The problem is that the new Internet Explorer is launched from an elevated process and, therefore, is also elevated. Toolbars can avoid this problem by closing down Internet Explorer and re-launching it with a lower integrity level. For more information, please see Starting Low Integrity Processes.

Q: By default, elevation requests ignore

Acknowledgements

We would like to thank the following for their help in preparing and reviewing this article: Robert Gu, Lance Leonard, Hao-Wei Liu, Jeremy Epling, Sharath Udupa, Bogdan Tepordei, Vidya Nallathimmayyagari, and Will Mason.

Marc Silbey and Peter Brundrett are program managers on the Internet Explorer and Windows Security teams.
