PrivBar Update


PrivBar is a toolbar I first published over seven years ago (!) for Internet Explorer and Windows Explorer.  I updated it three years ago to add support for x64.  Today I am updating it to offer better support for Vista and Windows 7 and the corresponding Server versions.  Specifically, instead of showing a group name such as Users or Administrators in the toolbar, it shows the integrity level of the current page.  One significant benefit is that this helps mitigate the removal of the Protected Mode indicator from the IE9 status bar.

Download the .zip file attached to this post; extract the DLLs to a shared location (e.g., under Program Files) and register each with regsvr32.exe.  (Note that PrivBarX64.dll can be used only on x64 editions of Windows.)  The toolbars need to be enabled separately for Windows Explorer, Internet Explorer, and Internet Explorer (64 bit):  press Alt to display the menu, then choose View | Toolbars | PrivBar x64.  (It says “x64” even for the 32-bit version.)

Integrity levels (ILs) were first introduced in Windows Vista and are part of what makes it possible for programs running under a single user account to have different security restrictions.  Basically (and oversimplifying), a program running at a particular integrity level cannot modify resources that are marked at a higher integrity level.  Their most prominent application is in IE’s Protected Mode.  On Windows 7, IE Protected Mode is enabled in the Internet and Restricted Sites security zones, and disabled in the Intranet, Trusted Sites, and Computer (Local Machine) zones.  With Protected Mode enabled, IE runs at the Low integrity level and cannot directly write to most areas of the file system or registry (which are marked Medium), or manipulate other programs the user is running, such as by sending synthesized keystroke messages.  Sysinternals Process Explorer is a great tool for identifying the ILs of processes on your computer (and the Windows Sysinternals Administrator’s Reference is a great book for learning all about Process Explorer and much more). 🙂

The main ILs you’ll see in Windows are:

  • Low:  less-privileged processes, including Internet Explorer with Protected Mode, as well as Microsoft Office 2010’s Protected View and Adobe Reader X’s sandbox mode.
  • Medium:  most user applications run at the Medium level.
  • High:  user applications running with full administrative rights (e.g., apps launched with UAC’s “Run as administrator”).
  • System:  the integrity level given to Windows services.
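The levels listed above appear in a process token as a mandatory label SID of the form S-1-16-<RID>. The following added example (not PrivBar's code, whose source is not on this page) classifies that SID from `whoami /groups /fo csv` output and pairs it with the icon colors this post gives for PrivBar. The CSV column names and the sample text are assumptions constructed for illustration.

```python
import csv
import io

# Well-known integrity RIDs (last component of a mandatory label SID).
# The RID is a numeric level, so values between the well-known ones
# (e.g. 0x2100, "Medium Plus") fall under the highest threshold they reach.
THRESHOLDS = [
    (0x4000, "System"),
    (0x3000, "High"),
    (0x2000, "Medium"),
    (0x1000, "Low"),
    (0x0000, "Untrusted"),
]

# Icon colors as this post describes them; it names none for other levels.
PRIVBAR_COLOR = {"Low": "green", "Medium": "yellow", "High": "red"}

LABEL_PREFIX = "S-1-16-"

# Constructed sample of `whoami /groups /fo csv` output (not captured data).
SAMPLE = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\\Low Mandatory Level","Label","S-1-16-4096",""
'''


def level_from_sid(sid):
    """Map a mandatory label SID such as S-1-16-8192 to an integrity level name."""
    if not sid.startswith(LABEL_PREFIX):
        raise ValueError(f"not a mandatory label SID: {sid!r}")
    rid = int(sid[len(LABEL_PREFIX):])
    for floor, name in THRESHOLDS:
        if rid >= floor:
            return name
    raise ValueError(f"negative RID in {sid!r}")


def integrity_from_whoami(csv_text):
    """Return (level, color) for the first mandatory label row, else (None, None)."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        sid = (row.get("SID") or "").strip()
        if sid.startswith(LABEL_PREFIX):
            level = level_from_sid(sid)
            return level, PRIVBAR_COLOR.get(level)
    return None, None  # no mandatory label row in the input


if __name__ == "__main__":
    print(integrity_from_whoami(SAMPLE))
```
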

Here’s a screenshot of Internet Explorer browsing a site in the Internet zone.  Protected Mode is enabled and PrivBar shows “Low IL” with a green circle icon.

IE-LowIL

If you browse to a site in the Intranet or Trusted Sites zone, Protected Mode is disabled.  As this screenshot shows, PrivBar reports “Medium IL” with a yellow circle icon.

IE-MediumIL

The vast majority of desktop applications run at Medium IL, including Windows Explorer, shown here:

Explorer-MediumIL

By default, UAC’s “Admin Approval Mode” is not applied to the built-in Administrator account, so when you log on with that account, everything runs with full administrative rights.  Here are screenshots of Internet Explorer and Windows Explorer, with PrivBar reporting “High IL” and a red circle icon.  (Note that in most scenarios, the built-in Administrator account is disabled.)

IE-HighIL

Explorer-HighIL

You can also use the new versions on Windows XP and Windows Server 2003.  There, instead of the integrity level, PrivBar shows “Users”, “Power Users” or “Administrators” as it did in the past.

PrivBar.1.1.0.2.zip

Comments (8)

  1. xpclient says:

    PrivBar is great but the color and UI are ugly. Can you ask some designer friend inside MS to beautify it?

    [Aaron Margosis]  Got any suggestions?  (It looks fine to me.)

  2. xpclient says:

    The circle is not anti-aliased, the color inside could use a nice gradient, the yellow plain color could also use some gradient. Design matters today.

    [Aaron Margosis]  Thanks for noticing.  PrivBar started out with a gradient, but I then very deliberately opted for a minimalist palette invoking Piet Mondrian, Frank Stella and the Partridge Family.  At one point I considered a suprematist motif inspired by Kazimir Malevich, but ultimately felt that white-on-white was insufficiently evocative of an urgent statement like "you're running your browser with full admin rights!"  I understand that PrivBar (like fine art) is not for everyone and I wouldn't blame you one bit for uninstalling it.

  3. PrivBarX128 says:

    Will you publish source code this time?

  4. Max says:

    PrivBar is a great tool, I used the first version for several years on W2k3. Recently I had to reinstall the OS, I tried the recent version of PrivBar v1.1.0.2, but I can't get it to work.

    It registers successfully using regsvr32, and it shows up as enabled in the addon list of IE8.

    But there is no entry for it in the toolbars menu. Customize toolbar does not work either.

    Same story in Windows Explorer. Reboot does not help either.

    Any ideas?

  5. And says:

    Today WindowsUpdate (Win7 SP1 64bit) changed my IE9 into IE10 and PrivBar x64 green light is no more visible, although enabled in addon list. Any clue?

    [Aaron Margosis]  Tried on my Win7x64/IE10 and it works fine.  Press "Alt" to display the menu bar, choose View|Toolbars and make sure it's enabled.  Maybe disable and re-enable it to see whether that helps.

  6. And says:

    Also tried the new release 1.1.0.2 but still invisible in view|toolbars

    [Aaron Margosis] If you're on a 64-bit version of Windows, make sure you're registering both the 32- and 64-bit DLLs.

  7. And says:

    Just discovered that the Windows Update removed IE9/64bit and replaced it with IE10/32bit. Installing the 32bit release of PrivBar now I can activate in the toolbar and discovered the light is red although running through dropmyrights… I'll try to fix the IE 64bit issue first…

    [Aaron Margosis]  1) kind of – there's 64-bit in there too.  See Eric Lawrence's post here and then take a look at the process' bitness in Process Explorer.  2) It's red, and you're using DropMyRights?  I'm guessing that you've disabled UAC and are trying to replicate something akin to Protected Mode with an unsupported and mostly untested legacy tool that's almost ten years old.  I would highly recommend enabling UAC and letting Protected Mode do its thing.

  8. freggeln says:

    Does this solution work with Windows 8/8.1?

    Thanks in advance.

    [Aaron Margosis]  As currently published, it doesn't work when the current tab is in Enhanced Protected Mode.  I need to post an update that's compatible with EPM.