What does ielowutil.exe have to do with Internet Explorer 8.0?


Hi everyone!

 

Let’s start off by providing a little history around the challenges seen with Protected Mode and Internet Explorer (first introduced with Internet Explorer 7).  In Microsoft Windows Vista, Windows Internet Explorer 7 runs, by default, in Protected Mode.   This helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user’s machine or to install malicious code.

 

Protected Mode IE separates the temporary/persistent data that IE saves from regular LUA (Limited User Account) IE and elevated IE. This is to prevent cross IE injection paths, keeping users secure. However, one of the most significant application compatibility issues remaining with Internet Explorer’s Protected Mode and the low integrity architecture is sharing of cookie data between low and higher integrity processes.

When using winINET APIS, a low process like IE’s Protected Mode can only create and manipulate cookies in the low integrity cookie store: \%USER PROFILE%\Cookies\Low. Similarly, medium integrity (or higher)processes like most applications running on Vista can only create and manipulate cookies in the medium integrity cookie store \%USER PROFILE%\Cookies. As a result, applications that rely on IE to download and share cookies are broken because they do not automatically have access to IE’s cookies.

Here’s an example compatibility issue:

Contoso Networks ships a VPN appliance that connects clients to a server through an SSL connection. Users browse to their company’s SharePoint server through Contoso’s SSL VPN.

When the user logs-in, the server sends back a cookie, which gets stored in Protected Mode’s low integrity cookie folder. Office apps like Word can’t find the cookie since they’re running with medium integrity and can only see the medium integrity cookie folder. As a result Contoso adds their servers to IE’s Trusted Sites list so that they won’t run in Protected Mode and cookies will be downloaded to the medium integrity cookie folder. They’d prefer not to add their sites to the Trusted Sites list.

To work around this issue some vendors ship Browser Helper Objects (BHOs), which run in IE, get a downloaded cookie, and share it with their higher integrity application. This approach is not optimal for two main reasons:

  1. BHO’s have a negative performance impact to the browser and
  2. Based on historical data, 3rd party binary code running in the browser is the top cause for reliability and security problems.

Another workaround is to add the websites that write cookies into IE’s Trusted Sites list so that they run out of Protected Mode and write to the medium integrity cookie store. This is not a viable option in many cases, in live messenger for example, the URL is a link that users send to their buddies, adding this to trusted sites to the buddy is not an expected or desirable outcome.

Fortunately, the behavior changes available with installation of Internet Explorer 8.0 provides a much better solution for sharing cookies across integrity level using the IELowUtil.exe process.  IE 8 takes advantages of two new APIs for getting and settings cookies that can be shared across integrity levels:

The the above functions call the standard InternetGetCookie() and ExInternetSetCookieEx() functions from a higher-integrity user context to retrieve or create a cookie with a specified name that is associated with a specified URL.  The signature and behavior of these two APIs will match the winINET APIs:

Reference:

Protected Mode Internet Explorer Reference

 

So the short answer is that IELowUtil.exe is the broker process that handles operations which require processing at a Low Integrity level.  Hopefully this was informative and provides a historical reference regarding this behavior change.

Regards,

The IE Team

Comments (25)

  1. Svercek says:

    Great description. I have an Outlook Addin and am trying to use the IEGetProtectedModeCookie function without success. The app is written in VB6. The declaration & code is listed below. I am getting an error saying the entry point cannot be found. Any suggestions?

    Private Declare Function IEGetProtectedModeCookie Lib "ieframe.dll" _

      Alias "IEGetProtectedModeCookieA"_

       (ByVal lpszURLName As String, _

       ByVal lpszCookieName As String, _

       ByVal pszCookieData As String, _

       pcchCookieData As Long, _

       dwFlags As Long) As Long

    lReturn = IEGetProtectedModeCookie("http://www.jcstechnologeis.com", "", strBuffer, CkSz, 0)

  2. Johnson Programming says:

    Great description. As a suggestion, placing the short answer at the top might satisfy the reader’s initial curiosity.

  3. Jeff Thompson says:

    I am running win7 64 bit on a 2.6 intel dual core processor. I have encountered an unusual problem that has forced me to start using firefox instead of ie, every time I start ie, ielowutil.exe starts and ielowutil.exe is using about 50% of my processor, and when it starts, ie is using about 50% of my resources as well. needless to say, that makes everything come to a screaching hault and I was having to go into task manager and shut them both down. Now ielowutil.exe is still starting up ocationally for some reason, so I need to go into task manager 2-3 times a day and turn it off … help

  4. CoolRaoul says:

    On my PC, when I log in there is a msfeedsync process that starts. It creates a IELowutil.exe sub-process.

    When msfeedsync terminate, IELowutil keeps running (although no IE process has been launched)

    Why?

  5. Jokkers says:

    Running Win7 RTM x64

    I just stumbled upon this in my process list.

    Cant remember i’ve seen it before. the process name "ielowutil.exe" and the description "Internet Low-Mic Utility tool"

    The program is found here "C:Windowswinsxsx86_microsoft-windows-ie-ielowutil_31bf3856ad364e35_8.0.7600.16385_none_2106a98149904819"

    Lately my IE has been running a bit slow… anyho …. MBAM, Microsoft Security Essentials and Spybot have all "cleared" my computer. ….

    This doenst add up for me… Low-Mic Utility tool??? For IE??

    Someone with an explanation for me?

  6. after installing W7 family I receive pop up error messages :

    ielowutil.exe

    internet low-mic utility tool

    "This application has requested the runtime to terminate it in an unusual way.

    Please contact the application’s support team for more information."

    I do not understand the problem and, obviously, don’t see how to cure it.

    Thanks for your help

    Michel

  7. Martin Drew says:

    I am getting exactly the same error message as Michel Aronssohn. I have had it ever since I installed W7 on 19th October. Because I have been busy I have ignored it, but today thought I would try to sort it, but without success. Any ideas anyone?

  8. I’m getting the popup error too, and I’m not using IE.

    Taskbar icon: The normal IE 8 icon

    Window title: Microsoft Visual C++ Runtime Library


    Runtime Error!

    Program: C:Program Files (x86)Internet ExplorerIELowutil.exe

    This application has requested the Runtime to terminate it in an unusual way.

    Please contact the application’s support team for more information.


  9. Mike C. says:

    I have an odd situation whereby ielowutil.exe (Program Files (x86)) is apparently called by Windows Explorer, yet I always use the 64 bit version of IE8. BTW, the ielowutil.exe application is not digitally signed, as the iexplore.exe applcation IS digially signed. I think this is a hack of some kind, and if so, apprently I’m the only one who doesn’t have a way to contact Microsoft and let them into my computer to see what exactly is going on.

  10. Mike C. says:

    To clarify, msfeedssync appears to be the "Parent" object calling ielowutil.exe and it calls the 32 bit which I do_not_want_running_under_any_circumstances_period. Is there a way to force this to use the 64 bit version of the file?

    I mean, why is there a 64 bit version of this file if it is never used?

    If I had had to code that, I would be very upset it wasn’t called when the 64 bit browser is opened.

  11. Reggie Smith says:

    You notice that the last question, which is the only really IMPORTANT question on this entire thread, remains unanswered? Freaking Microsoft. Please stop hiring idiots without asking me first. Thank you.

  12. Uddhav Regmi says:

    I have been windows user since last 20 yrs….

    I have never seen IE crashing in more often than before….

    what is going on  ?

    I have Vista 64 bit – windows Home Prem

    I have all the latest patches till date from MS

    I use Norton Internet Security 2010

    I use CCleaner

    I use Auslogic fast defrag….

    But it is not helping…..

    I have Windows Defeder….

    IE is crashing in Protection Mode….Protection Mode is  *************************   NOOOOOOOOTTTTTT  ********* working…..

    Either IE is not filtering all the http tunnel or something is going on…..

    Specially I notice this since last 7,8 months…..

    I have Quad Core 3 GZ HP machine with 5gb of RAM and  5MB downlaod and 640k  upload internet….so,  it is pretty fast….

    The SATA drive are 7200RPM drive….

    So,  when I open multiple IE session and when I close it…..even with 2…..it is crashing…..

    Either IE is not processing fast  or is not stopping the tunnel or pipe when close ( cross ) buton is pressed…..something goingon……

    I’m ready to help Microsoft if I need to collect any data…..

    Please help me…..

    I’m in US…..

    If you are interested let me know

    uregmi111@gmail.com

    Few suggestions

    a)  keep track of all the programs which IE uses, like flash  or any other ……or any code which runs from IE……we need to monitor that massively……updating IE and patch fix  – thats a generation old technology will not help……

    b) We need special pipe by pipe –  layer by layer  firewall specially for IE…..what actually is coming from  http or other….not any….as these days – …..we need massive development on this……

    Otherwise, I’m telling you   ………………  IE will be gone one day……

  13. Mike C says:

    I’ve got gigs and gigs of dump files and network captures and video of the screen showing this is some kind of vulnerability.

    The thing that should concern Windows users is I am disabled and suspect I’m being hacked and Microsoft says they don’t patch until some threshold of hacking / expoiting is met.

    Yes, Reggie – a legitimate question about process handling / creation, simple yet technical enough for these people to understand seems ignored. I won’t say they are idiots, but I will say they don’t appear to care too much about the customers who purchase their software and thus pay them their wages.

    The more time passes, the more I support Charlie Miller telling Microsoft to find Windows bug on their own. I want $10,000 for the one I found and posted here like Charlie Miller gets.

  14. Mike C says:

    Oh, and I’ve got more than just this one bug to report. Microsoft can BEG me for the data I have.

    im_afk [where?] yahoo.com

    I check that once per week.

  15. Windows 7 warned me that the ielowutil.exe has caused a delay while putting the computer to sleep.

    I checked the events log and I can see multiples references to that executable.

    This application caused a delay during standby:

        File Name : ielowutil.exe

        Friendly Name : Internet Low-Mic Utility Tool

        Version : 8.00.7600.16385 (win7_rtm.090713-1255)

        Total Time : 3531ms

        Degradation Time : 2531ms

        Incident Time (UTC) : ‎2010‎-‎04‎-‎14T12:18:38.370517800Z

    This Windows installation is fresh (April 6). I am not using IE as my main browser.

  16. Richard says:

    I am puzzled with BHO's! If Microsoft is claiming BHO's are not optimal and provide a possible security risk then why is Bing Toolbar by Microsoft using BHO?

  17. C Riches says:

    ielow util is a right pain,  I am running windows7 pro 64bit, on a dual core athelon processor with 8 gig am.

    1Tb hdd and 1Gb graphics card.

    I have to go into task manager to stop this processes every time i open more than one tab in Explorer.

    I want to delete this file, but sodding windows won't let me.

    how can I delete it?

    please help

  18. C Riches says:

    ielow util is a right pain,  I am running windows7 pro 64bit, on a dual core athelon processor with 8 gig am.

    1Tb hdd and 1Gb graphics card.

    I have to go into task manager to stop this processes every time i open more than one tab in Explorer.

    I want to delete this file, but sodding windows won't let me.

    how can I delete it?

    please help

  19. Ozzy_98 says:

    C Riches

    Don't delete that file, re-read what it does in this blog.  If you have to close it for some odd reason, then your install is fobar'ed, and you should reimage.

    Mike C

    You also sell bridges in new york, don't you?

    F Scheltens

     IE and Chrome are the only two browsers I know of that use MIC levels.  If the program doesn't use the file, then it's not going to "clutter" your system.  Even programs loaded are not clutter; if they're not called, then they will be swapped out of physical ram at some point anyways, so there's no performance gain by having a "clutter free" system.  You need to focus more on removing all the extra active applications that so many people use.

  20. Kel says:

    PID: 4640 (4812) C:Program Files (x86)Internet ExplorerIELowutil.exe

    size: 115712

    HELLO ?  i don't even use IE at all i use Chrome, so it must be locked in a hmm background file and take up space like what's his name up there said – unless it is meant for running Windows Vista i highly doubt we need it if we don't use IE, it's left over so when you click on something with IE mentioned it will automatically relog you with ie instead of firefox etc. chrome

    yeah so when will i know someone is gonna read mine?

    Kel

  21. AxelRMSFT says:

    @Kel  

    I would suggest using Process Monitor (technet.microsoft.com/…/bb896645.aspx) and Process Explorer(technet.microsoft.com/…/bb896653.aspx) to help you identify what else maybe using these in your Operating System if you have ruled out Iexplore.exe. Malware or other applications could be at fault and perhaps you are dealing with a virus or malware making protected mode to work harder. I suggest using Microsoft Security Essentials(FREE) http://www.microsoft.com/…/details.aspx

  22. Ken Volz says:

    IELowuti.exe keeps appearing on my screen with the notation unable to start the application???
    Anyone know what is going on, like a malware attack. I do run Win 10 in protected mode.

    1. AxelRMSFT says:

      @Ken Volz
      Check for Add-ons and see if one of those is invoking your scenario.
      You can start IExplore without Add-on and see if that helps.
      When looking at the process from Task Manager, right click on it and see where is the path for the process. It should fall within the IE Folder location.
      C:\Program Files\Internet Explorer
      C:\Program Files (x86)\Internet Explorer

  23. Alex Zajac says:

    See, this explanation is missing a key piece of information. IELowUtil.exe is the file name for the Internet Low MIC Utility, where MIC in turn refers to “Medium Integrity Cookie”, not “microphone”. A huge number of people freak-out and think that this is spyware, not a mundane driver for cookies.

Skip to main content