I’ve been spending a lot of time “getting to know” Internet Explorer lately, and one topic that I wanted to understand a bit more deeply is precisely how file and registry virtualization in protected mode works. If you look at the outcome of virtualization events, here is what you see:
|Protected Mode On||Protected Mode Off|
|Per-User Area||IE Virtualization Store||Per-User Area (no virt)|
|Per-Machine Area||Access Denied||UAC Virtual Store|
Here is what was interesting to me: with Protected Mode turned on, you never see the UAC virtual store. You either see the IE virtual store (which is separate, and redirects to an area marked for Low IL) or you see Access Denied. However, when you see Access Denied, is that because virtualization isn’t turned on for the process, or is that because it is turned on, it is trying to redirect, but it is denied access to the virtual store, because the virtual store is left with the default marking of Medium Integrity?
I wrote an ActiveX control, hosted in IE8, that attempts to write to HKLM. Here’s what happens.
I used Sysinternals Process Monitor to watch. First, I saw the process properties. It suggested that the process is running in Low IL, and that it has virtualization enabled. However, it’s possible (though not likely) that Mark got something wrong here, so let’s look at the behavior.
5:49:43.1526541 PM IEXPLORE.EXE 5212 RegOpenKey HKLM\SOFTWARE\Wow6432Node SUCCESS Desired Access: Read, Maximum Allowed
5:49:43.1526895 PM IEXPLORE.EXE 5212 RegCloseKey HKLM\SOFTWARE\Wow6432Node SUCCESS
5:49:43.1527112 PM IEXPLORE.EXE 5212 RegCreateKey HKLM\SOFTWARE\Wow6432Node REPARSE Desired Access: Maximum Allowed
5:49:43.1527539 PM IEXPLORE.EXE 5212 RegOpenKey HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node SUCCESS Desired Access: Read, Maximum Allowed
5:49:43.1528028 PM IEXPLORE.EXE 5212 RegCloseKey HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node SUCCESS
5:49:43.1528262 PM IEXPLORE.EXE 5212 RegCreateKey HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node SUCCESS Desired Access: Maximum Allowed, Granted Access: Read, Create Link
5:49:43.1528590 PM IEXPLORE.EXE 5212 RegCloseKey HKLM\SOFTWARE SUCCESS
5:49:43.1528927 PM IEXPLORE.EXE 5212 RegQueryKeySecurity HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node SUCCESS
5:49:43.1529239 PM IEXPLORE.EXE 5212 RegOpenKey HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Contoso NAME NOT FOUND Desired Access: Read, Maximum Allowed
5:49:43.1529490 PM IEXPLORE.EXE 5212 RegCreateKey HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Contoso ACCESS DENIED Desired Access: Maximum Allowed
And here we are – the reparse, right through the ACCESS DENIED. Looks like IE in protected mode does have UAC virtualization enabled. When you try to write to a protected location, it doesn’t fail because UAC virtualization is gone, it actually tries virt, but then fails because the virtualization location is a Medium IL location.
Not that this probably changes your life in any meaningful way, but it resolves a bit of an internal discussion we’ve been having where it was suggested that Low IL processes don’t get UAC virt. They do – it just doesn’t help them any! 🙂