New API Smoothes Extension Development in Protected Mode


As extension developers write their code to work in Protected Mode IE7, we’ve received some feedback that points out challenges with upgrades or installer changes that require users to close and restart IE. Yesterday, we shipped a new API that will help developers address this problem.

With Protected Mode Internet Explorer, we introduced the idea of elevation policies – a series of registry keys and values that tell Protected Mode how to handle elevation for a specific extension’s broker process. Protected Mode normally runs the Internet Explorer process with lower privileges. In general, extensions should operate as low integrity processes. However, some extensions require access to medium or high integrity objects. Because of this, extensions can be configured during installation to run with a higher privilege level by creating an elevation policy that is associated with them in the registry. To learn more about integrity levels, broker processes, and how to work in Protected Mode, visit the MSDN Internet Explorer Development Technical Article on the topic.

Prior to this new API, whenever an extension installer modified or added an elevation policy while Internet Explorer was running, the registry change was not picked up by that process. Internet Explorer had to be closed and restarted; only on restart would it read the new policy from the registry. I should note that this behavior only applies to extensions running within Protected Mode.

As part of the IE June Security Update we shipped yesterday, we’ve helped reduce the challenges developers faced with elevation policy. Extension developers no longer need to end and restart the IE process by hand to refresh elevation policies, whether the change is part of an upgrade or an addition to their current installer’s elevation policy. By calling the IERefreshElevationPolicy API as part of your extension installer, the need for ending and restarting Internet Explorer is removed.

MSDN documentation is now available for the IERefreshElevationPolicy API with all of the necessary details to implement it effectively.

For a quick example of what this would look like in code, here is a sample of how to use the API:

#include <windows.h>

// Ask the running Internet Explorer to reload elevation policies from the registry.
// ieframe.dll is loaded dynamically so the installer also runs on systems where the
// update that added IERefreshElevationPolicy is not installed.
HRESULT RefreshPolicies()
{
    HRESULT hr = E_NOTIMPL;
    HMODULE hDll = LoadLibraryW(L"ieframe.dll");
    if (NULL != hDll)
    {
        // The export uses the stdcall (WINAPI) convention; the pointer type must match.
        typedef HRESULT (WINAPI *PFNIEREFRESHELEVATIONPOLICY)(void);
        PFNIEREFRESHELEVATIONPOLICY pfnIERefreshElePol =
            (PFNIEREFRESHELEVATIONPOLICY) GetProcAddress(hDll, "IERefreshElevationPolicy");
        if (pfnIERefreshElePol)
        {
            hr = pfnIERefreshElePol();
        }
        else
        {
            // Export not present: this IE build predates the API.
            DWORD error = GetLastError();
            hr = HRESULT_FROM_WIN32(error);
        }
        FreeLibrary(hDll);
    }
    else
    {
        // ieframe.dll could not be loaded at all.
        DWORD error = GetLastError();
        hr = HRESULT_FROM_WIN32(error);
    }
    return hr;
}
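As an added installer-side example (not code from the original post), the same refresh done from PowerShell, preceded by the registry step the post describes: create an elevation policy entry for a broker executable under the Low Rights\ElevationPolicy key, then call IERefreshElevationPolicy so the running IE picks it up without a restart. The broker directory and file name are placeholders, and the script assumes it runs elevated because the policy lives under HKLM.

```powershell
# Added example, not from the original post. Installer-side steps:
# 1) register an elevation policy for a broker process,
# 2) ask the running IE to re-read policies via IERefreshElevationPolicy (ieframe.dll).
$ErrorActionPreference = 'Stop'

# Placeholders: substitute your broker's directory and file name.
$BrokerDir  = 'C:\Program Files\Contoso'
$BrokerExe  = 'ContosoBroker.exe'
$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'

function New-IEElevationPolicy {
    # Policy: 0 = block launch, 1 = launch at low integrity,
    #         2 = prompt, then launch at medium, 3 = silently launch at medium.
    param([string]$AppPath, [string]$AppName, [ValidateRange(0, 3)][int]$Policy)

    # Each policy is a GUID-named subkey; AppPath is the directory, AppName the file name.
    $key = Join-Path $PolicyRoot ([guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'AppPath' -Value $AppPath -Type String
    Set-ItemProperty -Path $key -Name 'AppName' -Value $AppName -Type String
    Set-ItemProperty -Path $key -Name 'Policy'  -Value $Policy  -Type DWord
    return $key
}

function Invoke-IERefreshElevationPolicy {
    # P/Invoke the export; this mirrors the post's LoadLibrary/GetProcAddress sample.
    if (-not ('Win32.IEFrame' -as [type])) {
        Add-Type -Namespace 'Win32' -Name 'IEFrame' -MemberDefinition @'
[DllImport("ieframe.dll", ExactSpelling = true)]
public static extern int IERefreshElevationPolicy();
'@
    }
    try {
        return [Win32.IEFrame]::IERefreshElevationPolicy()   # S_OK (0) on success
    } catch [System.EntryPointNotFoundException] {
        # ieframe.dll predates the update that added the export; behave like the
        # C++ sample and report E_NOTIMPL so the caller falls back to a restart.
        return -2147467263   # E_NOTIMPL (0x80004001) as a signed 32-bit value
    }
}

$key = New-IEElevationPolicy -AppPath $BrokerDir -AppName $BrokerExe -Policy 3
$hr  = Invoke-IERefreshElevationPolicy
if ($hr -ne 0) {
    Write-Warning ("IERefreshElevationPolicy returned 0x{0:X8}; restart IE to apply {1}" -f $hr, $key)
}
```

Policy 3 makes IE launch the named broker silently at medium integrity, so the AppPath/AppName pair should point only at your own signed broker and never at a general-purpose executable.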

Jeremy Dallman
Program Manager

Sharath Udupa
IE Developer

edit: Add Sharath Udupa as post author

Comments (27)

  1. so glad says:

    So glad that other languages decided not to use/recommend or enforce the use of Hungarian Notation!

    My god that is unreadable code!

  2. Edwin Martin says:

    Why do you think Microsoft needed 5 years to add some features to XP (called Vista).

  3. in a real language/API says:

    So, why no simple API like:

    if ( IEElevationPolicyChangeRequired( ) ) {

     IERefreshElevationPolicy();

    }

    seems so simple…

    or better yet, just call:

    IERefreshElevationPolicy();

    and have this method do the check to see if req’d.

    ho hum.

  4. Lionel says:

    [quote]

    or better yet, just call:

    IERefreshElevationPolicy();

    and have this method do the check to see if req’d.

    [/quote]

    Well, actually, the sample code reduces to

    IERefreshElevationPolicy();

    plus:

    * error checking

    * run-time checking whether the API is present (since the program could be running on unpatched Vista, or even possibly older Windowses).

  5. Complete unrelated to this post but when are you guys going to respond to the IE7 is slow compared to Safari/Firefox?

  6. Creating a process from within IE7, part 5 – Windows Vista/Internet Explorer 7

  7. luc says:

    @Edwin Martin

    Windows Vista developed from Windows Server 2003 code and NOT XP

  8. We are a plug-in vendor. We need the plug-in (OCX file installed via CAB) running in IE 7 in protected mode to be able to create a folder and write files into that folder on the user’s Desktop or another location specified by the user. Currently, these folders/files are written to a virtualized location which is very confusing for users. Is there an API to do this?

  9. Dave Massy says:

    Vlad,

    Take a look at the article at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp and specifically the section on "Saving Files to the User Profile" which should help.

    Thanks

    -Dave Massy

  10. Anders Borum says:

    The code sample is so ugly my eyes started bleeding upon reading the first line ..

    Not sure if it’s correct code, but it sure ain’t pretty.

  11. Jerry Mead says:

    IE7 on XP error with this API is noted here:

    http://www.profundis.co.uk/peteblog/PermaLink,guid,01eec8dc-9833-445f-99fd-e9eb0a263147.aspx

    Dave Massy, posting here? … haven’t you got anything better to do? Oh, hang on:

    "Yes there’s a second child on the way"

    so I guess the answer’s yes 🙂

    Fantastic.

  12. Jeremy Dallman [MSFT] says:

    @Jerry Mead: Protected Mode (and this API) is not supported on XP.

  13. Jerry Mead says:

    @Jeremy

    >> Protected Mode … is not supported on XP <<

    Actually, J, I probably knew that already.

    Did you not read Pete’s note, linked to in my comment FYI?

    "Small problem. If you run this code on Windows XP with patched IE 7, the API will be found (fair enough) but fails with the completely crazy error code 0x80070539. This might mean ERROR_INVALID_SID (surely not) or perhaps something else. Why wouldn’t E_NOTIMPL do?"

    His comments are open for your answer.

  14. Dave Massy: I’ve read the documentation but I am still not getting the full picture – sorry. From the docs, I gather we need to write to /Internet Explorer/Low Rights/ElevationPolicy and set Policy to 3. Is AppName = IEUser.exe? Also, the IESaveFile is for writing files. What about creating folders?

  15. Roland (Add-on developer) says:

    Vlad Alexander: You must create an additional broker .exe. When you need to write to the folders, ShellExecute the broker .exe from within your component. The broker can then access the folders.

    IE will display a security warning by default before starting the broker .exe because the broker will run out of IE’s Protected Mode. However, if you add the elevation policy settings for the broker .exe to the registry, IE will no longer display security warnings and run the .exe silently. Thus, AppName = the name of your broker .exe.

  16. Josh Stodola says:

    IE7 totally sucks, it consistently freezes up my state-of-the-art machine EVERY TIME I USE IT.  Sometimes my favorites disappear, as well (that is, if the favorites menu even opens!).  Thanks for releasing this slow piece of junk, Microsoft.  

  17. Josh Stodola says:

    Oh yeah, I click an RSS feed and I get a blank white frozen screen for at least 30 seconds.  Then all of a sudden everything appears.  I should be getting paid to use this piece of garbage!  I’m not a Firefox/Opera fan either, I am all pro IE.  I have always used it.  Why did you release this crap?!

  18. luc says:

    I noticed speed improvements in IE7 for Vista after I applied this patch.

  19. - says:

    Status update on the public bug tracking system please.

  20. Jesse L says:

    Congratulations to you and your wife Dave!

    And thanks to Team IE for the added flexibility.

    Yo-ho-ho!

  21. EricLaw [MSFT] says:

    @Josh Stodola: Have you tried running IE7 without extensions?  Buggy add-ons are the top source of problems.  See http://enhanceie.com/ie/troubleshoot.asp for a step-by-step guide to finding the addon causing your issue.

  22. glen says:

    I see that Microsoft is making new fans with IE7! *NOT*.

    http://blogs.ittoolbox.com/c/programming/archives/javascript-myself-to-death-meet-the-ie-7-stupid-bar-17070

    What is the fix to get the stupid security warning bar/popups to stop for a domain/IP that you specify.

    In particular, localhost, 127.0.0.1, 192.168.100.x etc.

    Thanks.

  23. jerry says:

    Actually, for blocking/allowing JavaScript (don’t even get me started with the "Active Content" moniker that caused half this mess in the first place), is there an options window like the one for cookies?

    If not, can you please add one (backported to IE7) for:

    – JavaScript

    – ActiveX

    – Java

    Please, for the love of Pete, DO NOT group them together.

    Screenshot of the privacy dialog for cookies, which needs to be copied for JavaScript, and again for ActiveX and Java:

    http://img505.imageshack.us/my.php?image=sitebasedblockorallowar3.png

    jerry

  24. EricLaw [MSFT] says:

    @glen: The security-related Information Bars are shown to prevent malicious content from infecting your computer.

    If you view only content you trust on your local computer, click Tools / Internet Options / Advanced, scroll down to the Security section.  Check "Allow active content to run from My Computer".

    For attack surface reduction reasons, it’s not recommended that you browse the web at large with that box checked.  

  25. Mike says:

    How about international guidelines, so that Third Party developers can avoid making the mistakes that Microsoft seems to be committed to repeating? For example: http://blogs.msdn.com/michkap/archive/2007/01/25/1526224.aspx

  26. Fduch says:

    @Eric

    The bars say "The page wanted to do SOMETHING (we won’t tell you!). Do you want to let it do SOMETHING and see what will happen?"
