New API Smoothes Extension Development in Protected Mode

As extension developers write their code to work in Protected Mode IE7, we’ve received some feedback that points out challenges with upgrades or installer changes that require users to close and restart IE. Yesterday, we shipped a new API that will help developers address this problem.

With Protected Mode Internet Explorer, we introduced the idea of elevation policies - a series of registry keys and values that tell Protected Mode how to handle elevation for a specific extension’s broker process. Protected Mode normally runs the Internet Explorer process with lower privileges. In general, extensions should operate as low integrity processes. However, some extensions require access to medium or high integrity objects. Because of this, extensions can be configured during installation to run with a higher privilege level by creating an elevation policy that is associated with them in the registry. To learn more about integrity levels, broker processes, and how to work in Protected Mode, visit the MSDN Internet Explorer Development Technical Article on the topic.

Prior to this new API, whenever an extension installer modifies or adds to the elevation policy outside of the currently running Internet Explorer process, the installed registry changes are not reflected as part of that process. To end the current process, Internet Explorer needs to be closed and restarted. On restart, Internet Explorer is then able to pick up the new policy from the registry. I should note that this behavior only applies to extensions running within Protected Mode.

As part of the IE June Security Update we shipped yesterday, we’ve helped reduce the challenges developers faced with elevation policy. Extension developers can now eliminate the need to manually end and restart the IE process to refresh elevation policies whether it is part of an upgrade or an addition to their current installer’s elevation policy.  By calling the IERefreshElevationPolicy APIas part of your extension installer, the need for ending and restarting Internet Explorer is removed.

MSDN documentation is now available for the IERefreshElevationPolicy API with all of the necessary details to implement it effectively.

For a quick example of what this would look like in code, here is a sample of how to use the API:

HRESULT RefreshPolicies()
{
HRESULT hr = E_NOTIMPL;
HMODULE hDll = LoadLibrary(L"ieframe.dll");
if (NULL != hDll)
{
typedef HRESULT (*PFNIEREFRESHELEVATIONPOLICY)();
PFNIEREFRESHELEVATIONPOLICY pfnIERefreshElePol = (PFNIEREFRESHELEVATIONPOLICY) GetProcAddress(hDll, "IERefreshElevationPolicy");
if (pfnIERefreshElePol)
{
hr = pfnIERefreshElePol();
} else {
DWORD error = GetLastError();
hr = HRESULT_FROM_WIN32(error);
}
FreeLibrary(hDll);
} else {
DWORD error = GetLastError();
hr = HRESULT_FROM_WIN32(error);
}
return hr;
}

Jeremy Dallman
Program Manager

Sharath Udupa
IE Developer

edit: Add Sharath Udupa as post author