Staying in Control of Your Default Search Provider

One of our guiding principles in Internet Explorer is to keep users in control of their browser. This applies to settings like the home page, enabled add-ons, and the default search provider. Sometimes, 3rd party software changes the consumer’s default search provider without their consent. Consumers may be surprised to see search results from an unfamiliar Web site and may not know how to change back to their previous default search provider. As we work with developers to ensure that they use the proper method to change the default provider, IE protects consumer’s choice with User Preference Protection.

We’ve made several enhancements to User Preference Protection in IE9 so it stays out of the way while you browse. In this post, we revisit the motivations for this feature and walk you through the changes that we’ve made in IE9. We also reiterate the guidelines and best practices for 3rd party developers to follow to change the default search provider properly in IE.

Search Provider Extensibility in Internet Explorer

The default search provider is an integral part of the browsing experience. IE9 displays search results from the default provider when you enter a search query in the One Box for the IE or pinned site window. The default provider is also your default search accelerator.

IE promotes user choice with search providers. In IE7 and later, Web sites can create and advertise their own search providers via APIs that support the OpenSearch Web standard. You can also find search providers through the IE Gallery and switch providers as they search in the One Box. You can change your default search provider in Manage Add-ons.

You can configure your search providers in Manage Add-ons
You can configure your search providers in Manage Add-ons

IE also provides APIs for 3rd party software to install new providers and to change the default provider. These APIs change the default provider only after confirming the user’s consent for the change. Using the APIs ensures that the software is following the Guidelines and Requirements for IE add-ons.

For example, when you install a 3rd party software application you will see the following dialog if you choose to change the default provider in the installer. IE does not need to be running for this dialog to appear.

You’ll see this dialog when 3rd party software changes the default search provider by following the Guidelines and Requirements for IE add-ons
You’ll see this dialog when 3rd party software changes the default search provider by following the Guidelines and Requirements for IE add-ons

This dialog shows you the name and publisher of the software that wants to change your default provider. The information is obtained from the software module calling the API. We designed the dialog to ensure user choice is respected. You must make a deliberate choice and to prevent you from inadvertently changing to the new provider if you skip through the dialog quickly. IE changes the default provider only if you make an explicit choice to do so on the dialog.

Some 3rd parties choose to change the default provider through modifying the registry value that stores the default. This is not a supported mechanism, does not follow recommended guidelines, and can lead to stability issues in the future. Most importantly, it doesn’t keep users in control of their search settings like the above API method. Users may end up having their search queries sent to an unknown Web site.

Furthermore, we’ve seen cases where multiple 3rd parties repeatedly modify the registry value to their own provider. This puts users even further out of control. This can lead to users uninstalling the 3rd party applications to prevent the applications from playing search provider roulette. This isn’t good for consumers or 3rd party application developers.

Protecting Search Provider Preferences in IE9

The User Preference Protection feature provides protection against 3rd party modification of the default search provider registry value. It informs you of changes to the value and lets you decide whether to accept the change or keep the current search provider. IE9 has several enhancements to this feature to further minimize interruptions when you browse.

Staying out of your way

Consider the following scenario where a 3rd party program tries to change your default provider to “Contoso Search” by modifying the default provider registry value. Once IE9 detects a change in the registry value, it respects your previous choice and reverts back to the original default provider immediately. In the picture below, notice how your default provider remains as Fabrikam even though the Contoso Search provider is installed (third icon in the list).

IE reverts back to your original provider when a 3rd party program tries to change it through the registry
IE reverts back to your original provider when a 3rd party program tries to change it through the registry

Instead of displaying a modal dialog requiring you to make a decision, IE9 displays the following notification:

Notification warning that an unknown program would like to change your default search provider.

If you didn’t intend to change your default provider you can also ignore the notification. The URL that IE displays in the notification is the top level domain of the search results page that the provider will navigate to when you use it. Displaying this information protects you from spoofing attacks. Finally, since IE is unable to tell which program changed your default, the notification makes it clear that the change is from an “unknown program.”

One opportunity to be the default

We addressed the search provider roulette problem in IE9 by minimize the number of notifications you’ll see about changing the default. When you choose not to change the default search provider through the above notification, IE will never ask you about changing the default to that provider again.

This behavior only applies when default providers are changed via the registry. For example, if you select “Don’t change” in the above usage scenario, IE no longer notifies you about changing the default to Contoso Search if it continues to be modified in the registry. But if the 3rd party program uses the API to set the default to Contoso Search, you will see the above dialog properly. You’ll also be able to change the default provider yourself through Manage Add-ons as described earlier.

Looking Ahead

The User Preference Protection feature in IE9 continues to prevent 3rd party programs from changing the default search provider without users’ explicit approval. The improvements introduced in IE9 ensure that IE stays out of the way and minimizes repeated interruptions during browsing while protecting user’s choice. For example, if users don’t act on the notifications, IE will never change their default provider.

In general, we discourage developers from setting the default provider through modifying the registry. It’s against our stated guidelines and is an example of unsupported extensibility that may lead to compatibility issues with IE in the future. If developers follow the add-on Guidelines and Requirements, users should never see User Preference Protection in action.

Developers should use the supported APIs that we introduced in IE8 to set the default. This ensures that users stay in control of their search provider setting. You can consult this article to review the best practices in detail.

—Herman Ng, Program Manager, Internet Explorer

Comments (7)
  1. I've added a line for IE8+ on…/OpenSearch_search_clients – feel free to fix this info, it's a Wiki.

  2. JustMe says:

    In the future, I wonder if it would be useful for the registry change detected message to read "An unknown and possibly malicious program …" instead of just "an unknown"? Perhaps even "A possibly malicious program…"? I know that this might cause some users a bit of anxiety, and might incite some bad developers, but from what I've seen in tech support it's the truth. Possibly there are downsides to this that I haven't thought of though. m(_ _)m

  3. Anon says:

    Does the Windows Live Essentials installer suite uses this official way of setting my search provider to Bing? It seems not. And why doesn't it ask for my explicit permission to change my home page or search provider? It has a checkbox but it is selected by default. Unlike what your recommendations and guidelines above state.

  4. Anon says:

    It seems to me that you intentionally made the search provider selection process cambersome so that users will stay with Bing and not switch to Google. To change my provider I have to guess that it is done through a differently-sounding name of a dialog box called Add-ons instead of Search Provider Preference or something similar. I have to click through to a website. Don't you know that users hate visiting external website as they take time to lad and they will click away because of that? Then I have to find the provider and click it, again cambersome as I have to scroll etc. Then I have to confirm it. Again another unnecessary step. Why didn't you simply provide a list view control with all the information that is available on your website which caches its information so that it can work even offline but updates its information through a web service? And why didn't you place such a list view control within a simple and easy to reach button or menu choice instead of hiding the functionality into the add-ons dialog box? List view controls are ideal not a website gallery.

  5. Richard says:

    Shame you decided to break the opensearch discovery feature for IE9 and delete all the related bug reports from Connect. Now, a feature which worked in IE7 and IE8, and which still works in Firefox and others, does nothing in IE9.

  6. Rob says:

    Herman…. SearchHook hijacking is still occurring…. eg… user says they are redirected to their ISP's search page when they mistype a url, even though they have set goooooooooogle as their default search provider.

    Users can only reset the default search hook provider (MS), by doing a RIES. This can be reinstated the next time IE starts and a satellite BHO makes the registry entries. IE 10 should ignore entries in the SearchHook registry key and only use the MS Search Hook.

  7. Ken says:

    Could you make the "Manage Add-ons" GUI a little more confusing and bad? Specifically the lower 1/2. I can almost figure out what's going on, so you should fix that.

Comments are closed.

Skip to main content