Understanding Enhanced Protected Mode


Last week, Andy Zeigler announced the introduction of Enhanced Protected Mode (EPM) over on the IEBlog. In today’s post, I’d like to provide further technical details about EPM to help security researchers, IT professionals, enthusiasts, and developers better understand how this feature works and what impact it may have on scenarios they care about.

Internet Explorer’s Process Model and Bitness

For the past several releases, Internet Explorer has sported a multi-process architecture, where the “Frame” or “Manager” process runs at Medium Integrity and the “Tab” or “Content” processes run at either Low Integrity (Protected Mode) or Medium Integrity (for Zones where Protected Mode is disabled, like Intranet sites). All HTML content and ActiveX controls run in the Content Process. Even toolbars, which visually appear as if they’re in the Manager Process, really run down in a Content Process.

For IE10, we’ve changed IE such that Manager Processes always run as 64bit processes when running on a 64bit processor running a 64bit version of Windows. This improves security among other things. We do not expect that this change will meaningfully impact compatibility, because the Manager Process is designed not to run 3rd party content, and thus there’s little opportunity for anyone to take a dependency upon the Frame Process’ bitness. In support of this change, the various registry points that point to Internet Explorer have been updated to point to C:\Program Files\Internet Explorer\iexplore.exe. If you manually invoke C:\Program Files (x86)\Internet Explorer\iexplore.exe, that 32bit process will simply launch the 64bit version of iexplore.exe (with the appropriate command line parameters) before exiting.

For the Content Processes, the story is a little more complicated. In the Metro-style experience of Internet Explorer, all Content Processes will run at 64bit (on Win64), which means that they benefit from the improved security provided in 64bit. The compatibility impact is minimal because Metro-style IE does not load any browser add-ons (Toolbars, BHOs, and non-browser-platform COM objects like MIME Handlers, URLMon Protocol Handlers, MIME Filters, ActiveX controls, etc). Back in IE9, running in 64bit mode meant that JavaScript was not JIT-compiled, but for IE10, the JIT compiler was enhanced to work for both 32bit and 64bit tabs, providing great performance in both. Additionally, many major browser add-ons like Flash, Silverlight, and Java are now available in 64bit versions.

In Internet Explorer on the Desktop, Content Processes remain at 32bit by default for compatibility with 32bit ActiveX controls, Toolbars, BHOs, etc. Even when you directly launch the 64bit iexplore.exe executable, you will still have a 64bit Manager Process that hosts only 32bit Content Processes. If you want to enable 64bit Content Processes for the Desktop, you must tick the Enable Enhanced Protected Mode option in the Security section of Internet Explorer’s Tools > Internet Options > Advanced tab. When this option is enabled, all Content Processes that are running in Protected Mode (e.g. Internet Zone and Restricted Zone, by default) will begin to use 64bit Content Processes.

Note: In the Windows 8 Release Preview, if you enable Protected Mode for the Local Intranet and Trusted Zones, even if you enable EPM, the Intranet and Trusted Zones will run in 32bit LowIL rather than a 64bit AppContainer.

[Image: enableepm]

In the upcoming Internet Explorer 10 on Windows 7 and Windows Server 2008R2, the only thing that enabling Enhanced Protected Mode does is turn on 64bit Content Processes. But, when running on Windows 8, the EPM option provides even more security by also causing the sandboxed Content Process to run in a new process isolation feature called “AppContainer.”

Intro to AppContainer

Windows Vista introduced the concept of Integrity Levels. The default integrity levels used by applications (Low / Medium / High) constrained what parts of the system could be written (e.g. registry keys, files, etc) and how applications could communicate or share data. Notably, in most circumstances, Integrity Levels were “Allow Read-Up; Block Write-Up” meaning that even a Low Integrity process like an IE tab would have full read-access to the rest of the disk and registry even those locations which were marked as Medium or High integrity.

Windows 8 introduces a new process isolation mechanism, called AppContainer, that offers more fine-grained security permissions and which blocks Write and Read Access to most of the system. There’s not a lot of documentation specifically about AppContainer because all Metro-style applications run in AppContainers, so most of the documentation is written from that point of view. For instance, here’s a page that describes the capabilities that a Metro-style application can declare that it needs: http://msdn.microsoft.com/en-us/library/windows/apps/hh464936.aspx. Under the covers, it’s the AppContainer that helps ensure that an App does not have access to capabilities that it hasn’t declared and been granted by the user.

IE Tabs and AppContainer

Tabs running in Enhanced Protected Mode on Windows 8 run inside an AppContainer. On Windows 7 and Windows Server 2008 R2, AppContainer does not exist, so EPM only enables 64bit tabs on a 64bit OS. (That also means that enabling EPM on a 32bit Windows 7 system doesn’t do anything, because a 32bit Windows 7 system supports neither 64bit nor AppContainer).

On Windows 8, Metro-style IE’s tabs in the Internet and Restricted Zone run in Enhanced Protected mode, while tabs in other zones run in 64bit only. You cannot disable EPM for Metro-style IE except by turning off Protected Mode entirely.

By default, Desktop IE’s tabs run in the Low Integrity Protected Mode at 32bit. Only if you enable Enhanced Protected Mode using the Internet Options control panel will Desktop IE’s tabs run in AppContainer (and 64bit, if available).

IE’s AppContainer

Internet Explorer’s EPM-mode tabs run in an AppContainer named windows_ie_ac_001. In the Windows 8 Consumer Preview release, this container declares the capabilities internetClient, location, and sharedUserCertificates.

Notably, the container does not specify internetClientServer, privateNetworkClientServer, enterpriseAuthentication, or any of the *Library capabilities, which means that Internet content runs in a tightly-limited process.

AppContainer - Network Restrictions

AppContainer introduces three key restrictions related to Network Connectivity that impact EPM. I’ll describe each.

Acting as a Network Server is Blocked

Because EPM’s AppContainer does not have the internetClientServer capability, there’s no way for an EPM process to accept inbound connection attempts from the network. Typically, such connections weren’t possible in the Web Platform anyway (e.g. there's no JavaScript method to listen() on a new TCP/IP socket), but some browser add-ons had the capability of allowing inbound connections (even though this became pretty uncommon with the broadscale deployment of firewalls). When EPM is enabled, such add-ons will not be able to accept remote connections.

Loopback-blocked

Apps running in AppContainer are not allowed to make connections to locally-running processes outside of their own package. This means, for instance, if you run a local developer instance of Apache or IIS on your own computer, you will find that Metro-style applications are unable to connect to that server. This also means that by default, you cannot use Fiddler to debug Metro-style applications, because Fiddler acts as a proxy server on your local computer. To unblock Fiddler users, I’ve published a simple utility that allows users to remove the Loopback Restriction on the AppContainers of their choice; you can also use this utility to allow your App or MetroIE to contact a locally-running web server for development purposes.


Please note that Windows Store-delivered applications will not be permitted to set a loopback exemption for themselves, so this is only useful for test/development purposes.

Now, one key thing to understand about Loopback connections in Metro-style Internet Explorer is that the Hostname you use in your URL matters a lot! If you try to navigate to http://127.0.0.1/, your page will be treated as Internet Zone and thus will run in an EPM tab, and the loading of the page will be blocked by the AppContainer’s Loopback-block; you’ll see a Page Could Not Be Displayed error page.

However, if you instead try the URL http://localhost/ (assuming your Intranet Zone is enabled), you will find that Internet Explorer considers your content to be Local Intranet Zone, and thus it is loaded in a Medium Integrity (non-Protected Mode) tab. The page will successfully load since it is not running in EPM, and thus isn't blocked by the network restrictions provided by AppContainer.

Private Network resources

Because EPM does not declare the privateNetworkClientServer capability, your Intranet resources are protected from many types of cross-zone attacks (usually called “Cross-Site-Request-Forgery (CSRF)” and “Intranet Port Scanning.”) Internet pages are not able to frame Intranet pages, load images or resources from them, send them CORS XHR requests, etc.

However, it’s important to understand how this restriction functions, because it can have some very surprising outcomes depending on how your Internet Explorer Security Zones are configured.

For instance, many of us have a home router with a configuration UI accessible at http://192.168.1.1 or a similar address that is not globally-routable. On one hand, it’s desirable to prevent Internet content from sending requests to such addresses to help block CSRF-attacks that might maliciously reconfigure poorly-secured routers. However, for historical and other reasons, Security Zones consider this dotted hostname to be an Internet-Zone address by default, which means that if you attempt to navigate to the Router configuration page in Metro-style IE, you may encounter a Page Cannot Be Displayed error page. If you enable EPM in the Desktop mode of the browser, you can use the F12 Developer tools to see why the request was blocked:

[Image: EPMOnFails]

Note: The next update to IE10 will use a more specific error message here; this string was designed for developers of Metro-style applications, not for folks debugging in EPM in IE.

To resolve this issue, you can either use a non-dotted hostname for your router (e.g. my DNS points http://router to 192.168.1.1) or you can manually add the router’s address to your Trusted Sites zone using the Tools > Internet Options > Security | Trusted | Sites... list. When navigating to Trusted Sites, the navigation occurs outside of Protected Mode, so AppContainer restrictions are not a problem.

There’s a non-obvious subtlety here which bears mentioning. When I personally tried to reproduce this restriction at home, I had no problem in navigating straight to the router’s IP Address in both Metro and Desktop IE with EPM enabled:

[Image: EPMOff]

What’s up with that?

The explanation is that the AppContainer network restrictions are sensitive to your network configuration. When I had originally connected to my router, I had selected the following configuration:

[Image: MarkPublic]

As a result, the Windows Firewall considered my router part of a public network:

[Image: LinkSysIsPub]

…and thus AppContainers are freely able to contact the 192.168.1.1 address as I had indicated that I was on a “Public Network” and thus the privateNetworkClientServer capability is not required to contact local / non-routable addresses like 192.168.1.1.

I can enable the network restriction by reconfiguring my network settings. First, I used the sidebar's context menu to tell Windows to “forget” my Linksys connection. Then, I re-established it as a “home” network:

[Image: MarkPrivate]

This causes the Windows Firewall to consider this a “Private network”:

[Image: LinksysPriv]


...and subsequently block connections to "local" addresses from AppContainers that lack the privateNetworkClientServer capability.
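To make the interaction of these rules concrete, here is an added model (my own illustration, not IE code; the function names and the default zone settings are assumptions) of what the sections above describe: the URL host picks the Zone, the Zone picks the process (bitness and Medium IL / Low IL / AppContainer), and the capabilities the AppContainer lacks decide whether loopback and private addresses are reachable, including the Public/Private network profile twist from the router walkthrough and the rule that a page's sub-resources inherit the top-level page's sandbox.

```python
"""Model of where an IE10 navigation lands (zone -> bitness and isolation)
and what AppContainer's missing network capabilities then block.
Added illustration of the article's rules; not IE's own code."""
import ipaddress

# Constructed default mirroring the article: Protected Mode is on for the
# Internet and Restricted zones and off for Local Intranet and Trusted Sites.
PROTECTED_MODE_ZONES = frozenset({"Internet", "Restricted"})


def classify_zone(host, trusted_sites=frozenset()):
    """Zone for a URL host: Trusted if listed; dotted IP literals such as
    192.168.1.1 or 127.0.0.1 go to Internet; non-dotted names such as
    localhost or router go to Local Intranet."""
    if host in trusted_sites:
        return "Trusted"
    try:
        ipaddress.ip_address(host)
        return "Internet"
    except ValueError:
        pass
    return "Intranet" if "." not in host else "Internet"


def sandbox_for(zone, *, metro, epm, windows8, win64=True):
    """Return (bitness, isolation) for a tab whose top-level page is in zone.
    isolation is 'MediumIL', 'LowIL' or 'AppContainer'. Metro-style IE exists
    only on Windows 8, so metro=True implies a Windows 8 machine."""
    if zone not in PROTECTED_MODE_ZONES:
        # Non-Protected-Mode zones run at Medium IL. Metro tabs are 64-bit on
        # Win64; Desktop keeps these zones at 32-bit even with EPM ticked.
        return (64 if metro and win64 else 32, "MediumIL")
    if metro or (epm and windows8):
        # Windows 8 EPM: AppContainer, 64-bit when the OS is 64-bit.
        return (64 if win64 else 32, "AppContainer")
    if epm:
        # Windows 7 / Server 2008 R2: EPM only changes bitness, no AppContainer.
        return (64 if win64 else 32, "LowIL")
    return (32, "LowIL")  # classic Protected Mode


def network_allowed(isolation, target_host, network_profile="Private"):
    """An EPM AppContainer has neither internetClientServer nor
    privateNetworkClientServer: loopback is always blocked, and non-routable
    addresses are blocked when Windows classes the connection as a Private
    network. On a Public profile that capability is not required, which is
    why the router page loaded until the network was re-marked as home."""
    if isolation != "AppContainer":
        return True
    if target_host == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(target_host)
    except ValueError:
        return True  # public DNS name: internetClient covers it
    if ip.is_loopback:
        return False
    return not (ip.is_private and network_profile == "Private")


def navigate(host, *, metro, epm=False, windows8=True,
             trusted_sites=frozenset(), network_profile="Private"):
    """Top-level navigation: the zone picks the sandbox, the sandbox decides
    whether the page's own host is reachable at all."""
    zone = classify_zone(host, trusted_sites)
    bits, isolation = sandbox_for(zone, metro=metro, epm=epm, windows8=windows8)
    return {"zone": zone, "bits": bits, "isolation": isolation,
            "loads": network_allowed(isolation, host, network_profile)}


def subresource_allowed(top_host, target_host, **kw):
    """Every frame and resource on a page runs in the sandbox chosen by the
    top-level page's zone, so an Internet page in an AppContainer cannot
    frame, image-load or XHR 192.168.1.1 (the CSRF case in the article)."""
    result = navigate(top_host, **kw)
    profile = kw.get("network_profile", "Private")
    return network_allowed(result["isolation"], target_host, profile)
```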

AppContainer – Isolation of Cookies and Cache

AppContainers do not have read or write access to files outside of their container, which means that the cache, cookies, and other web-platform state information is not shared between different AppContainers and the rest of the system. This means, for instance, that if you have a Windows Web App (a Metro-style app written in HTML+JavaScript), that application will not share cookies or cache files with Internet Explorer. Similarly, Metro-style apps will not share cookies and cache with one another.

This “partitioning” can be great for security and privacy, because it means that your use of one application isn’t visible to another. For instance, if you log into your Banking App, the banking app’s cache, cookies, and credentials aren’t available to be stolen from pages you browse in Metro-style Internet Explorer, even if a vulnerability was discovered that allowed an attacker to run arbitrary native code in the AppContainer.

However, partitioning can lead to unexpected behaviors. I describe some of these in a previous post called Beware Cookie Sharing in Cross-Zone Scenarios. In that post, I observed that even in IE7 to IE9, there exists a partition between sites that run in Medium Integrity vs. those that run in Protected Mode, such that cookies are not shared between those modes. That can lead to problems when a site in one zone frames another, since the sandbox in which all frames in a page run is determined by the top-level page’s Zone.

In Windows 8, the existing Medium IL / Low IL partition remains, and a new EPM AppContainer partition is added as well. It’s now possible for a user to have three independent copies of a cookie for a single site in IE (not even counting other non-IE Metro Apps). For instance, if www.example.com tries to set a cookie when it’s the subframe of an Intranet top-level page, that cookie will go in the MediumIL cookie jar. If the user then visits www.example.com in Metro-style IE, the cookie will be set in the EPM’s AppContainer cookie jar. Then, if the user visits www.example.com in Desktop IE, the cookie will be set in the LowIL cookie jar. These three cookies are independent, and changes or deletions of the cookie in one partition will not be seen in the other partitions. If the user "logs out" in one mode of the browser (which deletes the cookie) the other modes of the browser will remain "logged in" (since their cookies are isolated). Sites that need to securely log a user out across all browser modes should continue to expire the session on the server, rather than only relying on the client to stop sending a given cookie.

To be explicit, the following data stores are partitioned between Internet Zone content running in Metro-style IE (in EPM) and Desktop IE (in LowIL):

In contrast, Local Intranet Zone and Trusted Zone pages run in Medium IL in both Metro-style IE and Desktop IE, and thus these Zones' data stores are shared between both browser modes.

Cookie Pushing

One exception exists to the partitioning behavior described above. When you use the View on the Desktop command in Metro-style IE, it will "push" the current tab’s session cookies into the new Desktop IE instance that opens. However, this only applies to session cookies and not persistent cookies.

You can see how this works by following these steps:

  1. Clear all cookies using Delete Browser History
  2. Visit www.facebook.com in Metro-style IE
  3. Log in with the Keep me logged in box unchecked on the Facebook site
  4. Facebook will send you a session cookie containing your credentials.
  5. Invoke the View on the Desktop command

At this point, you should find that Desktop IE shows your default post-logon Facebook page (e.g. your Wall); you're still logged in.

Now close your browsers and repeat these steps, except at step #3, check the Keep me logged in option. At Step #4, Facebook will send you a persistent cookie with your credentials. When you switch to Desktop IE at step #5, you will find that you are not logged in to Facebook, because the persistent cookie set by Facebook isn’t pushed to Desktop IE.

You will further notice that if you enable Enhanced Protected Mode for Desktop IE, when switching from Metro IE to Desktop IE you will remain logged into Facebook in Desktop, because MetroIE in EPM shares cookies with DesktopIE in EPM since they are both running in the same AppContainer.
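The partitioning and cookie-pushing rules above, as an added model (my own illustration, not IE's code; the class and method names and the cookie values are constructed): which of the three jars a cookie lands in, the Facebook walkthrough with and without Keep me logged in, and the three-copies scenario where logging out in one mode leaves the others logged in.

```python
"""Model of IE10's three cookie partitions (Medium IL, Low IL, EPM
AppContainer) and the 'View on the Desktop' session-cookie push.
Added illustration of the article's description; not IE's code."""


def cookie_jar(top_level_zone, *, metro, epm_desktop):
    """Jar for cookies set by a page (or any frame on it; the top-level
    page's zone decides). Intranet/Trusted pages run at Medium IL in both
    browser modes and share one jar; Internet pages in Metro IE and in
    EPM-enabled Desktop IE share the AppContainer jar; Internet pages in
    classic Desktop Protected Mode use the Low IL jar."""
    if top_level_zone in ("Intranet", "Trusted"):
        return "MediumIL"
    if metro or epm_desktop:
        return "AppContainer"
    return "LowIL"


class PartitionedCookieStore:
    def __init__(self):
        # jar -> site -> cookie name -> (value, persistent)
        self.jars = {"MediumIL": {}, "LowIL": {}, "AppContainer": {}}

    def set_cookie(self, jar, site, name, value, persistent=False):
        self.jars[jar].setdefault(site, {})[name] = (value, persistent)

    def delete_cookie(self, jar, site, name):
        self.jars[jar].get(site, {}).pop(name, None)

    def cookies_for(self, jar, site):
        return {n: v for n, (v, _) in self.jars[jar].get(site, {}).items()}

    def view_on_desktop(self, site, *, epm_desktop):
        """Metro IE pushes only the current tab's *session* cookies into the
        Desktop IE instance it opens. With Desktop EPM on, both modes already
        share the AppContainer jar, so persistent cookies are visible too."""
        target = cookie_jar("Internet", metro=False, epm_desktop=epm_desktop)
        if target == "AppContainer":
            return target  # same jar, nothing to push
        for name, (value, persistent) in self.jars["AppContainer"].get(site, {}).items():
            if not persistent:
                self.set_cookie(target, site, name, value, persistent=False)
        return target


def facebook_walkthrough(keep_me_logged_in, epm_desktop=False):
    """The article's steps: clear cookies, log in from Metro IE, then use
    View on the Desktop. Returns whether Desktop IE is still logged in.
    Cookie name and value are constructed, not Facebook's real cookies."""
    store = PartitionedCookieStore()
    metro_jar = cookie_jar("Internet", metro=True, epm_desktop=epm_desktop)
    store.set_cookie(metro_jar, "www.facebook.com", "session",
                     "constructed-token", persistent=keep_me_logged_in)
    desktop_jar = store.view_on_desktop("www.facebook.com", epm_desktop=epm_desktop)
    return "session" in store.cookies_for(desktop_jar, "www.facebook.com")


def three_copies_walkthrough():
    """www.example.com sets a cookie as an Intranet subframe, in Metro IE and
    in Desktop IE (no EPM); 'logging out' in Desktop IE deletes only its copy."""
    store = PartitionedCookieStore()
    site = "www.example.com"
    jars = (cookie_jar("Intranet", metro=False, epm_desktop=False),
            cookie_jar("Internet", metro=True, epm_desktop=False),
            cookie_jar("Internet", metro=False, epm_desktop=False))
    for jar, value in zip(jars, ("a", "b", "c")):
        store.set_cookie(jar, site, "sid", value)
    store.delete_cookie(jars[2], site, "sid")
    return {jar: store.cookies_for(jar, site).get("sid") for jar in store.jars}
```

Because the server cannot know which of the three copies was deleted, the model shows why logout must expire the session server-side rather than rely on the client dropping one cookie.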

Add-ons in Enhanced Protected Mode

Metro-style Internet Explorer does not load add-ons, so there are no AppContainer considerations to worry about in MetroIE.

In contrast, most users expect add-ons to work in Desktop IE, but very few add-ons are AppContainer-compatible today. If you enable EPM in the desktop and have a BHO or Toolbar that isn’t EPM compatible, the add-on will be disabled:

[Image: BingBar]

If you visit a page that requires an ActiveX control which is not EPM-compatible, you’ll be provided the opportunity to load the page in a special “Low IL Compat” tab that runs the page at 32bits in LowIL instead of in a 64-bit AppContainer:

Notification message which reads “This webpage wants to run 'Adobe Flash Player 10.3 d162'. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control.” The notification bar contains one button labeled “Disable”.

In order to be EPM-compatible, Toolbars and BHOs must be available in 32bit and 64bit flavors, to avoid toolbars or other UI appearing and disappearing as you navigate between zones that run at different bitnesses. To load in EPM on Windows 8, the add-on must also indicate that it is compatible with the AppContainer isolation feature by registering with a COM Component Category that indicates that the component was designed and tested to ensure it runs correctly in the no-read-up process.

The category is named CATID_AppContainerCompatible and its GUID is {59fb2056-d625-48d0-a944-1a85b5ab2640}. C++ programmers may use:

  DEFINE_GUID(CATID_AppContainerCompatible, 0x59fb2056,0xd625,0x48d0,0xa9,0x44,0x1a,0x85,0xb5,0xab,0x26,0x40);

Any non-trivial add-on is likely to find that it needs access to resources that are not available from within an AppContainer. The way to securely provide such access is to build a broker object that runs at Medium IL. In Vista and later, brokers were needed to write protected resources, and in EPM, they are required to read protected resources. The general pattern is:

  1. Untrusted code (the add-on running in the Protected Mode tab) calls a method in the broker, passing zero or more arguments.
  2. The broker evaluates the request's arguments and its own security policy.
  3. The broker confirms with the user that the requested operation is acceptable (e.g. by showing a Save prompt or whatever).
  4. The broker undertakes the operation if allowed, or blocks it if denied.

Writing a broker is a significant undertaking, and requires a thorough security audit to ensure that the broker doesn’t allow malicious code to escape from the tab running in Protected Mode.
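The four-step pattern above, as an added illustration (my own hypothetical code, not IE's broker interface, which is COM-based; the request shape, the policy and the folder layout are assumptions): the broker treats every argument from the tab as attacker-controlled, canonicalizes the path before checking it against policy, asks the user before writing, and only then touches the resource on the tab's behalf.

```python
"""The broker pattern from the article: a Medium IL broker validates a
request from the sandboxed tab before touching a resource the AppContainer
cannot read or write. Added illustration with a hypothetical API."""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class BrokerRequest:
    """Step 1: what untrusted add-on code sends. Every field is attacker-controlled."""
    operation: str          # "read" or "save"
    path: str               # name the tab claims is relative to the allowed folder
    data: bytes = b""


class MediumILBroker:
    def __init__(self, allowed_root, confirm_with_user, audit_log=None):
        self.root = os.path.realpath(allowed_root)
        self.confirm_with_user = confirm_with_user  # step 3 callback
        self.audit_log = audit_log if audit_log is not None else []

    def _resolve(self, untrusted_path):
        """Step 2 (policy): canonicalize and require the result to stay under
        root. join() discards root for absolute input and realpath() follows
        '..' and symlinks, so both escape attempts fail the component check."""
        full = os.path.realpath(os.path.join(self.root, untrusted_path))
        if os.path.commonpath([self.root, full]) != self.root:
            raise PermissionError("path escapes the broker's allowed folder")
        return full

    def handle(self, req):
        """Returns ('ok', result) or ('denied', reason); never raises into the tab."""
        if req.operation not in ("read", "save"):
            return self._deny(req, "unsupported operation")
        try:
            target = self._resolve(req.path)
        except (PermissionError, ValueError) as exc:
            return self._deny(req, str(exc))
        # Step 3: writes need an explicit user decision; the prompt shows the
        # broker's canonical path, not the string the tab supplied.
        if req.operation == "save" and not self.confirm_with_user(target):
            return self._deny(req, "user declined")
        # Step 4: perform the operation at Medium IL on the tab's behalf.
        if req.operation == "read":
            with open(target, "rb") as fh:
                return ("ok", fh.read())
        with open(target, "wb") as fh:
            fh.write(req.data)
        self.audit_log.append(("save", target))
        return ("ok", len(req.data))

    def _deny(self, req, reason):
        self.audit_log.append(("denied", req.operation, req.path, reason))
        return ("denied", reason)


def demo():
    """Constructed scenario: a scratch folder holding one file the broker may
    expose, plus the requests a well-behaved and a hostile add-on might send."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"hello")
    broker = MediumILBroker(root, confirm_with_user=lambda p: p.endswith("out.txt"))
    return {
        "read_ok": broker.handle(BrokerRequest("read", "notes.txt")),
        "traversal": broker.handle(BrokerRequest("read", "../../../../etc/passwd"))[0],
        "absolute": broker.handle(BrokerRequest("read", "/etc/passwd"))[0],
        "save_ok": broker.handle(BrokerRequest("save", "out.txt", b"abc")),
        "save_declined": broker.handle(BrokerRequest("save", "other.txt", b"x")),
        "bad_op": broker.handle(BrokerRequest("delete", "notes.txt"))[0],
        "denials_logged": sum(1 for e in broker.audit_log if e[0] == "denied"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

A production broker also has to close the window between the check and the open (for example by validating the path of the handle it actually opened), which this sketch leaves out.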

12/20/2013 UPDATE: The IE team has published documentation on writing EPM-Compatible extensions on MSDN.

-Eric

PS: Please see this post for discussion of the impact of EPM on loading of local files that contain a Mark-of-the-Web.

Comments (53)

  1. KS says:

    Why not add non-routable addresses, especially 192.168.0.0/23 for most used c-nets, to Trusted Sites by default?

  2. EricLaw [MSFT] says:

    @KS: That presumes that you actually Trust *all* such sites, which isn't always a safe assumption to make and represents an interesting attack surface.

  3. Rob^_^ says:

    thx… well written, easy on the brain with practical tips for web app devs.

  4. Lionel says:

    Thank you very much for posting this.  The IEblog post was welcome, but seriously lacking in such details.  Now I understand much better what enhanced protected mode is (and I like it).

    Regarding Fiddler, would it be possible to use "localhost" rather than "127.0.0.1" for the proxy address, since it seems that this would work around the "no loopback" limitation?

    Also, what is the rationale behind this "no loopback" limitation in Metro?

  5. Robert says:

    @Eric: Is CATID_AppContainerCompatible supposed to work with IE10.0.8250 from the Consumer Preview?

    I tried

    CATID catids[] = { CATID_AppContainerCompatible };

    hr = pICatRegister->RegisterClassImplCategories(CLSID_BrowserHelperObject, COUNTOF(catids), catids);

    but the BHO is still not loaded. The "not compatible" warning disappeared though…

    Is there anything else one has to do to get loaded into an AppContainer?

  6. @Robert: Yes, the component category should work for the Consumer Preview. Did you ensure that you're registering both your 32bit and your 64bit BHOs?

    @Lionel: The article I wrote that has the download for the Enable Loopback tool has a bit more detail, but the gist of it is that using 127.0.0.1 for Inter-process-communication (IPC) from a sandbox to untrusted code has been a HUGE source of vulnerabilities on platforms like Android and the like. Switching a proxy to use "localhost" rather than "127.0.0.1" doesn't help vis-a-vis the loopback protections, because the loopback protections block ALL addresses for the local computer. The reason that using the different hostname works when connecting to a webserver in Metro IE is that when using a non-dotted hostname that goes into the Intranet zone, IE runs that tab outside of the AppContainer. But that's based on the target page's hostname, not the *proxy* address.

  7. @Robert: If you have a simple repro, feel free to email it to me using the "Email blog author" link at the top-right.

  8. xpclient says:

    Why aren't 64-bit content processes available to users without Enhanced Protected Mode? Didn't Microsoft think such an option would be desirable to IE users on Windows 8? I use IE COM addons and ActiveX controls which are 64-bit but which are never likely to be updated for EPM, so the compromise I have to make is to forego 64-bit content processes. I thought Windows 8 and IE was supposed to be "no compromises experience". Hope this changes for RC or RTM.

  9. ChrisTX says:

    If I pressed the 'disable' button for an ActiveX control (Flash in this case) on a website, is there a way to remove that trust or even to manage the list of sites that have permission to not to run in EPM directly?

  10. @ChrisTX: There's no direct management UI for EPM exceptions. When you delete your browser history (Ctrl+Shift+Del, History option) then the EPM-exception list is cleared.

  11. Ralf says:

    Where can I find more information about AppContainers? How can an AppContainer communicate with a broker if its objects are isolated in the session?

  12. @Ralf: There's one link in the section on Brokers at the end of this post. That link takes you to the whitepaper on how brokers are written, and how Protected Mode extensions communicate with those brokers. Thx!

  13. Ralf says:

    @Eric: Thanks for the reply (and the great article!). I already have a broker written for IE9, and now in IE10 EPM my objects (mutex, etc.) are created in the namespace "Sessions\1\AppContainerNamedObjects\S-1-15-2-14304…" and the broker does not see them. How can I create object in the Local session, i.e. Sessions\1\BaseNamedObjects…?

  14. Radek says:

    FOLDERID_LocalAppDataLow returns a different path than LocalLow, something like C:\Users\<user>\AppData\Local\Packages\windows_ie_ac_001\AC

    It looks like even LocalLow is now "protected", and the funny thing is that you can get a different folder for different tabs. Microsoft knows how to make developers happy 🙁

    Did somebody find a list of "protected resources" in EPM?

  15. XXX says:

    Great article! Do you know where the Metro-style IE saves the cookies?

  16. EricLaw [MSFT] says:

    Q: If I use the notification bar to exempt a site from Enhanced Protected Mode, how can I later clear that exemption?

    A: Use the Delete Browser History item and check the "History" checkbox.

  17. Magesh says:

    I cannot upload images from my F/G/H drives of my hard disk (E being the CD ROM drive) using IE10. Ex: Facebook. I can do the same without any problem using Chrome. I am not a tech guy, but I can see that something is wrong somewhere with IE10. I have tried everything including resetting IE10 but this problem persists.

    EricLaw: Are you seeing this problem in Metro-style IE, or Desktop IE? What exactly happens? What is the simplest site this occurs on? Do you have this problem using the first upload box at http://www.debugtheweb.com/sandbox/FileForm.asp

  18. Magesh says:

    @Eric.

    1. Simplest site: Facebook.

    2. On my own website.

    On both I am able to access all partitions and images from Google Chrome.

    On Desktop as well as Metro.

    It says "This Briefcase cannot be opened because the disk in inaccessible. Verify that the disk is accessible."

    The same briefcase from the same location works fine on Chrome.

    The same brief case when copied-pasted on to Desktop works fine on IE10.

    Yes. I have the same problem in the fileform you have given as well.

    Thanks.

  19. Magesh says:

    @Eric.

    I solved it.

    For some reason, IE10 was NOT reading from files saved in 'Briefcases' (which I had moved from my previous laptop which ran on W7HP).

    I deleted all Briefcases and made them into 'normal' folders. And I can now access and upload.

    Thanks guys.

  20. Robert says:

    Hello, How to find whether the add-on is running in EPM? For an ordinary PM there is IEIsProtectedModeProcess, but I cannot find anything like that for EPM.

    EricLaw: Great question. As far as I know, there's no public API that permits detecting that you're running in EPM, although it's probably possible to use one of the AppContainer APIs or Windows Security Token APIs to detect this case.

  21. why 32bit IE 10 process exited immediately after starting ? says:

    Another question, see the code below: isExited == True immediately after browserProcess.Start(), but after checking processes in Task Manager, the 32bit IE seems to still run. I am not sure why the 32Bit IE process exited. Could you give me help on this answer? Thank you so much. Running on OS: 64bit Win2012

    using System.Diagnostics;

    Process browserProcess = new Process();
    // Launching the 32bit iexplore.exe directly
    browserProcess.StartInfo.FileName = @"C:\Program Files (x86)\Internet Explorer\iexplore.exe";
    browserProcess.Start();
    bool isExited = browserProcess.HasExited;

    EricLaw: If you launch the 32bit IExplore.exe directly, it immediately launches a 64bit frame process and then shuts the 32bit instance of itself down. That 64bit frame process may itself then launch a 32bit content process, but that content process has no relationship to the original 32bit instance that kicked off the 64bit frame process.

  22. Paul Haffner says:

    Hi Eric,

    I am trying to get a webpage to connect to a websocket server running on the local machine (for test purposes only at this stage). The server isn't hosted by IIS, it's a dedicated .NET app listening on a non-standard (for HTTP) port. The javascript constructor for the websocket is of the form New WebSocket("ws://machinename:8090"). This works great in desktop IE10 but fails miserably when the page is loaded into IE10 Metro. I tried making the machinename a trusted site, but it didn't help. Is the problem going to be down to IE10's zoning of the URI resulting in the websocket call being firewalled?

    Thanks.

    EricLaw: Yes, that is likely it. See http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx for my utility to workaround that limitation. (If you want to go the Trusted route, the key is that the Trusted site needs to be the page's host, not the target websocket host.)

  23. Paul Haffner says:

    Brilliant! The trusted route is all I need at this stage. As you say, the key is to trust the page host rather than the websocket host. Everything works now, so thank you very much Eric.

  24. manjunath says:

    Hi, can anyone tell me whether switching between 32-bit and 64-bit Internet Explorer 10 in Windows 7 is also possible, like in Windows 8, or not? I.e., in order to enable 64bit Content Processes for the Desktop we enable "Enhanced Protect Mode" in IE10 on Windows 8. Is it the same case in Windows 7?

    EricLaw: In IE10 on Windows7, the "Enhanced Protect Mode" checkbox controls only whether IE runs in 64bit. In IE9, 64bit IE is a separate program in the Start Menu.

  25. Thilo says:

    We blocked the x64 IE9 with AppLocker (Program Files path). Users should run only the x86 version of IE. But with IE10, blocking the x64 path prevents startup of x86 IE! How to handle this?

    EricLaw: That rule definitely shouldn't be used with IE10, as IE10 requires processes of both bitnesses for its normal function. You can use Zones to control what bitness processes are used for sites.

  26. tommcg1@hotmail.com says:

    On Win7-64 with IE10 I want to enable EPM and use 64-bit browser processes for everything, EXCEPT for a few sites that require a 32-bit IE for a 32-bit-only add-on.  With IE9 I could create a shortcut to ProgFilesX86\IE\iexplore.exe with a URL to get a 32-bit browser instance.  But with IE10 and EPM, that shortcut now produces a 64-bit browser process so the 32-bit add-on fails.

    How can I leave EPM enabled by default for 99% of browsing and create a shortcut or link to launch a 32-bit browser instance or somehow tag a site to use a 32-bit browser instance?

    Thx.

  27. breca89 says:

    This part seems especially important for those enterprise customers that have transparent proxy server through which outbound traffic flows:

    Notably, the container does not specify internetClientServer, privateNetworkClientServer, enterpriseAuthentication, or any of the *Library capabilities, which means that Internet content runs in a tightly-limited process.

    I'm seeing authentication requests fail when the site is running in an AppContainer tab. If I add the site to IE Trusted Sites zone, the site runs at Medium level, and the transparent authentication works.  It seems that AppContainer is preventing the passing of network credentials to the proxy server.  For corporate customers, what is the way around this?  Is it possible to enable the enterpriseAuthentication capability for IE10 when running in the AppContainer?  

  28. breca89 says:

    Thilo, it looks like you will need to ensure that Enhanced Protected Mode is always OFF for the desktop version of IE10.  This will ensure that tabs run at 32-bit.  Tommcg1, if it's only a few sites, you can add them to IE Trusted Sites through Group Policy, and they will run at 32-bit, while all other sites continue to use EPM and run at 64-bit.  Adding to Trusted Sites will turn Protected Mode OFF, so be aware of that.  

  29. breca89 says:

    Thilo, you can use Group Policy to disable Enhanced Protected Mode — forgot to add that.  

  30. tommcg1@hotmail.com says:

    Thanks, breca89, for the suggestion.  However, with EPM globally enabled and tagging the site "trusted" (medium security and protection disabled) still does not result in a 32-bit IE process running when navigating to that site.

    If I launch IE on about:blank with EPM enabled, it is a 64-bit process. Just typing the address of the trusted site in the address bar or choosing a link from favorites does not result in a new 32-bit iexplore.exe process — it just loads the site in the 64-bit content process that the browser window runs within.  

    And launching iexplore.exe from ProgFilesX86 still results in a 64-bit IE.

    With EPM enabled, a desktop URL shortcut to trusted site still results in 64-bit IE.

    Open link in new window still results in 64-bit IE.

    Even setting trusted sites to lowest security level still results in 64-bit IE.

    Still can't figure out how to get a 32-bit IE to load for only a specific site or link or shortcut while leaving EPM enabled globally.  

    This is Win7-64 IE10 with tabs disabled.

    Thx.

  31. breca89 says:

    Tommcg1, I think the issue is that tabs are disabled.  If you run Process Explorer, and add the Integrity and Image Type columns, you can see the bitness of the IE processes and which integrity level they are running at.  My guess is that because tabs are disabled, IE now will only run at 64-bit — I will run a test myself to see if it jives with what you are seeing.  In my testing so far, I have EPM enabled and tabs enabled, and I can list a specific site in IE Trusted Sites and it will run in 32-bit mode.  

  32. breca89 says:

    Tommcg1, actually, I turned off tabs, and I'm still able to run 32-bit IE process with EPM enabled — if I view a Trusted Site in IE.  I am running Win8 64-bit, so slightly different than you.  Another difference is that you may have EPM enabled through group policy, and I am just using IE options to enable it.  I will test enabling it thru group policy.

  33. breca89 says:

    I set EPM with local group policy, and disabled tabs.  I still see a 32-bit IE process when browsing to a Trusted Site.  All other zones run in 64-bit mode (and since this is Win8, they run at the AppContainer integrity level).

  34. tommcg1@hotmail.com says:

    breca89, thanks for trying to solve my problem.  A little more research and info.  The problem does not seem to be related to whether tabs are enabled or not.  If I add "cnn.com" to trusted sites, browsing to cnn.com does indeed always load in a 32-bit IE process (with or without tabs enabled).  The particular site I'm having problems with is "battlelog.battlefield.com", which requires a 32-bit add-on.  Even with this site in trusted sites, if EPM is enabled it comes up in a 64-bit IE process.  Strangely, while on this site, if I try to go to the trusted sites dialog to add it, the "add this website" text box is initially blank, unlike other websites like cnn.com or microsoft.com that provide the initial current site text in the box, so I have to cut-and-paste or type it manually.  Perhaps somehow the site's URL is not being communicated properly to the trusted sites list lookup mechanism internally.  I'm curious how this site behaves from your Win8 browser with EPM enabled and this site set in trusted sites.  Again, I'm on Win7-64 with IE10. Thanks again for your effort in helping me figure out this problem.

  35. Sharon says:

    Is it possible to run the Metro-style IE 10 in Windows 8 in 32-bit mode?

    EricLaw: I don't think so. You could try putting the site in the Trusted Zone, but I don't think that helps in the Metro case. Why would you want to do this?

  36. Jonas says:

    Nice sharing. Is there any similar API (like IEGetProtectedModeCookie) that can access the EPM cookie? Thanks.

    [EricLaw] Unfortunately, no, this API didn't make it for IE10 and I haven't heard any indication that it exists for IE11 either. You may want to file a bug on the IE CONNECT site.

  37. Samarth Gupta says:

    I'm trying to build a plugin for IE. I've completed it for both 32-bit and 64-bit and it's working on IE9 (both 32 and 64 bit). But when I use it on IE10 with EPM on, it's not loading. I've used "DEFINE_GUID(CATID_AppContainerCompatible, 0x59fb2056,0xd625,0x48d0,0xa9,0x44,0x1a,0x85,0xb5,0xab,0x26,0x40);"

    in my plugin to register it to CATID_AppContainerCompatible, but it's still not loading. Am I doing something wrong?

    EricLaw: You need to store the .DLLs in an AppContainer-readable folder like the Program Files folder.

  38. JM says:

    On 64-bit Win8.1 with IE11. I have toolbars at C:\Program Files (x86) for the 32-bit version and C:\Program Files for the 64-bit version. pICatRegister->RegisterClassImplCategories(CLSID_StockBar, 1, catids) succeeded but no "Implemented Categories" key was created. I manually created Implemented Categories/{59fb2056-d625-48d0-a944-1a85b5ab2640} and the incompatible warning does not show up. However, the toolbar is still not showing. What else could I be missing? Thanks.

    EricLaw: You need to register your toolbar in the COM registry before attempting to register its categories using the category manager.

  39. Nich says:

    I've just upgraded IE to 10 on 64-bit Windows 7, and I cannot make it run anything in 32 bit mode.

    I've ensured that the protected mode is unchecked in the Settings/Advanced tab, and also in the Security tab, rebooted the computer completely, but the only process that ever appears is iexplore.exe, never iexplore.exe *32 and my 32-bit ActiveX components will not load!

    From everything I've read, this shouldn't be possible, as without the protected mode box checked, everything should run in 32-bit Content Processes.

    Am I missing something?

  40. MartinM says:

    Is it possible in EPM to open a shared mutex (between a BHO and a broker process) by lowering the mutex rights via (ConvertStringSecurityDescriptorToSecurityDescriptorW, …, SetSecurityInfo)?  This is currently working fine for a Protected Mode scenario.

    EricLaw: While I'm not an expert on the specifics, yes, I expect you can communicate in this way if the privileged process ACLs the shared resource properly.

  41. Alex says:

    A BHO in EPM is located in Program Files\BHO, and it can read files from any folder under Program Files, but why can it not read files under AppData\LocalLow?

  42. @Alex: If you see the comment on this post from "Radek" made on Wed, Jul 11 2012 2:56 AM, you'll find that the ACL for the LocalLow folder is indeed "Low Integrity"; AppContainers have an even *lower* level of privilege than the Vista-era "Low Integrity". If you want to read out of an AppContainer, you need a broker.

  43. Alex says:

    @Eric: In IE10 with EPM on Windows 8, BHO is loaded, but it is not loaded in IE10 with EPM on Windows 7.

    What could be a difference?

  44. James says:

    Let me get this right – you cannot manipulate cookies within the current window using an add-on i.e. by using Wininet?

    [EricLaw] If your code is running in the same process as the HTML content (e.g. a typical BHO or ActiveX control) then your WinINET API calls will be operating against the correct AppContainer data stores. If your code was running in a different process (e.g. a standalone executable, or an out-of-process broker) then your WinINET calls would typically be running against the non-AppContainer data stores that are not used by the EPM-tab process.

  45. Motti says:

    You say: Writing a broker is a significant undertaking, and requires a thorough security audit to ensure that the broker doesn't allow malicious code to escape from the tab running in Protected Mode.

    Does this mean that every broker must be audited and certified by Microsoft or is this general guidance to broker developers to take heed to the security issues?

    [EricLaw]: Microsoft doesn't offer or require auditing/certification of brokers. That's especially unfortunate because they are so often a source of sandbox-escape exploits. Microsoft merely reserves the right to disable 3rd-party brokers if they're found to be vulnerable; it does not (currently) proactively pen-test brokers.

  46. Ehsan Samani says:

    Eric, thank you for the article. I have been creating a new BHO from scratch. I am trying to log some simple things (think debug logging) to disk. When I was running IE10, IE tab process virtualization was putting my log file (a text file) in someplace like C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized.  Ever since I installed IE11 and made my BHO Protection Mode, all write requests from the BHO are failing. Simple question: where can I place my BHO log file?

  47. @Ehsan: Your BHO needs to write to a folder which is ACL'd to allow access to processes running within an AppContainer. Unlike virtualization done for PM, I don't know that there's any default-writable folder for EPM processes.

  48. Ehsan Samani says:

    Thanks Eric, so essentially an application installer must modify the ACL for the BHO to have write access to a certain folder. I am going to try logging to the EventLog and see if that still works.
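    One way an installer can do what the two comments above describe, as an added example that is not from the post or from any vendor's installer: a PowerShell helper that wraps the Windows icacls tool to grant "ALL APPLICATION PACKAGES" modify rights on one dedicated log folder (not all of Program Files), drop that folder's integrity label to Low, and then read the ACL back to verify. The folder path is a placeholder; the script assumes icacls.exe is on the PATH, that it runs elevated, and that the interactive user already has write access to the parent folder.

```powershell
# Added example (not from the post): prepare one folder that an EPM BHO, running
# inside IE's AppContainer, is allowed to write to. Assumes icacls.exe (ships with
# Windows) and an elevated session, e.g. from the add-on's installer.
function Grant-AppContainerWriteFolder {
    param([Parameter(Mandatory)] [string] $Path)
    # Keep the grant as narrow as possible: a dedicated folder, never Program Files itself.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # S-1-15-2-1 is the well-known "ALL APPLICATION PACKAGES" SID. (OI)(CI) inherit the
    # ACE to files and subfolders; M = Modify only (no Full Control, no WRITE_DAC).
    & icacls.exe $Path /grant '*S-1-15-2-1:(OI)(CI)M' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $Path" }
    # AppContainer processes run at Low integrity; a folder carrying the default (Medium)
    # label still refuses writes from them, so label the folder Low as well.
    & icacls.exe $Path /setintegritylevel '(OI)(CI)L' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setintegritylevel failed for $Path" }
}

function Test-AppContainerWriteFolder {
    param([Parameter(Mandatory)] [string] $Path)
    # Read the ACL back and check both conditions instead of trusting exit codes.
    $acl = & icacls.exe $Path
    $hasAce   = @($acl -match 'ALL APPLICATION PACKAGES:\(OI\)\(CI\)\(M\)').Count -gt 0
    $hasLabel = @($acl -match 'Mandatory Label\\Low Mandatory Level').Count -gt 0
    return [pscustomobject]@{
        Path              = $Path
        AppPackagesModify = $hasAce
        LowIntegrity      = $hasLabel
        Writable          = ($hasAce -and $hasLabel)
    }
}

# Usage (hypothetical vendor folder; pick a path outside Program Files):
# Grant-AppContainerWriteFolder -Path "$env:ProgramData\ExampleVendor\BhoLogs"
# Test-AppContainerWriteFolder  -Path "$env:ProgramData\ExampleVendor\BhoLogs"
```

    Anything the AppContainer can write is also readable by other AppContainer code, so treat the folder as untrusted input if the broker or installer ever reads it back.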

  49. Ehsan Samani says:

    Eric, thank you for responding to our question even though you have left Microsoft. I was wondering if there is any way for a BHO to event-sink (catch) a script executing, that is, either before the script executes or after it executes. I know of DISPID_BEFORESCRIPTEXECUTE, which can be caught before the DISPID_DOWNLOADCOMPLETE event fires, but once the document is ready, scripts these days continue to execute; for instance I might have a jQuery timer like the one below that runs periodically. It does not seem that the script executing causes any element, document or browser events.

    $(document).ready(function () { setInterval(function (){ /* do something */ }, 1000)});

  50. Mark Pahulje says:

    Superb article Eric, this is the kind of detail developers need. Is there any way to force running IE x32?

    [EricLaw] I don't think I really understand the premise of the question. The option Tools > Internet Options > Advanced Use 64-bit Processes for Enhanced Protected Mode controls whether IE on the Desktop uses 64bit Tab processes. You can't use a 32bit frame process except on a 32bit machine.

  51. theking2 says:

    CheckNetIsolation.exe offers a command line version of EricLaw's EnableLoopback utility:

    To list exempts:

       CheckNetIsolation LoopbackExempt -s

    To create an exempt for ie:

       CheckNetIsolation LoopbackExempt -a -n=windows_ie_ac_001
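    As an added example (not from the comment above or from Microsoft), a PowerShell wrapper around the CheckNetIsolation commands just listed that audits which AppContainers are loopback-exempt, so an admin can see whether EPM tabs can reach localhost services and revert the developer-only exemption when it is no longer needed. It assumes the "-s" listing prints one "Name: <container>" line per exempted container, that "-d" removes an exemption, and that the session is elevated.

```powershell
# Added example (not from the post): audit and manage the EPM tab AppContainer's
# loopback exemption with CheckNetIsolation.exe. Parsing assumes the "-s" output
# prints one "Name: <container>" line per exemption; confirm that on your build.
function Get-LoopbackExemptContainer {
    $lines = & CheckNetIsolation.exe LoopbackExempt -s
    if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation -s failed ($LASTEXITCODE)" }
    foreach ($line in $lines) {
        if ($line -match '^\s*Name:\s*(\S+)') { $Matches[1] }
    }
}

function Test-IELoopbackExempt {
    # windows_ie_ac_001 is the AppContainer name the comment above uses for EPM tabs.
    param([string] $Container = 'windows_ie_ac_001')
    return (@(Get-LoopbackExemptContainer) -contains $Container)
}

function Set-IELoopbackExempt {
    # A loopback exemption removes part of the AppContainer network isolation: EPM
    # tabs can then talk to services listening on 127.0.0.1. Keep it to developer
    # machines and remove it when finished ("-d" deletes a single exemption).
    param([switch] $Enable, [string] $Container = 'windows_ie_ac_001')
    $op = if ($Enable) { '-a' } else { '-d' }
    & CheckNetIsolation.exe LoopbackExempt $op "-n=$Container" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation LoopbackExempt $op failed" }
    # Re-read the list so the caller learns the real state, not just the exit code.
    return ((Test-IELoopbackExempt -Container $Container) -eq [bool]$Enable)
}

# Usage:
# Test-IELoopbackExempt          # $true means EPM tabs can already reach localhost
# Set-IELoopbackExempt -Enable   # developer-only; revert with Set-IELoopbackExempt
```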

  52. Christopher Yeleighton says:

    I do not seem to have the option Use 64-bit Processes for Enhanced Protected Mode.

    Is there a way to load trusted sites in 64-bit mode on the desktop without disabling tab processes altogether?

  53. notTechSavvyButTrying2LearnSomething says:

    Does EPM have anything to do with why the different Zones' 'custom options' settings do not work (ie; pop-up blocker [mixed content], Smartscreen filter, XSS filter, etc.) with it turned ON?  (or, in some cases, even if it is Off – depending on the page – I still have to manually over-ride/allow 'all contents to be displayed', even if the site/page is in my Trusted list or Intranet list… which each have their own custom settings for popup blocker, smartscreen ActiveX, XSS filter, "Safe" & "UN-Safe" Programs,Apps)…?

    [EricLaw] No, enabling EPM should not have any real impact on your other security zone settings. Each zone should still respect its own section.
