The ActiveX Installer Service

Hi, I’m Chris Corio, a Program Manager on the User Account Control team. As I’m sure you’ve guessed by now, we’re hard at work providing a great experience for standard users in Windows Vista.  I’m happy to announce a brand new feature that we’ve added to Windows Vista – the ActiveX Installer Service.

Our Technical Adoption Program (TAP) participants testing Windows Vista require that a variety of ActiveX controls are installed to conduct day-to-day business within their enterprise and with their partners.  These ActiveX controls were being updated regularly, and the corporations couldn’t package and deploy them to their users quickly enough.  As we looked at the problem more closely, we realized we needed to provide a way for enterprises to delegate the installation of ActiveX controls for standard users.  The ActiveX Installer Service is the solution that the UAC team created for this problem. With this service, Microsoft will be providing a Group Policy driven mechanism that lets IT professionals define the Host URLs from which standard users can install ActiveX controls.

The ActiveX Installer Service consists of a Windows service, a Group Policy administrative template, and a few changes in Internet Explorer.  It will be an optional component on the Ultimate, Business, and Enterprise SKUs of Windows Vista and will only be enabled on clients where it’s installed.  If a user is running as a standard user and the feature is enabled, Internet Explorer will ask the service to install any ActiveX controls that need to be installed.  Before installing the ActiveX control, the Installer service will check to see if the Host URL of the CODEBASE is defined and listed in Group Policy and if it is allowed.  If the service policy permits the install of the ActiveX control, then the service will create an instance of the Internet Explorer ActiveX installer object to be used to install the control.  If Group Policy did not specify that the ActiveX control was allowed to install, then the default Windows Vista behavior is resumed: a Consent\Credential prompt is required to install an ActiveX control. 

For now, the service is designed to install Internet Component Download packaged controls – this means that an ActiveX control must be a .cab, .dll, or .ocx.  Following Windows Vista, this solution will probably be married with MSI, enabling MSI installations based on similar policy.
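The decision described in the two paragraphs above (approved Host URL plus a .cab, .dll, or .ocx package, otherwise the default prompt) can be modelled as follows. This is an added example, not Microsoft's implementation: the function names, the `example.com`/`example.net` hosts, and the choice to match on exact scheme, host and port are assumptions made for illustration.

```python
from urllib.parse import urlsplit
import posixpath

ICD_EXTENSIONS = {".cab", ".dll", ".ocx"}  # package types named in the post
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample policy: approved Host URLs (not real sites).
POLICY = ["https://controls.example.com", "https://partner.example.net:8443"]

def origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme  # urlsplit lower-cases the scheme
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo can make a URL look like an approved host
    host = parts.hostname.rstrip(".")  # .hostname is already lower-cased
    return scheme, host, port if port is not None else DEFAULT_PORTS[scheme]

def decide(codebase, approved_host_urls=POLICY):
    """'install' = the service installs the control; 'prompt' = default path."""
    src = origin(codebase)
    if src is None:
        return "prompt"
    # urlsplit separates the "#version=..." fragment, so only the path is checked.
    ext = posixpath.splitext(urlsplit(codebase.strip()).path)[1].lower()
    if ext not in ICD_EXTENSIONS:
        return "prompt"
    approved = {origin(u) for u in approved_host_urls} - {None}
    return "install" if src in approved else "prompt"

if __name__ == "__main__":
    for url in [  # constructed CODEBASE values
        "https://controls.example.com/viewer.cab#version=1,0,0,0",
        "http://controls.example.com/viewer.cab",
        "https://controls.example.com@other.example/viewer.cab",
        "https://controls.example.com.other.example/viewer.cab",
        "https://controls.example.com/setup.exe",
    ]:
        print(decide(url), url)
```

Matching on the parsed origin rather than on a string prefix is what keeps look-alike hosts and userinfo tricks on the prompt path.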

If you’re at TechEd, look for demos of the ActiveX Installer Service all week. Ben Fathi’s Security Keynote speech also included a demo of the feature–Alex Heaton demonstrated ActiveX control installation for a standard user by using a simple business-to-business ActiveX control in an enterprise.  Steve Hiskey, our fearless Lead PM, will also be giving a demo of the service and a look at how to configure the policy–or you can just stop by the UAC booth in the Windows Vista area for a personal demo.

The ActiveX Installer Service is scheduled to be in the next public release of Windows Vista – RC1.  We will be providing more details on the service and how to define policy for it in the next couple weeks.  As you move to running as a standard user, this will definitely be something you’ll want to look into!! 

As always, we welcome your feedback about the service and we’ll try our best to answer your questions in a timely manner. 


Comments (25)

  1. Spotted this on the UAC blog: The ActiveX Installer Service

    As many IT Pro’s know the ActiveX…

  2. Gordon Fecyk says:

    EEK!  Isn’t this just a new excuse for the designers of said ActiveX controls to keep on releasing patches without thought of testing them before the fact?

    I have to deal with WebEx Communications multiple times a month because they keep updating one of their controls and conferences stop working when they deploy an update.

    I hope there’s a way to disable these new installation capabilities for limited users.  The last thing I want to learn is that someone’s falsified WebEx’s certificate and is pushing malware under my nose.  Or that WebEx released an update with a bug that results in privilege escalation.

    I’d rather install tested and working code, and not have to worry about updating every single little control every single day because developers don’t bother testing them before they release them.

  3. Bill D. says:

    Control is disabled and managed via Group Policy so I would think you could manage the installer capability on a user/OU/domain level.

    Code developed internally is subject to internal controls and QA procedures, therefore IT has input into the release frequency and can directly affect code integrity.  This service is a necessary evil, in my opinion, because there are many vendors that release new controls on a frequent basis of which the IT admins have no control.  This service will potentially save IT depts. where it counts; their budgets.


  4. Gordon Fecyk says:

    "there are many vendors that release new controls on a frequent basis of which the IT admins have no control."

    No control?  I’ve had full control over this since 2003 when my first major client decided to upgrade to Win2K.  The only reason other IT admins don’t have control is they don’t bother to seize it.

    The only really frequent updater I’ve really encountered after 11 years of IT experience is WebEx Communications.  Of the others, for example Macromedia, content and services are tolerant of varying versions of said controls.  Every new release represents untrusted, unknown, untested code to the eyes of the IT admin, who gets blamed when the new version of "x" doesn’t work exactly the same as the old version.

    My solution to WebEx and other frequently updated controls is to stop using them.  Callinfo and Gotomeeting come to mind as replacements.  Nothing works like healthy competition to encourage better design.

  5. ActiveX Installer Service – Windows Installer

  6. ActiveX Installer Service – Windows Installer

  7. David Hopwood says:

    Is the control only installed for the current user? It’s a bad idea to allow standard users to install a control for the whole machine, even if it is supposedly from a "trusted" codebase. (Conversely, if the control is only being installed for the current user, I don’t see the need for this feature.)

    # Before installing the ActiveX control, the
    # Installer service will check to see if the
    # Host URL of the CODEBASE is defined and
    # listed in Group Policy and if it is allowed.

    Since when was the codebase URL a secure way to determine which controls are allowed (if it is not https)?

  8. Eugene K says:

    So if the system has malicious DNS set up, the *safe* URLs can be resolved to any malware site?

  9. Gordon Fecyk:  Take a look at LiveMeeting.  It *used* to use an ActiveX control, and it drove me nuts because I could never use it without MakeMeAdmin.  They switched to a better model, and it works great now for the non-admin, after the LiveMeeting client has been installed.  Installation of the LM client requires admin, but all further use works great for the non-admin.

  10. Gordon Fecyk says:

    Thanks for the heads-up.  Additional alternatives to WebEx are gladly welcome!

    Being an ActiveX control isn’t really a design problem if it works with Limited accounts.  So I update Flash Player and a bunch of other controls before rolling out a new disk image for a client, no problem.  Being an ActiveX control that frequently changes, on the other hand, makes me pull my hair out.

    Including an installation service for lazy developers who don’t test their controls just encourages more bad design.

    Even if WebEx provided a working Windows Installer package I could deploy through Group Policy, that’s better than logging on manually to 50+ PCs.

  11. leesoft says:


    I was trying to perform some task requiring administrator rights in my ActiveX control (launching from IE7), for example, communicate with a local NT service by memory mapping file, execute a shell command, and so on. But the control will not work under UAC unless I launch IE7 using "Run as an administrator".

    I searched around and found that there should be a way to do so via CoCreateAsAdmin(); could you provide me more detail on that?

    Thanks very much.

  12. It seems like in the latest builds of Windows Vista it is possible to install the ActiveX Installer Service but configuring the administrative template in the Group Policy Object editor does nothing. Is Internet Explorer 7+ the problem? I mean does it need a newer build of IE to work?

  13. windowsvistasecurity says:

    1) You need to be a standard user (not admin) for it to work

    2) Confirm that the ActiveX Installer Service is running

  14. tish says:

    I went to add pictures to my msn community and a pop up came up that said the following..

    "Internet Explorer has blocked this site from using an ActiveX control in an unsafe manner. As a result this page may not display correctly."

    How do I fix this problem so I can put my pictures in my album???

  15. UACBlog says:

    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account…

  16. UACBlog says:

    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account…

  17. skyler says:

    I can’t load on my CPU and I’m upset

  18. UACBlog says:

    This is Joel Yoker, Senior Consultant, and Rob Campbell, Technical Solutions Specialist, from the Microsoft…

  19. Yesterday we had Cyra Richardson – Lead Program Manager on the Internet Explorer team - in…

  20. Honjo says:

    We want to install our ActiveX without IE7 and UAC dialog on Vista basic.

  21. osexp2000 says:

    Hi, I have been experienced with LUA for a long time, since Win2K. Of course the ActiveX in IE is a big problem. ActiveX Installer is good, thank you very much, but:

    1. Why not provide an option to "install the ActiveX using non-Admin just for the current user (by File/Reg virtualization)"? I think many users need it.

        Theoretically, we do not need to install flash.ocx by Admin. And after UAC, downloading is taken in admin context, this is not a good choice.

    2. Another option I want is that "just download, check signature, prompt Save or Install or Cancel?"

  22. Abuwi Shakur says:

    I am trying to activate or install ActiveX. I need ActiveX to install Symantec for additional security on my computer.