File Virtualization in IE7+ Protected Mode breaking my ActiveX Con

http://msdn.microsoft.com/ie/default...tectedMode.asp


Q: Does UAP file and registry Virtualization apply to Protected Mode?

A: No, UAP Virtualization does not apply to Protected Mode and, therefore,
write access to Protected Mode extensions that write to sensitive areas will
not be redirected.

Protected Mode also does not have write access to the redirected or virtual
store for system areas. Extensions running in Protected Mode get an Access
Denied error when they attempt to write to sensitive system areas.

Q: Are there specific locations in the USER PROFILE or HKEY_CURRENT_USER
registry location that an extension in Protected Mode Internet Explorer can
not write to?

A: Yes, Internet Explorer-specific locations in the following USER PROFILE
folders or HKEY_CURRENT_USER registry locations will return an Access Denied
error:

Documents and Settings\%USER PROFILE%...
....\Local Settings\Temporary Internet Files
....\Local Settings\Temp
....\Local Settings\History
....\%USER PROFILE%\Favorites
....\%USER PROFILE%\Cookies

HKCU\Software\...
....\Classes
....\Microsoft\Windows
....\Microsoft\Internet Explorer

Furthermore, extensions that attempt to gain write access to securable
objects by using an API function in one of the following binaries will
receive Access Denied errors.


Internet Explorer binaries
BrowseUI.dll IEFrame.dll MsHtmlEd.dll ShDocVw.dll
DxtMsft.dll InetCpl.dll MsTime.dll UrlMon.dll
DxTrans.dll MsHtml.dll Peers.dll WinInet.dll
Other Binaries
AdvApi.dll CorPol.dll NtDll.dll WinTrust.dll
ComCtl32.dll Crypt32.dll SChannel.dll
ComDlg32.dll Kernel32.dll Secure32.dll

Josh
http://windowsconnected.com


"Josh" <josh@nospam.windowsconnected.com> wrote in message
news:E08331C0-351F-40CE-BC39-A822868F50AA@microsoft.com...

> Matthew,
>
> I would highly recommend you revaluate your use of ActiveX. It is a
> sunset technology that Microsoft is de-emphasising. It is also inherintly
> insecure and is trying to write to areas like C:\windows\downloaded
> program files that in the future users will be less likely to write too.
> This, if i am not mistaken, will also not qualify for "logo".
>
> anyway, Part of the "protected mode" IE is probably your problem. With
> Protected mode enabled you are restricted to writing to only the TIF
> (trusted internet files) folder. So your setup if probably failing to
> write to a location and is unable to handle the event. I also beive IE is
> compiled so as to not VERT (a manifest)
>
>
> Josh
> http://windowsconnected.com
>
>
>
> "Matthew Douglass" <MDouglassMCS@nospam.nospam> wrote in message
> news:949B5BC3-4EFD-421A-AFC3-AE6CC7031500@microsoft.com...

>> Hello,
>>
>> I have just started working with Beta 2 of Vista and have been trying to
>> fix
>> a problem I've found with the ActiveX control I'm developing that only
>> happens when running IE in Protected Mode and after some debugging, I
>> believe
>> is related to the file virtualization feature.
>>
>> A quick overview first -- we're a game company and the goal is to host
>> our
>> games in the web browser. We've got a control that downloads a cab file
>> containing the game, lets the user verify the signature on the game, then
>> extracts the CAB and runs the game contained within it.
>>
>> Under IE6 and IE7 on earlier platforms (XP, 2000, 98SE) this works just
>> fine, but under Vista I'm seeing two problems:
>>
>> 1) The verify signature dialog does display for the game, but it does not
>> display the publisher information (it shows as untrusted)
>> 2) About half of the cab extraction succeeds and then I get an error code
>> 3
>> (this is from SetupIterateCabinetA). I think it is possible this is
>> happening once the virtualized file names approach MAX_PATH, but that's
>> just
>> a guess so far.
>>
>> Turning off protected mode fixes both of these problems.
>>
>> I can give a link to the control if necessary, but I would prefer not to
>> post it on the newsgroup. Please contact me at <first initial last name
>> at
>> mind-control.com>
>>
>> Any help would be appreciated!
>>
>> Thanks,
>> Matthew Douglass
>> Mind Control Software, Inc.

>

Well if you've got another way I can host a DirectX-based game in the web
browser, please let me know -- I certainly wouldn't mind ditching ActiveX.

Anyway, I should have said this in my email, but my program is very careful
to only write to areas that it reasonably ought to have access to.
Specifically, only underneath CSIDL_APPDATA. And the writes are partially
successful -- about half the files written in that folder are able to be
extracted from the CAB before SetupIterateCabinetA fails with an error code 3.

--
Matthew Douglass
Mind Control Software, Inc.


"Josh" wrote:

> Matthew,
>
> I would highly recommend you revaluate your use of ActiveX. It is a sunset
> technology that Microsoft is de-emphasising. It is also inherintly insecure
> and is trying to write to areas like C:\windows\downloaded program files
> that in the future users will be less likely to write too. This, if i am
> not mistaken, will also not qualify for "logo".
>
> anyway, Part of the "protected mode" IE is probably your problem. With
> Protected mode enabled you are restricted to writing to only the TIF
> (trusted internet files) folder. So your setup if probably failing to write
> to a location and is unable to handle the event. I also beive IE is
> compiled so as to not VERT (a manifest)
>
>
> Josh
> http://windowsconnected.com
>
>
>
> "Matthew Douglass" <MDouglassMCS@nospam.nospam> wrote in message
> news:949B5BC3-4EFD-421A-AFC3-AE6CC7031500@microsoft.com...

> > Hello,
> >
> > I have just started working with Beta 2 of Vista and have been trying to
> > fix
> > a problem I've found with the ActiveX control I'm developing that only
> > happens when running IE in Protected Mode and after some debugging, I
> > believe
> > is related to the file virtualization feature.
> >
> > A quick overview first -- we're a game company and the goal is to host our
> > games in the web browser. We've got a control that downloads a cab file
> > containing the game, lets the user verify the signature on the game, then
> > extracts the CAB and runs the game contained within it.
> >
> > Under IE6 and IE7 on earlier platforms (XP, 2000, 98SE) this works just
> > fine, but under Vista I'm seeing two problems:
> >
> > 1) The verify signature dialog does display for the game, but it does not
> > display the publisher information (it shows as untrusted)
> > 2) About half of the cab extraction succeeds and then I get an error code
> > 3
> > (this is from SetupIterateCabinetA). I think it is possible this is
> > happening once the virtualized file names approach MAX_PATH, but that's
> > just
> > a guess so far.
> >
> > Turning off protected mode fixes both of these problems.
> >
> > I can give a link to the control if necessary, but I would prefer not to
> > post it on the newsgroup. Please contact me at <first initial last name
> > at
> > mind-control.com>
> >
> > Any help would be appreciated!
> >
> > Thanks,
> > Matthew Douglass
> > Mind Control Software, Inc.

>

I am not a coder, so can't give you a direct replacement, I have seen some
cool click once apps though...something to look into...

My recommendation would be to redo your setup as an MSI, that way you are
running as local system. You will lose the automation that ActiveX has
today on many systems, but you would lose that anyway as Microsoft
transitions to the more secure Windows Vista platform. Infact you will
probably end up with fewer prompts by going MSI.


Josh


"Matthew Douglass" <MDouglassMCS@nospam.nospam> wrote in message
news:E2C9F61E-EC31-413E-9567-C02C53E3C756@microsoft.com...

> Well if you've got another way I can host a DirectX-based game in the web
> browser, please let me know -- I certainly wouldn't mind ditching ActiveX.
>
> Anyway, I should have said this in my email, but my program is very
> careful
> to only write to areas that it reasonably ought to have access to.
> Specifically, only underneath CSIDL_APPDATA. And the writes are partially
> successful -- about half the files written in that folder are able to be
> extracted from the CAB before SetupIterateCabinetA fails with an error
> code 3.
>
> --
> Matthew Douglass
> Mind Control Software, Inc.
>
>
> "Josh" wrote:
>

>> Matthew,
>>
>> I would highly recommend you revaluate your use of ActiveX. It is a
>> sunset
>> technology that Microsoft is de-emphasising. It is also inherintly
>> insecure
>> and is trying to write to areas like C:\windows\downloaded program files
>> that in the future users will be less likely to write too. This, if i am
>> not mistaken, will also not qualify for "logo".
>>
>> anyway, Part of the "protected mode" IE is probably your problem. With
>> Protected mode enabled you are restricted to writing to only the TIF
>> (trusted internet files) folder. So your setup if probably failing to
>> write
>> to a location and is unable to handle the event. I also beive IE is
>> compiled so as to not VERT (a manifest)
>>
>>
>> Josh
>> http://windowsconnected.com
>>
>>
>>
>> "Matthew Douglass" <MDouglassMCS@nospam.nospam> wrote in message
>> news:949B5BC3-4EFD-421A-AFC3-AE6CC7031500@microsoft.com...

>> > Hello,
>> >
>> > I have just started working with Beta 2 of Vista and have been trying
>> > to
>> > fix
>> > a problem I've found with the ActiveX control I'm developing that only
>> > happens when running IE in Protected Mode and after some debugging, I
>> > believe
>> > is related to the file virtualization feature.
>> >
>> > A quick overview first -- we're a game company and the goal is to host
>> > our
>> > games in the web browser. We've got a control that downloads a cab
>> > file
>> > containing the game, lets the user verify the signature on the game,
>> > then
>> > extracts the CAB and runs the game contained within it.
>> >
>> > Under IE6 and IE7 on earlier platforms (XP, 2000, 98SE) this works just
>> > fine, but under Vista I'm seeing two problems:
>> >
>> > 1) The verify signature dialog does display for the game, but it does
>> > not
>> > display the publisher information (it shows as untrusted)
>> > 2) About half of the cab extraction succeeds and then I get an error
>> > code
>> > 3
>> > (this is from SetupIterateCabinetA). I think it is possible this is
>> > happening once the virtualized file names approach MAX_PATH, but that's
>> > just
>> > a guess so far.
>> >
>> > Turning off protected mode fixes both of these problems.
>> >
>> > I can give a link to the control if necessary, but I would prefer not
>> > to
>> > post it on the newsgroup. Please contact me at <first initial last
>> > name
>> > at
>> > mind-control.com>
>> >
>> > Any help would be appreciated!
>> >
>> > Thanks,
>> > Matthew Douglass
>> > Mind Control Software, Inc.

>>