Protected Mode and Signed ActiveX Plugins

Posted: 01-29-2008, 09:22 PM
With Protected Mode enabled, our signed plugins no longer operate as
they should due to limitations on where they can write files, etc.

Is there any way to get around this programmatically, without the
user
having to disable Protected Mode manually?

I must admit that I appreciate Microsoft's continued efforts
regarding
security, but the entire point of having signed plugins was so that
the user could explicitly grant trust to the plugin. Unsigned plugins
were not allowed by default in IE6. I'm not sure who thought that was
inadequate.

- Shawn

Protected Mode and Signed ActiveX Plugins


Responses to "Protected Mode and Signed ActiveX Plugins"

Mark
Guest
Posts: n/a
 
Re: Protected Mode and Signed ActiveX Plugins
Posted: 01-30-2008, 01:20 PM
Starting on page 70:
http://download.microsoft.com/downlo...UACDevReqs.doc


<shalayka@gmail.com> wrote in message
news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...
> With Protected Mode enabled, our signed plugins no longer operate as
> they should due to limitations on where they can write files, etc.
>
> Is there any way to get around this programmatically, without the
> user
> having to disable Protected Mode manually?
>
> I must admit that I appreciate Microsoft's continued efforts
> regarding
> security, but the entire point of having signed plugins was so that
> the user could explicitly grant trust to the plugin. Unsigned plugins
> were not allowed by default in IE6. I'm not sure who thought that was
> inadequate.
>
> - Shawn

shalayka@gmail.com
Guest
Posts: n/a
 
Re: Protected Mode and Signed ActiveX Plugins
Posted: 01-30-2008, 02:55 PM
Hi Mark,

Thank you for this document.

Neither the Visual Studio 2008 automatic manifest insertion via Linker
options, nor a manually inserted manifest resource causes a UAC popup
to occur (as hoped). I have tried the three obvious parameters:
asInvoker, highestAvailable, requireAdministrator.

- Shawn




On Jan 30, 7:20*am, "Mark" <jmhonz...@nospam.insightbb.com> wrote:
> Starting on page 70:http://download.microsoft.com/downlo...073-42f9-932b-...
>
> <shala...@gmail.com> wrote in message
>
> news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...
>
> > With Protected Mode enabled, our signed plugins no longer operate as
> > they should due to limitations on where they can write files, etc.
>
> > Is there any way to get around this programmatically, without the
> > user
> > having to disable Protected Mode manually?
>
> > I must admit that I appreciate Microsoft's continued efforts
> > regarding
> > security, but the entire point of having signed plugins was so that
> > the user could explicitly grant trust to the plugin. Unsigned plugins
> > were not allowed by default in IE6. I'm not sure who thought that was
> > inadequate.
>
> > - Shawn
Mark
Guest
Posts: n/a
 
Re: Protected Mode and Signed ActiveX Plugins
Posted: 01-30-2008, 08:39 PM
I will assume the ActiveX installation troubleshooting on page 78-82 didn't
help either.
Which would have led you here:
http://msdn2.microsoft.com/en-us/library/aa370813.aspx
Pay special attention to finding Vista folder paths.

Additionally, ActiveX needs to use Brokered Services for elevated tasks:
http://search.msdn.microsoft.com/sea...=00&lang=en-us
(I don't know which of these really apply, but there is a generic theme
related to your problem.)

Or, possibly:
In Vista, with UAC enabled, IE will refuse to run any code not packaged in
the CAB file.
If the hook statement contains a parameter with path, you need to put three
double quotes around the EXE.
For example:

[preInstall]
run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
(This will work in XP and 2000 also.)



<shalayka@gmail.com> wrote in message
news:baf74454-cb38-44b5-9f69-e2d630241c9a@i72g2000hsd.googlegroups.com...
Hi Mark,

Thank you for this document.

Neither the Visual Studio 2008 automatic manifest insertion via Linker
options, nor a manually inserted manifest resource causes a UAC popup
to occur (as hoped). I have tried the three obvious parameters:
asInvoker, highestAvailable, requireAdministrator.

- Shawn




On Jan 30, 7:20 am, "Mark" <jmhonz...@nospam.insightbb.com> wrote:
> Starting on page
70:http://download.microsoft.com/downlo...073-42f9-932b-...
>
> <shala...@gmail.com> wrote in message
>
> news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...
>
> > With Protected Mode enabled, our signed plugins no longer operate as
> > they should due to limitations on where they can write files, etc.
>
> > Is there any way to get around this programmatically, without the
> > user
> > having to disable Protected Mode manually?
>
> > I must admit that I appreciate Microsoft's continued efforts
> > regarding
> > security, but the entire point of having signed plugins was so that
> > the user could explicitly grant trust to the plugin. Unsigned plugins
> > were not allowed by default in IE6. I'm not sure who thought that was
> > inadequate.
>
> > - Shawn

shalayka@gmail.com
Guest
Posts: n/a
 
Re: Protected Mode and Signed ActiveX Plugins
Posted: 01-31-2008, 03:48 PM
Hi Mark,

This is a single DLL plugin, inside of a signed CAB file. No external
executables are called, nor would I want to. If I ended up having to
call an executable, then there would be no point to using the DLL in
the first place.

I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem. So it appears the
problem, really, is protected mode completely ruins the benefit of
using signed plugins.

I'm not sure what ActiveX brokering is. Google comes up with 0 hits
that actually relate ActiveX DLLs and brokering.

Thank you though for your help.

- Shawn





On Jan 30, 2:39*pm, "Mark" <jmhonz...@nospam.insightbb.com> wrote:
> I will assume the ActiveX installation troubleshooting on page 78-82 didn't
> help either.
> Which would have led you here:http://msdn2.microsoft.com/en-us/library/aa370813.aspx
> Pay special attention to finding Vista folder paths.
>
> Additionally, ActiveX needs to use Brokered Services for elevated tasks:http://search.msdn.microsoft.com/sea...ery=broker+act...
> (I don't know which of these really apply, but there is a generic theme
> related to your problem.)
>
> Or, possibly:
> In Vista, with UAC enabled, IE will refuse to run any code not packaged in
> the CAB file.
> If the hook statement contains a parameter with path, you need to put three
> double quotes around the EXE.
> For example:
>
> * [preInstall]
> * * run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
> (This will work in XP and 2000 also.)
>
> <shala...@gmail.com> wrote in message
>
> news:baf74454-cb38-44b5-9f69-e2d630241c9a@i72g2000hsd.googlegroups.com...
> Hi Mark,
>
> Thank you for this document.
>
> Neither the Visual Studio 2008 automatic manifest insertion via Linker
> options, nor a manually inserted manifest resource causes a UAC popup
> to occur (as hoped). I have tried the three obvious parameters:
> asInvoker, highestAvailable, requireAdministrator.
>
> - Shawn
>
> On Jan 30, 7:20 am, "Mark" <jmhonz...@nospam.insightbb.com> wrote:> Starting on page
>
> 70:http://download.microsoft.com/downlo...073-42f9-932b-....
>
>
>
> > <shala...@gmail.com> wrote in message
>
> >news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...
>
> > > With Protected Mode enabled, our signed plugins no longer operate as
> > > they should due to limitations on where they can write files, etc.
>
> > > Is there any way to get around this programmatically, without the
> > > user
> > > having to disable Protected Mode manually?
>
> > > I must admit that I appreciate Microsoft's continued efforts
> > > regarding
> > > security, but the entire point of having signed plugins was so that
> > > the user could explicitly grant trust to the plugin. Unsigned plugins
> > > were not allowed by default in IE6. I'm not sure who thought that was
> > > inadequate.
>
> > > - Shawn
Mark
Guest
Posts: n/a
 
Re: Protected Mode and Signed ActiveX Plugins
Posted: 01-31-2008, 04:46 PM
"I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem."

This issue you are experiencing is not a matter of being signed, or not
signed. It's Vista and IE7 permission levels to run elevated tasks from
within IE7 while in protected mode. All ActiveX is given the lowest level of
access until installed properly while in Protected Mode. (Hence, it works
when not in protected mode.) This lowest level means any functions called
requiring higher elevation fail unless the user acknowledges the task as
appropriate. The user will not receive a prompt unless the installation
follows the required protocols. Without the prompt, this simply fails to
install.

So, there are two areas of concern:
First, assuming the user gets a prompt, is the "silent failure" caused when
the user may have moved their Documents folder away from the default. As a
result, the XP/2000 commands may not work in Vista and attempts to write to
the Documents folder may produce Error 1320 (if ran as administrator), or no
errors posted (if run as user):
http://msdn2.microsoft.com/en-us/lib...06(VS.85).aspx

Second, creating a folder in a user's profile (Documents folder) is an
elevated task (as is registering the DLL), so I mentioned brokering
services. Please see the following link on this functionality while in
protected mode:
http://msdn2.microsoft.com/en-us/library/bb250462.aspx

I suspect, the second article is closest to your solution. (I only mentioned
the external executable because on occassion, DLLs have been known to seek
external functions.)

Using the following search on MSDN, I found 147 hits: (broker activex dll
vista signed)
http://search.msdn.microsoft.com/sea...20dll%20signed

The links provided in the other messages give more information on this path.

Good luck,
(I'll let someone else chime in since I'm running into a dead end for you.)

Mark




<shalayka@gmail.com> wrote in message
news:659417c8-aad2-4fde-9184-66e607080944@j78g2000hsd.googlegroups.com...
Hi Mark,

This is a single DLL plugin, inside of a signed CAB file. No external
executables are called, nor would I want to. If I ended up having to
call an executable, then there would be no point to using the DLL in
the first place.

I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem. So it appears the
problem, really, is protected mode completely ruins the benefit of
using signed plugins.

I'm not sure what ActiveX brokering is. Google comes up with 0 hits
that actually relate ActiveX DLLs and brokering.

Thank you though for your help.

- Shawn





On Jan 30, 2:39 pm, "Mark" <jmhonz...@nospam.insightbb.com> wrote:
> I will assume the ActiveX installation troubleshooting on page 78-82
didn't
> help either.
> Which would have led you
here:http://msdn2.microsoft.com/en-us/library/aa370813.aspx
> Pay special attention to finding Vista folder paths.
>
> Additionally, ActiveX needs to use Brokered Services for elevated
tasks:http://search.msdn.microsoft.com/sea...ery=broker+act.
...
> (I don't know which of these really apply, but there is a generic theme
> related to your problem.)
>
> Or, possibly:
> In Vista, with UAC enabled, IE will refuse to run any code not packaged in
> the CAB file.
> If the hook statement contains a parameter with path, you need to put
three
> double quotes around the EXE.
> For example:
>
> [preInstall]
> run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
> (This will work in XP and 2000 also.)
>
> <shala...@gmail.com> wrote in message
>
> news:baf74454-cb38-44b5-9f69-e2d630241c9a@i72g2000hsd.googlegroups.com...
> Hi Mark,
>
> Thank you for this document.
>
> Neither the Visual Studio 2008 automatic manifest insertion via Linker
> options, nor a manually inserted manifest resource causes a UAC popup
> to occur (as hoped). I have tried the three obvious parameters:
> asInvoker, highestAvailable, requireAdministrator.
>
> - Shawn
>
> On Jan 30, 7:20 am, "Mark" <jmhonz...@nospam.insightbb.com> wrote:>
Starting on page
>
>
70:http://download.microsoft.com/downlo...073-42f9-932b-...
>
>
>
> > <shala...@gmail.com> wrote in message
>
> >news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...
>
> > > With Protected Mode enabled, our signed plugins no longer operate as
> > > they should due to limitations on where they can write files, etc.
>
> > > Is there any way to get around this programmatically, without the
> > > user
> > > having to disable Protected Mode manually?
>
> > > I must admit that I appreciate Microsoft's continued efforts
> > > regarding
> > > security, but the entire point of having signed plugins was so that
> > > the user could explicitly grant trust to the plugin. Unsigned plugins
> > > were not allowed by default in IE6. I'm not sure who thought that was
> > > inadequate.
>
> > > - Shawn

RFaux
Guest
Posts: n/a
 
Re: Protected Mode and Signed ActiveX Plugins
Posted: 05-21-2008, 06:44 PM

Mark;591241 Wrote:
> I will assume the ActiveX installation troubleshooting on page 78-8
> didn't
> help either.
> Which would have led you here:
> 'Per-user Installations (Windows)
> (http://msdn2.microsoft.com/en-us/library/aa370813.aspx)
> Pay special attention to finding Vista folder paths.
>
> Additionally, ActiveX needs to use Brokered Services for elevate
> tasks:
> 'MSDN Enhanced Search
> (http://search.msdn.microsoft.com/sea...=00&lang=en-us)
> (I don't know which of these really apply, but there is a generi
> theme
> related to your problem.)
>
> Or, possibly:
> In Vista, with UAC enabled, IE will refuse to run any code not package
> in
> the CAB file.
> If the hook statement contains a parameter with path, you need to pu
> three
> double quotes around the EXE.
> For example:
>
> [preInstall]
> run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
> (This will work in XP and 2000 also.)
>
>
>
> <shalayka@xxxxxx> wrote in message
> news:baf74454-cb38-44b5-9f69-e2d630241c9a@xxxxxx
> Hi Mark,
>
> Thank you for this document.
>
> Neither the Visual Studio 2008 automatic manifest insertion via Linker
> options, nor a manually inserted manifest resource causes a UAC popup
> to occur (as hoped). I have tried the three obvious parameters:
> asInvoker, highestAvailable, requireAdministrator.
>
> - Shawn
>
>
>
>
> On Jan 30, 7:20 am, "Mark" <jmhonz...@xxxxxx> wrote:
> 70:http://download.microsoft.com/downlo...073-42f9-932b-...

I want to thank Shawn for this helpful info! - highlighted in red.
This small change allows my cab file to run on Vista with the UAC on.
Question - what does simply addding some quotes in the .inf file do?

Thanks again :

--
RFaux
 
LinkBack Thread Tools Display Modes
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
Protected mode ON vs Protected mode OFF StephaneR Windows Vista Security 6 12-12-2007 04:11 PM
Launching medium integrity process from activex in IE protected mode fleet_captain@hotmail.com Windows Vista Security 0 11-16-2007 08:01 AM
mailto from Protected Mode: Off to Protected Mode: On Robert Aldwinckle Windows Vista Mail 4 09-18-2007 12:56 PM
IE 7 Protected Mode: Off Rev OOC Windows Vista Security 1 08-05-2007 10:20 PM
File Virtualization in IE7+ Protected Mode breaking my ActiveX Con Matthew Douglass Windows Vista Security 4 05-31-2006 12:27 PM