Application Compatibility - IE7 Protected Mode

Application Compatibility - IE7 Protected Mode

  • Comments 8
  • Likes

On Windows Vista, Internet Explorer 7 runs in Protected Mode, which can help protect users from attack by running the Internet Explorer process with greatly restricted privileges.  Protected Mode significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine or to install malicious code.  It can help protect a user from malicious code installing itself without authorization.  This is the default mode for Internet Explorer when Windows Vista is installed.

OK - so how exactly will this problem manifest itself?

  • Applications that use Internet Explorer 7 will not be able to write directly to disk while in the Internet or Intranet zone.
  • Applications may not know how to handle new prompts.

Protected Mode builds on the new integrity mechanism to restrict write access to securable objects like processes, files, and registry keys with higher integrity levels.  When run in Protected Mode, Internet Explorer is a low-integrity process; it cannot gain write access to files and registry keys in a user's profile or system locations.

Low-integrity processes can only write to folders, files, and registry keys that have been assigned a low-integrity mandatory label. As a result, Internet Explorer and its extensions run in Protected Mode, which can only write to low-integrity locations, such as the new low-integrity Temporary Internet Files folder, the History folder, the Cookies folder, the Favorites folder, and the Windows Temporary Files folders.

Furthermore, the Protected Mode process runs with a low desktop integrity level, which will prevent it from sending specific window messages to higher integrity processes.

By preventing unauthorized access to sensitive areas of a user's system, Protected Mode limits the amount of damage that can be caused by a compromised Internet Explorer process or malware.  An attacker cannot, for example, silently install a keystroke logger to the user's Startup folder. Likewise, a compromised process cannot manipulate applications on the desktop through window messages.

Of course, these defenses also limit legitimate changes to higher integrity locations.  As a result, Protected Mode provides a compatibility architecture that reduces the impact on existing extensions, as shown in the following figure.

A compatibility layer handles the needs of many existing extensions.  It intercepts attempts to write to medium integrity resources, such as the My Documents folder in the user profile and the HKEY_CURRENT_USER registry hive.  The compatibility layer uses a generic Windows compatibility fix to automatically redirect these operations to the following low-integrity locations:

  • %userprofile%\LocalSettings\Temporary Internet Files\Virtualized
  • HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\InternetRegistry

Two higher privilege broker processes allow Internet Explorer and extensions to perform elevated operations given user consent. For example, the user privilege broker (IEUser.exe) process provides a set of functions that let the user saves files to areas outside of low-integrity areas.  In addition, an administrator privilege broker (IEInstal.exe) process allows Internet Explorer to install ActiveX controls.

So what are some ways you might be able to resolve this issue?  There are two Quick solutions - one of which is not recommended as your long-term solution!

  • Add the site in question to the trusted sites list. 
  • Turn off Protected Mode (not recommended as a long term solution!).

In terms of Compatibility testing, you should add the site to the Trusted Sites list and ensure that the application can perform the dependent functions on a clean Windows XP SP2 machine with IE7 loaded.  If the problem only occurs on Windows Vista, then you could be experiencing the issue due to the changes implemented with Protected Mode.

In the long-term, the best solution would be to modify the application to handle Protected Mode correctly, including any related prompts that may be displayed.  However - many developers and IT Administrators will be tempted to simply turn off Protected Mode.  We strongly urge you to not do this - especially as your long-term solution!

Additional Resources:

 - CC Hameed

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Im happy to see that even though you guys dont really agree with using this too much you still inform us of it. again, great work!

  • I have IPC remoting BHO. It can not run with protected mode of IE7. I don't know how to pass through protected mode. Can you help me?

  • Windows Vista

    IE7 will not work in protected mode after a couple of weeks after being installed.

    A message come up stating that it is looking for a solution and will not open.

    Reinstallation (unsatisfactory) clears the problem for a couple of weeks.

    If the programme is opened as administrator, it will open without protection but only for that usage.

    In any case, links from Microsoft Mail fail to open.

    The net is full of similar complaints and Microsoft could not help with a solution.

    Do you have any idea of the problem and the solution.

    Thanks

  • Harvey -

    I would recommend opening up a case with Microsoft Support - however, if I'm reading this correctly, it seems that you have two different issues occurring:

    1) IE7 fails to open in Protected Mode for non-administrators.  I suspect that this may be an add-on that is misbehaving.  Try changing your home page to a simple local HTML page (something like Hello World!), and then running IE as a non-admin using the following command: iexplore -extoff.  If IE opens successfully, then switch the homepage to something like www.live.com and open IE using the -extoff switch again.  If these both work, then you need to figure out which add-on / site is causing the problem.

    2) With respect to the Mail links not working, I'm not 100% sure regarding this issue - I've not had issues with hyperlinks in Office 2007, but again, this would probably be best served through a support incident as there may be circumstances unique to your environment etc.

    - CC Hameed

  • le,anhphuong -

    This is really more of an IE Development question.  Depending on what the BHO is trying to do, then it may not be possible with the default IE configuration, and may need some recoding so that it can work in conjunction with Protected Mode.  Based on the information you've provided so far, I'm guessing that your BHO works fine with IE7 on XP.

    However, you should probably open up a support incident and request to speak with our IE Developers to figure out the best course of action.

    - CC Hameed

  • Thanks cchameed for you advised. I tried many ways but I still in dark

  • Anh Phuong -

    I think you would be best served by opening up a case with Microsoft Support and working with our IE Developers to troubleshoot your BHO Issue.

    - CC Hameed

  • I have a program that will only work with IE6 because it is not compatible with IE7 - my guess is that the protected mode may have something to do with it. I am unable to unistall the IE7 or downgrade from IE7 to IE6 because it is on a Vista machine - what can I do to allow my program to work with IE7? Is it possible?