Share via


What does ielowutil.exe have to do with Internet Explorer 8.0?

Hi everyone!

 

Let’s start off by providing a little history around the challenges seen with Protected Mode and Internet Explorer (first introduced with Internet Explorer 7).  In Microsoft Windows Vista, Windows Internet Explorer 7 runs, by default, in Protected Mode.   This helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user's machine or to install malicious code.

 

Protected Mode IE separates the temporary/persistent data that IE saves from regular LUA (Limited User Account) IE and elevated IE. This is to prevent cross IE injection paths, keeping users secure. However, one of the most significant application compatibility issues remaining with Internet Explorer’s Protected Mode and the low integrity architecture is sharing of cookie data between low and higher integrity processes.

When using winINET APIS, a low process like IE’s Protected Mode can only create and manipulate cookies in the low integrity cookie store: \%USER PROFILE%\Cookies\Low. Similarly, medium integrity (or higher)processes like most applications running on Vista can only create and manipulate cookies in the medium integrity cookie store \%USER PROFILE%\Cookies. As a result, applications that rely on IE to download and share cookies are broken because they do not automatically have access to IE’s cookies.

Here’s an example compatibility issue:

Contoso Networks ships a VPN appliance that connects clients to a server through an SSL connection. Users browse to their company’s SharePoint server through Contoso’s SSL VPN.

When the user logs-in, the server sends back a cookie, which gets stored in Protected Mode’s low integrity cookie folder. Office apps like Word can’t find the cookie since they’re running with medium integrity and can only see the medium integrity cookie folder. As a result Contoso adds their servers to IE’s Trusted Sites list so that they won’t run in Protected Mode and cookies will be downloaded to the medium integrity cookie folder. They’d prefer not to add their sites to the Trusted Sites list.

To work around this issue some vendors ship Browser Helper Objects (BHOs), which run in IE, get a downloaded cookie, and share it with their higher integrity application. This approach is not optimal for two main reasons:

  1. BHO’s have a negative performance impact to the browser and
  2. Based on historical data, 3rd party binary code running in the browser is the top cause for reliability and security problems.

Another workaround is to add the websites that write cookies into IE’s Trusted Sites list so that they run out of Protected Mode and write to the medium integrity cookie store. This is not a viable option in many cases, in live messenger for example, the URL is a link that users send to their buddies, adding this to trusted sites to the buddy is not an expected or desirable outcome.

Fortunately, the behavior changes available with installation of Internet Explorer 8.0 provides a much better solution for sharing cookies across integrity level using the IELowUtil.exe process.  IE 8 takes advantages of two new APIs for getting and settings cookies that can be shared across integrity levels:

The the above functions call the standard InternetGetCookie() and ExInternetSetCookieEx() functions from a higher-integrity user context to retrieve or create a cookie with a specified name that is associated with a specified URL.  The signature and behavior of these two APIs will match the winINET APIs:

Reference:

Protected Mode Internet Explorer Reference

 

So the short answer is that IELowUtil.exe is the broker process that handles operations which require processing at a Low Integrity level.  Hopefully this was informative and provides a historical reference regarding this behavior change.

Regards,

The IE Team

Comments

  • Anonymous
    April 19, 2009
    Great description. I have an Outlook Addin and am trying to use the IEGetProtectedModeCookie function without success. The app is written in VB6. The declaration & code is listed below. I am getting an error saying the entry point cannot be found. Any suggestions?Private Declare Function IEGetProtectedModeCookie Lib "ieframe.dll" _  Alias "IEGetProtectedModeCookieA"_   (ByVal lpszURLName As String, _   ByVal lpszCookieName As String, _   ByVal pszCookieData As String, _   pcchCookieData As Long, _   dwFlags As Long) As LonglReturn = IEGetProtectedModeCookie("http://www.jcstechnologeis.com", "", strBuffer, CkSz, 0)
  • Anonymous
    May 14, 2009
    Great description. As a suggestion, placing the short answer at the top might satisfy the reader's initial curiosity.
  • Anonymous
    May 15, 2009
    I am running win7 64 bit on a 2.6 intel dual core processor. I have encountered an unusual problem that has forced me to start using firefox instead of ie, every time I start ie, ielowutil.exe starts and ielowutil.exe is using about 50% of my processor, and when it starts, ie is using about 50% of my resources as well. needless to say, that makes everything come to a screaching hault and I was having to go into task manager and shut them both down. Now ielowutil.exe is still starting up ocationally for some reason, so I need to go into task manager 2-3 times a day and turn it off ... help
  • Anonymous
    June 05, 2009
    On my PC, when I log in there is a msfeedsync process that starts. It creates a IELowutil.exe sub-process.When msfeedsync terminate, IELowutil keeps running (although no IE process has been launched)Why?
  • Anonymous
    September 21, 2009
    The comment has been removed
  • Anonymous
    November 26, 2009
    after installing W7 family I receive pop up error messages :ielowutil.exeinternet low-mic utility tool"This application has requested the runtime to terminate it in an unusual way.Please contact the application's support team for more information."I do not understand the problem and, obviously, don't see how to cure it.Thanks for your helpMichel
  • Anonymous
    November 28, 2009
    I am getting exactly the same error message as Michel Aronssohn. I have had it ever since I installed W7 on 19th October. Because I have been busy I have ignored it, but today thought I would try to sort it, but without success. Any ideas anyone?
  • Anonymous
    December 04, 2009
    I'm getting the popup error too, and I'm not using IE.Taskbar icon: The normal IE 8 iconWindow title: Microsoft Visual C++ Runtime LibraryRuntime Error!Program: C:Program Files (x86)Internet ExplorerIELowutil.exeThis application has requested the Runtime to terminate it in an unusual way.Please contact the application's support team for more information.
  • Anonymous
    December 25, 2009
    Found this if it is any help:-<http://www.pcpitstop.com/libraries/process/i/IELowutil.exe.html>
  • Anonymous
    February 22, 2010
    The comment has been removed
  • Anonymous
    February 22, 2010
    To clarify, msfeedssync appears to be the "Parent" object calling ielowutil.exe and it calls the 32 bit which I do_not_want_running_under_any_circumstances_period. Is there a way to force this to use the 64 bit version of the file?I mean, why is there a 64 bit version of this file if it is never used?If I had had to code that, I would be very upset it wasn't called when the 64 bit browser is opened.
  • Anonymous
    March 29, 2010
    The comment has been removed
  • Anonymous
    April 14, 2010
    The comment has been removed
  • Anonymous
    April 17, 2010
    I've got gigs and gigs of dump files and network captures and video of the screen showing this is some kind of vulnerability.The thing that should concern Windows users is I am disabled and suspect I'm being hacked and Microsoft says they don't patch until some threshold of hacking / expoiting is met.Yes, Reggie - a legitimate question about process handling / creation, simple yet technical enough for these people to understand seems ignored. I won't say they are idiots, but I will say they don't appear to care too much about the customers who purchase their software and thus pay them their wages.The more time passes, the more I support Charlie Miller telling Microsoft to find Windows bug on their own. I want $10,000 for the one I found and posted here like Charlie Miller gets.
  • Anonymous
    April 17, 2010
    Oh, and I've got more than just this one bug to report. Microsoft can BEG me for the data I have.im_afk [where?] yahoo.comI check that once per week.
  • Anonymous
    April 19, 2010
    Windows 7 warned me that the ielowutil.exe has caused a delay while putting the computer to sleep.I checked the events log and I can see multiples references to that executable.This application caused a delay during standby:    File Name : ielowutil.exe    Friendly Name : Internet Low-Mic Utility Tool    Version : 8.00.7600.16385 (win7_rtm.090713-1255)    Total Time : 3531ms    Degradation Time : 2531ms    Incident Time (UTC) : ‎2010‎-‎04‎-‎14T12:18:38.370517800ZThis Windows installation is fresh (April 6). I am not using IE as my main browser.
  • Anonymous
    August 21, 2010
    I am puzzled with BHO's! If Microsoft is claiming BHO's are not optimal and provide a possible security risk then why is Bing Toolbar by Microsoft using BHO?
  • Anonymous
    October 13, 2010
    The comment has been removed
  • Anonymous
    October 13, 2010
    The comment has been removed
  • Anonymous
    November 03, 2010
    C RichesDon't delete that file, re-read what it does in this blog.  If you have to close it for some odd reason, then your install is fobar'ed, and you should reimage.Mike CYou also sell bridges in new york, don't you?F Scheltens IE and Chrome are the only two browsers I know of that use MIC levels.  If the program doesn't use the file, then it's not going to "clutter" your system.  Even programs loaded are not clutter; if they're not called, then they will be swapped out of physical ram at some point anyways, so there's no performance gain by having a "clutter free" system.  You need to focus more on removing all the extra active applications that so many people use.
  • Anonymous
    May 08, 2013
    PID: 4640 (4812) C:Program Files (x86)Internet ExplorerIELowutil.exesize: 115712HELLO ?  i don't even use IE at all i use Chrome, so it must be locked in a hmm background file and take up space like what's his name up there said - unless it is meant for running Windows Vista i highly doubt we need it if we don't use IE, it's left over so when you click on something with IE mentioned it will automatically relog you with ie instead of firefox etc. chromeyeah so when will i know someone is gonna read mine?Kel
  • Anonymous
    July 08, 2013
    The comment has been removed
  • Anonymous
    December 02, 2013
    So I think what would clear up a lot of suspicion is confirming that low-mic is actually low-medium_integrity_cookie?  No? Yes?
  • Anonymous
    July 22, 2016
    IELowuti.exe keeps appearing on my screen with the notation unable to start the application???Anyone know what is going on, like a malware attack. I do run Win 10 in protected mode.
    • Anonymous
      August 22, 2016
      @Ken VolzCheck for Add-ons and see if one of those is invoking your scenario.You can start IExplore without Add-on and see if that helps.When looking at the process from Task Manager, right click on it and see where is the path for the process. It should fall within the IE Folder location. C:\Program Files\Internet ExplorerC:\Program Files (x86)\Internet Explorer
  • Anonymous
    November 16, 2016
    See, this explanation is missing a key piece of information. IELowUtil.exe is the file name for the Internet Low MIC Utility, where MIC in turn refers to "Medium Integrity Cookie", not "microphone". A huge number of people freak-out and think that this is spyware, not a mundane driver for cookies.