Jaa

New API Smoothes Extension Development in Protected Mode

  • Artikkeli

As extension developers write their code to work in Protected Mode IE7, we’ve received some feedback that points out challenges with upgrades or installer changes that require users to close and restart IE. Yesterday, we shipped a new API that will help developers address this problem.

With Protected Mode Internet Explorer, we introduced the idea of elevation policies - a series of registry keys and values that tell Protected Mode how to handle elevation for a specific extension’s broker process. Protected Mode normally runs the Internet Explorer process with lower privileges. In general, extensions should operate as low integrity processes. However, some extensions require access to medium or high integrity objects. Because of this, extensions can be configured during installation to run with a higher privilege level by creating an elevation policy that is associated with them in the registry. To learn more about integrity levels, broker processes, and how to work in Protected Mode, visit the MSDN Internet Explorer Development Technical Article on the topic.

Prior to this new API, whenever an extension installer modifies or adds to the elevation policy outside of the currently running Internet Explorer process, the installed registry changes are not reflected as part of that process. To end the current process, Internet Explorer needs to be closed and restarted. On restart, Internet Explorer is then able to pick up the new policy from the registry. I should note that this behavior only applies to extensions running within Protected Mode.

As part of the IE June Security Update we shipped yesterday, we’ve helped reduce the challenges developers faced with elevation policy. Extension developers can now eliminate the need to manually end and restart the IE process to refresh elevation policies whether it is part of an upgrade or an addition to their current installer’s elevation policy.  By calling the IERefreshElevationPolicy APIas part of your extension installer, the need for ending and restarting Internet Explorer is removed.

MSDN documentation is now available for the IERefreshElevationPolicy API with all of the necessary details to implement it effectively.

For a quick example of what this would look like in code, here is a sample of how to use the API:

HRESULT RefreshPolicies()
{
HRESULT hr = E_NOTIMPL;
HMODULE hDll = LoadLibrary(L"ieframe.dll");
if (NULL != hDll)
{
typedef HRESULT (*PFNIEREFRESHELEVATIONPOLICY)();
PFNIEREFRESHELEVATIONPOLICY pfnIERefreshElePol = (PFNIEREFRESHELEVATIONPOLICY) GetProcAddress(hDll, "IERefreshElevationPolicy");
if (pfnIERefreshElePol)
{
hr = pfnIERefreshElePol();
} else {
DWORD error = GetLastError();
hr = HRESULT_FROM_WIN32(error);
}
FreeLibrary(hDll);
} else {
DWORD error = GetLastError();
hr = HRESULT_FROM_WIN32(error);
}
return hr;
}

Jeremy Dallman
Program Manager

Sharath Udupa
IE Developer

edit: Add Sharath Udupa as post author

Comments

  • Anonymous
    June 13, 2007
    The comment has been removed

  • Anonymous
    June 13, 2007
    Why do you think Microsoft needed 5 years to add some features to XP (called Vista).

  • Anonymous
    June 13, 2007
    The comment has been removed

  • Anonymous
    June 13, 2007
    [quote] or better yet, just call: IERefreshElevationPolicy(); and have this method do the check to see if req'd. [/quote] Well, actually, the sample code reduces to IERefreshElevationPolicy(); plus:

  • error checking

  • run-time checking whether the API is present (since the program could be running on unpatched Vista, or even possibly older Windowses).

  • Anonymous
    June 13, 2007
    Complete unrelated to this post but when are you guys going to respond to the IE7 is slow compared to Safari/Firefox?

  • Anonymous
    June 13, 2007
    IE7の中からのプロセスの作成 その5 - Windows Vista/Internet Explorer 7

  • Anonymous
    June 13, 2007
    @Edwin Martin Windows Vista developed from Windows Server 2003 code and NOT XP

  • Anonymous
    June 14, 2007
    We are a plug-in vendor. We need the plug-in (OCX file installed via CAB) running in IE 7 in protected mode to be able to create a folder and write files into that folder on the user's Desktop or another location specified by the user. Currently, these folders/files are written to a virtualized location which is very confusing for users. Is there an API to do this?

  • Anonymous
    June 14, 2007
    Excellent, many thanks, deployed:  http://www.meadroid.com/scriptx/sxbeta.asp

  • Anonymous
    June 14, 2007
    Vlad, Take a look at the article at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp and specifically the section on "Saving Files to the User Profile" which should help. Thanks -Dave Massy

  • Anonymous
    June 14, 2007
    The comment has been removed

  • Anonymous
    June 14, 2007
    The comment has been removed

  • Anonymous
    June 14, 2007
    The comment has been removed

  • Anonymous
    June 14, 2007
    The comment has been removed

  • Anonymous
    June 14, 2007
    Dave Massy: I've read the documentation but I am still not getting the full picture - sorry. From the docs, I gather we need to write to /Internet Explorer/Low Rights/ElevationPolicy and set Policy to 3. Is AppName = IEUser.exe? Also, the IESaveFile is for writing files. What about creating folders?

  • Anonymous
    June 14, 2007
    The comment has been removed

  • Anonymous
    June 15, 2007
    The comment has been removed

  • Anonymous
    June 15, 2007
    The comment has been removed

  • Anonymous
    June 15, 2007
    I noticed a speed improvements in IE7 for Vista, after I applied this patch

  • Anonymous
    June 18, 2007
    Status update on the public bug tracking system please.

  • Anonymous
    June 19, 2007
    The comment has been removed

  • Anonymous
    June 20, 2007
    @Josh Stodola: Have you tried running IE7 without extensions?  Buggy add-ons are the top source of problems.  See http://enhanceie.com/ie/troubleshoot.asp for a step-by-step guide to finding the addon causing your issue.

  • Anonymous
    June 21, 2007
    I see that Microsoft is making new fans with IE7! NOT. http://blogs.ittoolbox.com/c/programming/archives/javascript-myself-to-death-meet-the-ie-7-stupid-bar-17070 What is the fix to get the stupid security warning bar/popups to stop for a domain/IP that you specify. In particular, localhost, 127.0.0.1, 192.168.100.x etc. Thanks.

  • Anonymous
    June 21, 2007
    The comment has been removed

  • Anonymous
    June 21, 2007
    The comment has been removed

  • Anonymous
    June 24, 2007
    How about international guidelines, so that Third Party developers can avoid making the mistakes that Microsoft seems to be committed to repeating? For example: http://blogs.msdn.com/michkap/archive/2007/01/25/1526224.aspx

  • Anonymous
    June 24, 2007
    @Eric The bars say "The page wanted to do SOMETHING(we won't tell you!). Do you want to let it do SOMETHING and see what will happen?"