Microsoft Windows Vista Community Forums - Vistaheads
Recommended Download



Welcome to the Microsoft Windows Vista Community Forums - Vistaheads, YOUR Largest Resource for Windows Vista related information.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so , join our community today!

If you have any problems with the registration process or your account login, please contact us.

Driver Scanner

Protected Mode and Signed ActiveX Plugins

microsoft.public.windows.vista.security






Speedup My PC
Reply
  #1 (permalink)  
Old 01-29-2008
shalayka@gmail.com
 

Posts: n/a
Protected Mode and Signed ActiveX Plugins
With Protected Mode enabled, our signed plugins no longer operate as
they should due to limitations on where they can write files, etc.

Is there any way to get around this programmatically, without the
user
having to disable Protected Mode manually?

I must admit that I appreciate Microsoft's continued efforts
regarding
security, but the entire point of having signed plugins was so that
the user could explicitly grant trust to the plugin. Unsigned plugins
were not allowed by default in IE6. I'm not sure who thought that was
inadequate.

- Shawn
Reply With Quote
Sponsored Links
  #2 (permalink)  
Old 01-30-2008
Mark
 

Posts: n/a
Re: Protected Mode and Signed ActiveX Plugins
Starting on page 70:
http://download.microsoft.com/downlo...UACDevReqs.doc


<shalayka@gmail.com> wrote in message
news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...
> With Protected Mode enabled, our signed plugins no longer operate as
> they should due to limitations on where they can write files, etc.
>
> Is there any way to get around this programmatically, without the
> user
> having to disable Protected Mode manually?
>
> I must admit that I appreciate Microsoft's continued efforts
> regarding
> security, but the entire point of having signed plugins was so that
> the user could explicitly grant trust to the plugin. Unsigned plugins
> were not allowed by default in IE6. I'm not sure who thought that was
> inadequate.
>
> - Shawn



Reply With Quote
  #3 (permalink)  
Old 01-30-2008
shalayka@gmail.com
 

Posts: n/a
Re: Protected Mode and Signed ActiveX Plugins
Hi Mark,

Thank you for this document.

Neither the Visual Studio 2008 automatic manifest insertion via Linker
options, nor a manually inserted manifest resource causes a UAC popup
to occur (as hoped). I have tried the three obvious parameters:
asInvoker, highestAvailable, requireAdministrator.

- Shawn




On Jan 30, 7:20*am, "Mark" <jmhonz...@nospam.insightbb.com> wrote:
> Starting on page 70:http://download.microsoft.com/downlo...073-42f9-932b-...
>
> <shala...@gmail.com> wrote in message
>
> news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...
>
> > With Protected Mode enabled, our signed plugins no longer operate as
> > they should due to limitations on where they can write files, etc.

>
> > Is there any way to get around this programmatically, without the
> > user
> > having to disable Protected Mode manually?

>
> > I must admit that I appreciate Microsoft's continued efforts
> > regarding
> > security, but the entire point of having signed plugins was so that
> > the user could explicitly grant trust to the plugin. Unsigned plugins
> > were not allowed by default in IE6. I'm not sure who thought that was
> > inadequate.

>
> > - Shawn


Reply With Quote
  #4 (permalink)  
Old 01-30-2008
Mark
 

Posts: n/a
Re: Protected Mode and Signed ActiveX Plugins
I will assume the ActiveX installation troubleshooting on page 78-82 didn't
help either.
Which would have led you here:
http://msdn2.microsoft.com/en-us/library/aa370813.aspx
Pay special attention to finding Vista folder paths.

Additionally, ActiveX needs to use Brokered Services for elevated tasks:
http://search.msdn.microsoft.com/sea...=00&lang=en-us
(I don't know which of these really apply, but there is a generic theme
related to your problem.)

Or, possibly:
In Vista, with UAC enabled, IE will refuse to run any code not packaged in
the CAB file.
If the hook statement contains a parameter with path, you need to put three
double quotes around the EXE.
For example:

[preInstall]
run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
(This will work in XP and 2000 also.)



<shalayka@gmail.com> wrote in message
news:baf74454-cb38-44b5-9f69-e2d630241c9a@i72g2000hsd.googlegroups.com...
Hi Mark,

Thank you for this document.

Neither the Visual Studio 2008 automatic manifest insertion via Linker
options, nor a manually inserted manifest resource causes a UAC popup
to occur (as hoped). I have tried the three obvious parameters:
asInvoker, highestAvailable, requireAdministrator.

- Shawn




On Jan 30, 7:20 am, "Mark" <jmhonz...@nospam.insightbb.com> wrote:
> Starting on page

70:http://download.microsoft.com/downlo...073-42f9-932b-...
>
> <shala...@gmail.com> wrote in message
>
> news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...
>
> > With Protected Mode enabled, our signed plugins no longer operate as
> > they should due to limitations on where they can write files, etc.

>
> > Is there any way to get around this programmatically, without the
> > user
> > having to disable Protected Mode manually?

>
> > I must admit that I appreciate Microsoft's continued efforts
> > regarding
> > security, but the entire point of having signed plugins was so that
> > the user could explicitly grant trust to the plugin. Unsigned plugins
> > were not allowed by default in IE6. I'm not sure who thought that was
> > inadequate.

>
> > - Shawn



Reply With Quote
  #5 (permalink)  
Old 01-31-2008
shalayka@gmail.com
 

Posts: n/a
Re: Protected Mode and Signed ActiveX Plugins
Hi Mark,

This is a single DLL plugin, inside of a signed CAB file. No external
executables are called, nor would I want to. If I ended up having to
call an executable, then there would be no point to using the DLL in
the first place.

I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem. So it appears the
problem, really, is protected mode completely ruins the benefit of
using signed plugins.

I'm not sure what ActiveX brokering is. Google comes up with 0 hits
that actually relate ActiveX DLLs and brokering.

Thank you though for your help.

- Shawn





On Jan 30, 2:39*pm, "Mark" <jmhonz...@nospam.insightbb.com> wrote:
> I will assume the ActiveX installation troubleshooting on page 78-82 didn't
> help either.
> Which would have led you here:http://msdn2.microsoft.com/en-us/library/aa370813.aspx
> Pay special attention to finding Vista folder paths.
>
> Additionally, ActiveX needs to use Brokered Services for elevated tasks:http://search.msdn.microsoft.com/sea...ery=broker+act...
> (I don't know which of these really apply, but there is a generic theme
> related to your problem.)
>
> Or, possibly:
> In Vista, with UAC enabled, IE will refuse to run any code not packaged in
> the CAB file.
> If the hook statement contains a parameter with path, you need to put three
> double quotes around the EXE.
> For example:
>
> * [preInstall]
> * * run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
> (This will work in XP and 2000 also.)
>
> <shala...@gmail.com> wrote in message
>
> news:baf74454-cb38-44b5-9f69-e2d630241c9a@i72g2000hsd.googlegroups.com...
> Hi Mark,
>
> Thank you for this document.
>
> Neither the Visual Studio 2008 automatic manifest insertion via Linker
> options, nor a manually inserted manifest resource causes a UAC popup
> to occur (as hoped). I have tried the three obvious parameters:
> asInvoker, highestAvailable, requireAdministrator.
>
> - Shawn
>
> On Jan 30, 7:20 am, "Mark" <jmhonz...@nospam.insightbb.com> wrote:> Starting on page
>
> 70:http://download.microsoft.com/downlo...073-42f9-932b-....
>
>
>
> > <shala...@gmail.com> wrote in message

>
> >news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...

>
> > > With Protected Mode enabled, our signed plugins no longer operate as
> > > they should due to limitations on where they can write files, etc.

>
> > > Is there any way to get around this programmatically, without the
> > > user
> > > having to disable Protected Mode manually?

>
> > > I must admit that I appreciate Microsoft's continued efforts
> > > regarding
> > > security, but the entire point of having signed plugins was so that
> > > the user could explicitly grant trust to the plugin. Unsigned plugins
> > > were not allowed by default in IE6. I'm not sure who thought that was
> > > inadequate.

>
> > > - Shawn


Reply With Quote
  #6 (permalink)  
Old 01-31-2008
Mark
 

Posts: n/a
Re: Protected Mode and Signed ActiveX Plugins
"I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem."

This issue you are experiencing is not a matter of being signed, or not
signed. It's Vista and IE7 permission levels to run elevated tasks from
within IE7 while in protected mode. All ActiveX is given the lowest level of
access until installed properly while in Protected Mode. (Hence, it works
when not in protected mode.) This lowest level means any functions called
requiring higher elevation fail unless the user acknowledges the task as
appropriate. The user will not receive a prompt unless the installation
follows the required protocols. Without the prompt, this simply fails to
install.

So, there are two areas of concern:
First, assuming the user gets a prompt, is the "silent failure" caused when
the user may have moved their Documents folder away from the default. As a
result, the XP/2000 commands may not work in Vista and attempts to write to
the Documents folder may produce Error 1320 (if ran as administrator), or no
errors posted (if run as user):
http://msdn2.microsoft.com/en-us/lib...06(VS.85).aspx

Second, creating a folder in a user's profile (Documents folder) is an
elevated task (as is registering the DLL), so I mentioned brokering
services. Please see the following link on this functionality while in
protected mode:
http://msdn2.microsoft.com/en-us/library/bb250462.aspx

I suspect, the second article is closest to your solution. (I only mentioned
the external executable because on occassion, DLLs have been known to seek
external functions.)

Using the following search on MSDN, I found 147 hits: (broker activex dll
vista signed)
http://search.msdn.microsoft.com/sea...20dll%20signed

The links provided in the other messages give more information on this path.

Good luck,
(I'll let someone else chime in since I'm running into a dead end for you.)

Mark




<shalayka@gmail.com> wrote in message
news:659417c8-aad2-4fde-9184-66e607080944@j78g2000hsd.googlegroups.com...
Hi Mark,

This is a single DLL plugin, inside of a signed CAB file. No external
executables are called, nor would I want to. If I ended up having to
call an executable, then there would be no point to using the DLL in
the first place.

I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem. So it appears the
problem, really, is protected mode completely ruins the benefit of
using signed plugins.

I'm not sure what ActiveX brokering is. Google comes up with 0 hits
that actually relate ActiveX DLLs and brokering.

Thank you though for your help.

- Shawn





On Jan 30, 2:39 pm, "Mark" <jmhonz...@nospam.insightbb.com> wrote:
> I will assume the ActiveX installation troubleshooting on page 78-82

didn't
> help either.
> Which would have led you

here:http://msdn2.microsoft.com/en-us/library/aa370813.aspx
> Pay special attention to finding Vista folder paths.
>
> Additionally, ActiveX needs to use Brokered Services for elevated

tasks:http://search.msdn.microsoft.com/sea...ery=broker+act.
...
> (I don't know which of these really apply, but there is a generic theme
> related to your problem.)
>
> Or, possibly:
> In Vista, with UAC enabled, IE will refuse to run any code not packaged in
> the CAB file.
> If the hook statement contains a parameter with path, you need to put

three
> double quotes around the EXE.
> For example:
>
> [preInstall]
> run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
> (This will work in XP and 2000 also.)
>
> <shala...@gmail.com> wrote in message
>
> news:baf74454-cb38-44b5-9f69-e2d630241c9a@i72g2000hsd.googlegroups.com...
> Hi Mark,
>
> Thank you for this document.
>
> Neither the Visual Studio 2008 automatic manifest insertion via Linker
> options, nor a manually inserted manifest resource causes a UAC popup
> to occur (as hoped). I have tried the three obvious parameters:
> asInvoker, highestAvailable, requireAdministrator.
>
> - Shawn
>
> On Jan 30, 7:20 am, "Mark" <jmhonz...@nospam.insightbb.com> wrote:>

Starting on page
>
>

70:http://download.microsoft.com/downlo...073-42f9-932b-...
>
>
>
> > <shala...@gmail.com> wrote in message

>
> >news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@u10g2000prn.googlegroups.com...

>
> > > With Protected Mode enabled, our signed plugins no longer operate as
> > > they should due to limitations on where they can write files, etc.

>
> > > Is there any way to get around this programmatically, without the
> > > user
> > > having to disable Protected Mode manually?

>
> > > I must admit that I appreciate Microsoft's continued efforts
> > > regarding
> > > security, but the entire point of having signed plugins was so that
> > > the user could explicitly grant trust to the plugin. Unsigned plugins
> > > were not allowed by default in IE6. I'm not sure who thought that was
> > > inadequate.

>
> > > - Shawn



Reply With Quote
  #7 (permalink)  
Old 05-21-2008
RFaux
 

Posts: n/a
Re: Protected Mode and Signed ActiveX Plugins

Mark;591241 Wrote:
> I will assume the ActiveX installation troubleshooting on page 78-82
> didn't
> help either.
> Which would have led you here:
> 'Per-user Installations (Windows)'
> (http://msdn2.microsoft.com/en-us/library/aa370813.aspx)
> Pay special attention to finding Vista folder paths.
>
> Additionally, ActiveX needs to use Brokered Services for elevated
> tasks:
> 'MSDN Enhanced Search'
> (http://search.msdn.microsoft.com/sea...=00&lang=en-us)
> (I don't know which of these really apply, but there is a generic
> theme
> related to your problem.)
>
> Or, possibly:
> In Vista, with UAC enabled, IE will refuse to run any code not packaged
> in
> the CAB file.
> If the hook statement contains a parameter with path, you need to put
> three
> double quotes around the EXE.
> For example:
>
> [preInstall]
> run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
> (This will work in XP and 2000 also.)
>
>
>
> <shalayka@xxxxxx> wrote in message
> news:baf74454-cb38-44b5-9f69-e2d630241c9a@xxxxxx
> Hi Mark,
>
> Thank you for this document.
>
> Neither the Visual Studio 2008 automatic manifest insertion via Linker
> options, nor a manually inserted manifest resource causes a UAC popup
> to occur (as hoped). I have tried the three obvious parameters:
> asInvoker, highestAvailable, requireAdministrator.
>
> - Shawn
>
>
>
>
> On Jan 30, 7:20 am, "Mark" <jmhonz...@xxxxxx> wrote:
> 70:http://download.microsoft.com/downlo...073-42f9-932b-...



I want to thank Shawn for this helpful info! - highlighted in red.
This small change allows my cab file to run on Vista with the UAC on.
Question - what does simply addding some quotes in the .inf file do?

Thanks again


--
RFaux
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: Protected Mode PA Bear [MS MVP] microsoft.public.windows.vista.security 17 02-17-2008 04:25
Protected mode ON vs Protected mode OFF StephaneR microsoft.public.windows.vista.security 6 12-12-2007 17:11
Launching medium integrity process from activex in IE protected mode fleet_captain@hotmail.com microsoft.public.windows.vista.security 0 11-16-2007 09:01
Re: mailto from Protected Mode: Off to Protected Mode: On Robert Aldwinckle microsoft.public.windows.vista.mail 4 09-18-2007 13:56
BSOD - just started - safe mode works perfect - all drivers signed =?Utf-8?B?bWlja3J1c3NvbQ==?= microsoft.public.windows.vista.general 11 04-13-2007 19:51




All times are GMT +1. The time now is 02:29.




Driver Scanner - Free Scan Now

Vistaheads.com is part of the Heads Network. See also XPHeads.com , Win7Heads.com and Win8Heads.com.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.7
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.6.0 RC 2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120