File Virtualization in IE7+ Protected Mode breaking my ActiveX Con

[Guest]

Hello,

I have just started working with Beta 2 of Vista and have been trying to fix
a problem I've found with the ActiveX control I'm developing that only
happens when running IE in Protected Mode and after some debugging, I believe
is related to the file virtualization feature.

A quick overview first -- we're a game company and the goal is to host our
games in the web browser. We've got a control that downloads a cab file
containing the game, lets the user verify the signature on the game, then
extracts the CAB and runs the game contained within it.

Under IE6 and IE7 on earlier platforms (XP, 2000, 98SE) this works just
fine, but under Vista I'm seeing two problems:

1) The verify signature dialog does display for the game, but it does not
display the publisher information (it shows as untrusted)
2) About half of the cab extraction succeeds and then I get an error code 3
(this is from SetupIterateCabinetA). I think it is possible this is
happening once the virtualized file names approach MAX_PATH, but that's just
a guess so far.

Turning off protected mode fixes both of these problems.

I can give a link to the control if necessary, but I would prefer not to
post it on the newsgroup. Please contact me at <first initial last name at
mind-control.com>

Any help would be appreciated!

Thanks,
Matthew Douglass
Mind Control Software, Inc.

 

[Josh]

Matthew,

I would highly recommend you revaluate your use of ActiveX. It is a sunset
technology that Microsoft is de-emphasising. It is also inherintly insecure
and is trying to write to areas like C:\windows\downloaded program files
that in the future users will be less likely to write too. This, if i am
not mistaken, will also not qualify for "logo".

anyway, Part of the "protected mode" IE is probably your problem. With
Protected mode enabled you are restricted to writing to only the TIF
(trusted internet files) folder. So your setup if probably failing to write
to a location and is unable to handle the event. I also beive IE is
compiled so as to not VERT (a manifest)


Josh
http://windowsconnected.com

 

[Josh]

http://msdn.microsoft.com/ie/default.aspx?pull=/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp


Q: Does UAP file and registry Virtualization apply to Protected Mode?

A: No, UAP Virtualization does not apply to Protected Mode and, therefore,
write access to Protected Mode extensions that write to sensitive areas will
not be redirected.

Protected Mode also does not have write access to the redirected or virtual
store for system areas. Extensions running in Protected Mode get an Access
Denied error when they attempt to write to sensitive system areas.

Q: Are there specific locations in the USER PROFILE or HKEY_CURRENT_USER
registry location that an extension in Protected Mode Internet Explorer can
not write to?

A: Yes, Internet Explorer-specific locations in the following USER PROFILE
folders or HKEY_CURRENT_USER registry locations will return an Access Denied
error:

Documents and Settings\%USER PROFILE%...
....\Local Settings\Temporary Internet Files
....\Local Settings\Temp
....\Local Settings\History
....\%USER PROFILE%\Favorites
....\%USER PROFILE%\Cookies

HKCU\Software\...
....\Classes
....\Microsoft\Windows
....\Microsoft\Internet Explorer

Furthermore, extensions that attempt to gain write access to securable
objects by using an API function in one of the following binaries will
receive Access Denied errors.


Internet Explorer binaries
BrowseUI.dll IEFrame.dll MsHtmlEd.dll ShDocVw.dll
DxtMsft.dll InetCpl.dll MsTime.dll UrlMon.dll
DxTrans.dll MsHtml.dll Peers.dll WinInet.dll
Other Binaries
AdvApi.dll CorPol.dll NtDll.dll WinTrust.dll
ComCtl32.dll Crypt32.dll SChannel.dll
ComDlg32.dll Kernel32.dll Secure32.dll

Josh
http://windowsconnected.com

 

[Guest]

Well if you've got another way I can host a DirectX-based game in the web
browser, please let me know -- I certainly wouldn't mind ditching ActiveX.

Anyway, I should have said this in my email, but my program is very careful
to only write to areas that it reasonably ought to have access to.
Specifically, only underneath CSIDL_APPDATA. And the writes are partially
successful -- about half the files written in that folder are able to be
extracted from the CAB before SetupIterateCabinetA fails with an error code 3.

 

[Josh]

I am not a coder, so can't give you a direct replacement, I have seen some
cool click once apps though...something to look into...

My recommendation would be to redo your setup as an MSI, that way you are
running as local system. You will lose the automation that ActiveX has
today on many systems, but you would lose that anyway as Microsoft
transitions to the more secure Windows Vista platform. Infact you will
probably end up with fewer prompts by going MSI.


Josh