How to write custom .adm and .admx administrative template files to provide an elevation policy for protected mode in Internet Explorer 7.0 (918239)



The information in this article applies to:

  • Microsoft Internet Explorer 7.0

Beta Information

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about how to obtain support for a Beta release, see the documentation that is included with the Beta product files, or check the Web location where you downloaded the release.
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

In Windows Vista, securable objects automatically inherit the integrity level of the process that created them. Therefore, files or registry keys that are created in protected mode have low integrity. This means that a low integrity process can obtain write permission to the objects it creates. However, a low integrity process cannot gain write permission to medium or high integrity folders or files in the user's profile.

By default, when Microsoft Internet Explorer 7.0 runs in protected mode, extensions cannot access medium integrity or high integrity objects. This provides the best protection against malicious software attacks. When an extension requires access to higher integrity objects, the default Internet Explorer 7.0 behavior is to prompt the user for elevation through a dialog box. If the user confirms the elevation, a broker process is created with a higher integrity level. This broker process accesses the higher integrity object on behalf of Internet Explorer 7.0.

You can use the registry to override this default behavior so that the user is not prompted for elevation through a dialog box. This article describes how administrators can use .adm or .admx files to add the policy, "Enable customizing the elevation policy for Protected Mode," to enforce their desired elevation policy behavior for different applications.

INTRODUCTION

Elevation policy registry organization


You can create a broker GUID with the following values and change the default elevation policy:
  • AppName: A REG_SZ value for the executable file name.
  • AppPath: A REG_SZ value for the user-selected install location of the executable file.
  • CLSID: If your extension starts a COM server, add a REG_SZ value that contains the CLSID of your extension.
  • Policy: A DWORD value that indicates how protected mode should start the broker. The following table describes the supported values and their meanings.
    Value   Result
    3       Protected mode silently starts the broker as a medium integrity process.
    2       Protected mode prompts the user for permission to start the process. If permission is granted, the process is started as a medium integrity process.
    1       Protected mode silently starts the broker as a low integrity process.
    0       Protected mode prevents the process from starting.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

You will have to add the GUIDs as follows:
  • Add this GUID under the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy

  • Create a similar registry entry under one of the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy

Create the custom .adm file

To create the custom .adm file to include this policy, follow these steps:
  1. Define a list of the applications for which you want to configure the elevation policy. Decide which elevation policy you want for each of them. Use values 0-3 from the table that was described earlier in this article.
  2. Open a text editor such as Notepad and copy the following template into the Notepad file.

    Note The values represented by <APPNAME1>, <APPPATH1>, <CLSID1>, and <POLICY1> in this code and in the other code examples in this article are placeholders for the application name, its path, the CLSID, and the policy that is to be applied.
    CLASS USER
    CATEGORY !!WindowsComponents
    	CATEGORY !!InternetExplorer
    		POLICY !!ConfigureElevationPolicy
    			#if version >= 4
    			SUPPORTED !!SUPPORTED_IE7
    			#endif
    			KEYNAME "Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"
    			ACTIONLISTON
    				KEYNAME "Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>"
    				VALUENAME AppName       VALUE "<APPNAME1>"
    				VALUENAME AppPath       VALUE "<APPPATH1>"
    				VALUENAME CLSID         VALUE "<CLSID1>"
    				VALUENAME Policy        VALUE NUMERIC "<POLICY1>"
    			END ACTIONLISTON
    		END POLICY
    	END CATEGORY
    END CATEGORY
    
    CLASS MACHINE
    CATEGORY !!WindowsComponents
    	CATEGORY !!InternetExplorer
    		<POLICY ... END POLICY will be exactly same as that under class user>
    	END CATEGORY
    END CATEGORY
    
    
    [strings]
    SUPPORTED_IE7="At least Internet Explorer 7.0"
    WindowsComponents="Windows Components"
    InternetExplorer="Internet Explorer"
    ConfigureElevationPolicy="Enable customizing the elevation policy for Protected Mode"

    Create the .admx and .adml files

    To create the .admx and .adml files, use the following template instead of creating custom .adm template files. To populate this template with real values, follow step 3 in the same way as for .adm files. Repeat the block of code between <enabledList> and </enabledList> for the other applications.

    Create the ElevationPolicy.admx file
    <?xml version="1.0" encoding="utf-8"?>
    <policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="0.9" schemaVersion="0.9" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
      <policyNamespaces>
        <target prefix="ElevationPolicy" namespace="Microsoft.Policies.ElevationPolicy" />
        <using prefix="inetres" namespace="Microsoft.Policies.InternetExplorer" />
      </policyNamespaces>
      <resources minRequiredRevision="0.9" />
      <policies>
          <policy name="ConfigureElevationPolicy_1" class="User" displayName="$(string.ConfigureElevationPolicy)" key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy">
              <parentCategory ref="inetres:InternetExplorer" />
              <enabledList>
                 <item key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>" valueName="AppName">
                   <value>
                     <string><APPNAME1></string>
                   </value>
                 </item>
                 <item key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>" valueName="AppPath">
                   <value>
                      <string><APPPATH1></string>
                   </value>
                 </item>
                 <item key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>" valueName="CLSID">
                   <value>
                     <string><CLSID1></string>
                   </value>
                 </item>
                 <item key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>" valueName="Policy">
                   <value>
                     <decimal value="<POLICY1>" />
                   </value>
                 </item>
               </enabledList>
          </policy>
          <policy name="ConfigureElevationPolicy_2" class="Machine" displayName="$(string.ConfigureElevationPolicy)" key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy">
              <parentCategory ref="inetres:InternetExplorer" />
              <enabledList> <same as user policy above> </enabledList>
          </policy>
      </policies>
    </policyDefinitions>

    Create the ElevationPolicy.adml file

    <?xml version="1.0" encoding="utf-8"?>
    <policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="0.9" schemaVersion="0.9" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
      <displayName>enter display name here</displayName>
      <description>enter description here</description>
      <resources>
        <stringTable>
          <string id="ConfigureElevationPolicy">Enable customizing the elevation policy for Protected Mode</string>
        </stringTable>
      </resources>
    </policyDefinitionResources>

    Note You should put the .admx file under <%windir%>\policydefinitions and the .adml file under <%windir%>\policydefinitions\<%lang-dir%>. Run gpedit.msc to verify the results.
  3. Populate the policy template with the appropriate values. To do this, follow these steps.
    1. Generate a new GUID and replace <GUID1> in the code example with the new GUID.
    2. For the first application that you selected, write the executable name in place of <APPNAME1> and the path of the executable in place of <APPPATH1>. If your extension starts a COM server, add the CLSID of your extension in place of <CLSID1>. Write the elevation policy number 0-3 for the application in place of <POLICY1>.
    3. Replicate the block of code between <enabledList> and </enabledList> for all the other applications that you selected, and then repeat steps 3a and 3b to populate those blocks.
    4. Copy the policy that was created in step 3 under the CLASS MACHINE entry in the code.
  4. Save the file as an .adm file. For example, save it as ElevationPolicy.adm.
  5. To verify the results, do the following:
    1. Open Group Policy Object Editor.
    2. Locate Computer Configuration, and then expand Administrative Templates.
    3. Right-click Administrative Templates, and then click Add/Remove Templates. In the dialog box, click Add to add the ElevationPolicy.adm file that you created in step 4.
      Note The .admx files or .adml files must be put under <%windir%>\policydefinitions\. They cannot be added later by right-clicking in Group Policy Object Editor.
    4. Locate Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Internet Explorer.
    5. In the right panel, search for the new policy "Enable customizing the elevation policy for Protected Mode" and enable this policy.
    6. Examine the registry to verify that the desired registry entry is populated under the following subkey:

      HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy

    7. Repeat step 5c for the User Configuration. Examine the registry to verify that the desired registry entry is populated under the following subkey:

      HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy

Note Steps 3d, 4, and 5b are only for .adm files.
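As an added example (not Microsoft's code and not part of the original article), the following Python script renders the .adm template above for any number of applications: it assigns each application its own GUID subkey, validates that the Policy value is 0-3, and repeats the same POLICY under CLASS USER and CLASS MACHINE as steps 1 through 4 describe. The application list and its field names (name, path, clsid, policy, guid) are this example's own assumptions.

```python
import uuid

# Meaning of the Policy DWORD, taken from the article's table.
POLICY_MEANING = {
    3: "silently start the broker as a medium integrity process",
    2: "prompt the user; if permitted, start as a medium integrity process",
    1: "silently start the broker as a low integrity process",
    0: "prevent the process from starting",
}
KEY = r"Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"

def assign_guids(apps):
    """Step 3a: give every app one fresh GUID unless the caller supplied one."""
    return [dict(a, guid=a.get("guid") or "{%s}" % str(uuid.uuid4()).upper())
            for a in apps]

def action_list(apps):
    """One ACTIONLISTON block, one GUID subkey per app (step 3c); NUMERIC is unquoted."""
    lines = ["\t\t\tACTIONLISTON"]
    for app in apps:
        if app["policy"] not in POLICY_MEANING:
            raise ValueError(f"Policy must be 0-3, got {app['policy']!r}")
        lines.append(f'\t\t\t\tKEYNAME "{KEY}\\{app["guid"]}"')
        lines.append(f'\t\t\t\tVALUENAME AppName VALUE "{app["name"]}"')
        lines.append(f'\t\t\t\tVALUENAME AppPath VALUE "{app["path"]}"')
        if app.get("clsid"):  # only extensions that start a COM server need it
            lines.append(f'\t\t\t\tVALUENAME CLSID VALUE "{app["clsid"]}"')
        lines.append(f'\t\t\t\tVALUENAME Policy VALUE NUMERIC {app["policy"]}')
    lines.append("\t\t\tEND ACTIONLISTON")
    return lines

def policy_block(apps):
    """The POLICY ... END POLICY section of the article's template."""
    return ["\t\tPOLICY !!ConfigureElevationPolicy", "\t\t\t#if version >= 4",
            "\t\t\tSUPPORTED !!SUPPORTED_IE7", "\t\t\t#endif",
            f'\t\t\tKEYNAME "{KEY}"', *action_list(apps), "\t\tEND POLICY"]

def render_adm(apps):
    """Emit the same POLICY under CLASS USER and CLASS MACHINE (step 3d)."""
    apps = assign_guids(apps)  # assign once so both classes share the GUIDs
    out = []
    for cls in ("USER", "MACHINE"):
        out += [f"CLASS {cls}", "CATEGORY !!WindowsComponents",
                "\tCATEGORY !!InternetExplorer", *policy_block(apps),
                "\tEND CATEGORY", "END CATEGORY", ""]
    out += ["[strings]", 'SUPPORTED_IE7="At least Internet Explorer 7.0"',
            'WindowsComponents="Windows Components"',
            'InternetExplorer="Internet Explorer"',
            'ConfigureElevationPolicy="Enable customizing the elevation policy for Protected Mode"']
    return "\n".join(out) + "\n"
```

Write the returned text to ElevationPolicy.adm and add it through Add/Remove Templates as in step 5c.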

Modification Type: Major
Last Reviewed: 5/19/2006
Keywords: kbhowto kbinfo KB918239 kbAudITPRO