Protected Mode and Signed ActiveX Plugins


Guest shalayka@gmail.com
Posted

With Protected Mode enabled, our signed plugins no longer operate as they should due to limitations on where they can write files, etc.

Is there any way to get around this programmatically, without the user having to disable Protected Mode manually?

I must admit that I appreciate Microsoft's continued efforts regarding security, but the entire point of having signed plugins was so that the user could explicitly grant trust to the plugin. Unsigned plugins were not allowed by default in IE6. I'm not sure who thought that was inadequate.

- Shawn

Posted

Starting on page 70:

http://download.microsoft.com/download/5/6...aUACDevReqs.doc

 

 


Guest shalayka@gmail.com
Posted

Hi Mark,

Thank you for this document.

Neither the Visual Studio 2008 automatic manifest insertion via Linker options, nor a manually inserted manifest resource causes a UAC popup to occur (as hoped). I have tried the three obvious parameters: asInvoker, highestAvailable, requireAdministrator.

- Shawn

 

 

 

 


Posted

I will assume the ActiveX installation troubleshooting on page 78-82 didn't help either.
Which would have led you here:
http://msdn2.microsoft.com/en-us/library/aa370813.aspx
Pay special attention to finding Vista folder paths.

Additionally, ActiveX needs to use Brokered Services for elevated tasks:
http://search.msdn.microsoft.com/search/De...t=00&lang=en-us
(I don't know which of these really apply, but there is a generic theme related to your problem.)

Or, possibly:
In Vista, with UAC enabled, IE will refuse to run any code not packaged in the CAB file.
If the hook statement contains a parameter with path, you need to put three double quotes around the EXE.
For example:

  [preInstall]
    run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%

(This will work in XP and 2000 also.)

 

 

 


Guest shalayka@gmail.com
Posted

Hi Mark,

This is a single DLL plugin, inside of a signed CAB file. No external executables are called, nor would I want to. If I ended up having to call an executable, then there would be no point to using the DLL in the first place.

I try creating a folder in the user's documents folder, but it fails. Disabling protected mode fixes this problem. So it appears the problem, really, is protected mode completely ruins the benefit of using signed plugins.

I'm not sure what ActiveX brokering is. Google comes up with 0 hits that actually relate ActiveX DLLs and brokering.

Thank you though for your help.

- Shawn

 

 

 

 

 


Posted

"I try creating a folder in the user's documents folder, but it fails. Disabling protected mode fixes this problem."

This issue you are experiencing is not a matter of being signed, or not signed. It's Vista and IE7 permission levels to run elevated tasks from within IE7 while in protected mode. All ActiveX is given the lowest level of access until installed properly while in Protected Mode. (Hence, it works when not in protected mode.) This lowest level means any functions called requiring higher elevation fail unless the user acknowledges the task as appropriate. The user will not receive a prompt unless the installation follows the required protocols. Without the prompt, this simply fails to install.

So, there are two areas of concern:
First, assuming the user gets a prompt, is the "silent failure" caused when the user may have moved their Documents folder away from the default. As a result, the XP/2000 commands may not work in Vista and attempts to write to the Documents folder may produce Error 1320 (if run as administrator), or no errors posted (if run as user):
http://msdn2.microsoft.com/en-us/library/a...806(VS.85).aspx

Second, creating a folder in a user's profile (Documents folder) is an elevated task (as is registering the DLL), so I mentioned brokering services. Please see the following link on this functionality while in protected mode:
http://msdn2.microsoft.com/en-us/library/bb250462.aspx

I suspect the second article is closest to your solution. (I only mentioned the external executable because on occasion, DLLs have been known to seek external functions.)

Using the following search on MSDN, I found 147 hits: (broker activex dll vista signed)
http://search.msdn.microsoft.com/search/De...%20dll%20signed

The links provided in the other messages give more information on this path.

Good luck,
(I'll let someone else chime in since I'm running into a dead end for you.)

Mark
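
Added example, not part of the original thread or of any poster's code: Protected Mode runs Internet Explorer at Low integrity, while an unlabelled folder such as Documents is treated as Medium, which is why the plugin's write fails without any prompt. The PowerShell below reads those labels with icacls and shows an install-time step that labels one dedicated folder Low; the folder name PluginData is hypothetical, and English icacls/whoami output on Windows Vista or later is assumed.

```powershell
# Added example, not from the thread. Assumes Windows Vista or later, English
# tool output, and a hypothetical plugin folder name "PluginData".

function Get-IntegrityLabel {
    param([Parameter(Mandatory = $true)][string]$Path)
    # icacls lists a "Mandatory Label\<Level> Mandatory Level" entry only when the
    # object carries an explicit label; an unlabelled object is treated as Medium.
    $out = & icacls.exe $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for '$Path': $out" }
    $hit = $out | Select-String -Pattern 'Mandatory Label\\(\w+) Mandatory Level' |
           Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'Medium (no explicit label)' }
}

# Documents is resolved through the shell, so a relocated Documents folder is followed.
$docs     = [Environment]::GetFolderPath('MyDocuments')
$localLow = Join-Path $env:USERPROFILE 'AppData\LocalLow'

# Integrity level of this shell, for comparison with the Low level of Protected Mode.
$self = whoami.exe /groups | Select-String 'Mandatory Label' | Select-Object -First 1
"This process : $($self.Line.Trim())"
"Documents    : $(Get-IntegrityLabel $docs)"
"LocalLow     : $(Get-IntegrityLabel $localLow)"

# Install-time step, run as the user at Medium integrity (not from inside the plugin):
# create one dedicated folder and label only that folder Low, so the plugin can write
# there while the rest of Documents keeps its default protection.
$target = Join-Path $docs 'PluginData'   # hypothetical folder name
New-Item -ItemType Directory -Path $target -Force | Out-Null
& icacls.exe $target /setintegritylevel '(OI)(CI)L' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not label '$target'" }
"PluginData   : $(Get-IntegrityLabel $target)"

# Any Low-integrity process can now write to $target, so code running at a higher
# level must treat files found there as untrusted input.
```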

 

 

 

 


  • 3 months later...
Guest RFaux
Posted

Mark;591241 Wrote:
> I will assume the ActiveX installation troubleshooting on page 78-82 didn't help either.
> Which would have led you here:
> 'Per-user Installations (Windows)' (http://msdn2.microsoft.com/en-us/library/aa370813.aspx)
> Pay special attention to finding Vista folder paths.
>
> Additionally, ActiveX needs to use Brokered Services for elevated tasks:
> 'MSDN Enhanced Search' (http://search.msdn.microsoft.com/search/De...t=00&lang=en-us)
> (I don't know which of these really apply, but there is a generic theme related to your problem.)
>
> Or, possibly:
> In Vista, with UAC enabled, IE will refuse to run any code not packaged in the CAB file.
> If the hook statement contains a parameter with path, you need to put three double quotes around the EXE.
> For example:
>
> [preInstall]
> run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
> (This will work in XP and 2000 also.)
>
> <shalayka@xxxxxx> wrote in message
> news:baf74454-cb38-44b5-9f69-e2d630241c9a@xxxxxx
> Hi Mark,
>
> Thank you for this document.
>
> Neither the Visual Studio 2008 automatic manifest insertion via Linker options, nor a manually inserted manifest resource causes a UAC popup to occur (as hoped). I have tried the three obvious parameters: asInvoker, highestAvailable, requireAdministrator.
>
> - Shawn
>
> On Jan 30, 7:20 am, "Mark" <jmhonz...@xxxxxx> wrote:
> 70:http://download.microsoft.com/download/5/6...e073-42f9-932b-...

I want to thank Shawn for this helpful info! - highlighted in red.
This small change allows my cab file to run on Vista with the UAC on.
Question - what does simply adding some quotes in the .inf file do?

Thanks again

--
RFaux
