Vista - Protected Mode and Signed ActiveX Plugins

With Protected Mode enabled, our signed plugins no longer operate as
they should due to limitations on where they can write files, etc.

Is there any way to get around this programmatically, without the
user
having to disable Protected Mode manually?

I must admit that I appreciate Microsoft's continued efforts
regarding
security, but the entire point of having signed plugins was so that
the user could explicitly grant trust to the plugin. Unsigned plugins
were not allowed by default in IE6. I'm not sure who thought that was
inadequate.

- Shawn

Starting on page 70:
http://download.microsoft.com/downlo...UACDevReqs.doc


<shalayka@xxxxxx> wrote in message
news:a36f3eb4-8b01-46e2-8b95-fc0c77915dcb@xxxxxx

Hi Mark,

Thank you for this document.

Neither the Visual Studio 2008 automatic manifest insertion via Linker
options, nor a manually inserted manifest resource causes a UAC popup
to occur (as hoped). I have tried the three obvious parameters:
asInvoker, highestAvailable, requireAdministrator.

- Shawn




On Jan 30, 7:20*am, "Mark" <jmhonz...@xxxxxx> wrote:

I will assume the ActiveX installation troubleshooting on page 78-82 didn't
help either.
Which would have led you here:
http://msdn2.microsoft.com/en-us/library/aa370813.aspx
Pay special attention to finding Vista folder paths.

Additionally, ActiveX needs to use Brokered Services for elevated tasks:
http://search.msdn.microsoft.com/sea...=00&lang=en-us
(I don't know which of these really apply, but there is a generic theme
related to your problem.)

Or, possibly:
In Vista, with UAC enabled, IE will refuse to run any code not packaged in
the CAB file.
If the hook statement contains a parameter with path, you need to put three
double quotes around the EXE.
For example:

[preInstall]
run="""%EXTRACT_DIR%\PrepareInstall.exe""" %OBJECT_DIR%
(This will work in XP and 2000 also.)



<shalayka@xxxxxx> wrote in message
news:baf74454-cb38-44b5-9f69-e2d630241c9a@xxxxxx
Hi Mark,

Thank you for this document.

Neither the Visual Studio 2008 automatic manifest insertion via Linker
options, nor a manually inserted manifest resource causes a UAC popup
to occur (as hoped). I have tried the three obvious parameters:
asInvoker, highestAvailable, requireAdministrator.

- Shawn




On Jan 30, 7:20 am, "Mark" <jmhonz...@xxxxxx> wrote:70:http://download.microsoft.com/downlo...073-42f9-932b-...

Hi Mark,

This is a single DLL plugin, inside of a signed CAB file. No external
executables are called, nor would I want to. If I ended up having to
call an executable, then there would be no point to using the DLL in
the first place.

I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem. So it appears the
problem, really, is protected mode completely ruins the benefit of
using signed plugins.

I'm not sure what ActiveX brokering is. Google comes up with 0 hits
that actually relate ActiveX DLLs and brokering.

Thank you though for your help.

- Shawn





On Jan 30, 2:39*pm, "Mark" <jmhonz...@xxxxxx> wrote:

"I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem."

This issue you are experiencing is not a matter of being signed, or not
signed. It's Vista and IE7 permission levels to run elevated tasks from
within IE7 while in protected mode. All ActiveX is given the lowest level of
access until installed properly while in Protected Mode. (Hence, it works
when not in protected mode.) This lowest level means any functions called
requiring higher elevation fail unless the user acknowledges the task as
appropriate. The user will not receive a prompt unless the installation
follows the required protocols. Without the prompt, this simply fails to
install.

So, there are two areas of concern:
First, assuming the user gets a prompt, is the "silent failure" caused when
the user may have moved their Documents folder away from the default. As a
result, the XP/2000 commands may not work in Vista and attempts to write to
the Documents folder may produce Error 1320 (if ran as administrator), or no
errors posted (if run as user):
http://msdn2.microsoft.com/en-us/lib...06(VS.85).aspx

Second, creating a folder in a user's profile (Documents folder) is an
elevated task (as is registering the DLL), so I mentioned brokering
services. Please see the following link on this functionality while in
protected mode:
http://msdn2.microsoft.com/en-us/library/bb250462.aspx

I suspect, the second article is closest to your solution. (I only mentioned
the external executable because on occassion, DLLs have been known to seek
external functions.)

Using the following search on MSDN, I found 147 hits: (broker activex dll
vista signed)
http://search.msdn.microsoft.com/sea...20dll%20signed

The links provided in the other messages give more information on this path.

Good luck,
(I'll let someone else chime in since I'm running into a dead end for you.)

Mark




<shalayka@xxxxxx> wrote in message
news:659417c8-aad2-4fde-9184-66e607080944@xxxxxx
Hi Mark,

This is a single DLL plugin, inside of a signed CAB file. No external
executables are called, nor would I want to. If I ended up having to
call an executable, then there would be no point to using the DLL in
the first place.

I try creating a folder in the user's documents folder, but it fails.
Disabling protected mode fixes this problem. So it appears the
problem, really, is protected mode completely ruins the benefit of
using signed plugins.

I'm not sure what ActiveX brokering is. Google comes up with 0 hits
that actually relate ActiveX DLLs and brokering.

Thank you though for your help.

- Shawn





On Jan 30, 2:39 pm, "Mark" <jmhonz...@xxxxxx> wrote:didn'there:http://msdn2.microsoft.com/en-us/library/aa370813.aspxtasks:http://search.msdn.microsoft.com/sea...ery=broker+act.
...threeStarting on page70:http://download.microsoft.com/downlo...073-42f9-932b-...

I want to thank Shawn for this helpful info! - highlighted in red.
This small change allows my cab file to run on Vista with the UAC on.
Question - what does simply addding some quotes in the .inf file do?

Thanks again