Internet Explorer in Protected Mode – How the Low Integrity Environment Gets Created

Ever wondered what lies beneath the covers of Protected Mode Internet Explorer? Short answer, long explanation: mandatory integrity control (MIC).

Recap: Mandatory Integrity Control

During the development of Vista the developers at Microsoft felt that the traditional ACL-based mechanism to control access to system resources was not enough. The ACL model grants all processes run by a user specific permissions on system resources like files and registry keys. While this is a powerful thing and well-suited for “normal” applications, programs like Internet Explorer are under much heavier attack by malware than, say, your average text editor. Once an IE process has been corrupted by exploiting a security hole, the attacking software can write to any location on the system the currently logged on user has access to. Not good.

Mandatory integrity control adds another layer of security. In a nutshell, it works like this: each securable object has a label that puts it into one of three categories: low, medium or high security. Each process has a complementary label marking it as untrustworthy, normal or trustworthy. Normal processes can write to objects with the levels medium or low. Untrustworthy processes can only write to low security objects.

Sandboxing IE

Using mandatory integrity control, Microsoft put Internet Explorer in a kind of sandbox. By default, IE runs in protected mode with a low integrity level (IL). As a low IL process, IE can only write to a handful of locations that have been specifically marked with an IL of low. Here is a list of the locations IE in protected mode can write to:

  • %USERPROFILE%\AppData\LocalLow
  • %USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low
  • %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
  • %USERPROFILE%\AppData\Local\Temp\Low
  • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies\Low

Note: The favorites folder is shared between protected mode and “normal” IE processes.

Creating the Sandbox

Who creates the low integrity folders for IE? They are, after all, marked with a special label that normal folders lack. IE cannot very well create them itself – that would resemble Baron Münchhausen’s trick of getting himself out of the mud by pulling on his hairs.

Well, protected mode IE, as a low IL process, cannot create folders in medium integrity locations – but “normal” IE can. Thus, the following happens when you start protected mode IE:

  1. IE starts as a medium integrity process.
  2. “Medium” IE checks for the existence of the “low” versions of its folders. If necessary, it creates them.
  3. “Medium” IE proceeds to check for the integrity level of its low level folders. If necessary, it sets their IL to low.
  4. “Medium” IE then launches another instance of itself – but this time as a low IL process.
  5. Et voilà – protected mode IE finds its environment correctly configured.

References

Mark Russinovich – Inside Windows Vista User Account Control
MSDN – Understanding and Working in Protected Mode Internet Explorer

,

4 Responses to Internet Explorer in Protected Mode – How the Low Integrity Environment Gets Created

  1. Timothy Chung October 7, 2009 at 01:48 #

    No matter how hard I have tried, I cannot get access to Internet Explorer Protected Mode. Please help. Thank you very much.

    Timothy Chung

  2. Thilo April 30, 2012 at 13:25 #

    It seems that, if we’re using Roaming Profiles with redirected APPDATA, the Low-folders are not recreated (after Logon) – and so printing of “Internet Zone” websites isn’t working if Protected Mode is on. We’re deleting local profiles after Logoff.

  3. Thilo April 30, 2012 at 14:37 #

    It’s not this problem. We’re on Windows 7 Sp1. But rather it’s this problem: http://support.microsoft.com/kb/973479.
    Solution from MS will be: create %temp%\low folder (and set integrity level) during logon script.

Leave a Reply