How to Access AppData in IE Protected Mode (from a Managed BHO)

4

10

I am writing an IE Extension (BHO) in C#. When run in protected mode (IE's new UAC-compliant mode which forces all extensions to run at low-integrity), it fails because it cannot access user.config in the appdata folder.

Is there some way to mark files as readable by lower-integrity processes?

Failing that, is there some way to force the BHO to run at medium-level integrity?

Failing that, is there some way to create a low-integrity symlink in the low-integrity folders which points to a medium-integrity file in AppData?

Failing that, is there some way to force the application to use a user.config file in the LocalLow folder? How do I get the path for this folder in .NET (it's not listed under Environment.SpecialFolder)? Will I be able to fall back with users running XP or who turn protected mode off, without losing all their user.config data?

Aggravation answered 2/1, 2010 at 20:39 Comment(1)
Writing Internet Explorer extensions in Managed Code is strongly discouraged for performance and reliability reasons. - Alvin
7

There's one approach that is not especially elegant, but you can start another (broker) process with medium-level integrity which can do the 'dirty work' and use IPC to communicate with it. To make your life easier I would suggest you use sockets for communication because they don't require security checks, which can be tricky when you have communication between processes with different integrity levels.

In order to skip the UAC warning when you spawn a new process, you can modify the BHO registration script and add a few registry values that will inform IE to silently elevate the new process to medium level.

You can find more information here: http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx#wpm_elebp

Dutra answered 18/1, 2010 at 23:28 Comment(3)
lovely, yet another MS hack to allow a low trust app to start a higher trust app. - Presentiment
@David: Except you needed High Trust to install the BHO in the first place. - Alveolate
As the owner of this area for several years, I can assure you that this is generally the correct answer, and it should be accepted. Rather than sockets, you should probably use ACL'd named pipes, which work even in the face of AppContainer network restrictions introduced in IE10+. - Alvin
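The registry values the answer above refers to are the Protected Mode elevation policy entries described in the linked MSDN article. A C# sketch of writing them follows; it is an added example, not code from the answer. The class name, the placeholder GUID, the Program Files check and the use of the process's default registry view are assumptions made for illustration.

```csharp
using System;
using System.IO;
using Microsoft.Win32;

// Added example. BrokerElevationPolicy and PolicyId are hypothetical names/values.
public static class BrokerElevationPolicy
{
    const string PolicyRoot =
        @"SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy";

    // Placeholder: generate your own GUID for the broker's policy entry.
    static readonly Guid PolicyId = new Guid("00000000-0000-0000-0000-000000000001");

    // Policy = 3: Protected Mode launches the broker at medium integrity without prompting.
    const int SilentMediumIntegrity = 3;

    // Call from the elevated installer / COM registration step (needs write access to HKLM).
    public static void Register(string brokerExePath)
    {
        string fullPath = Path.GetFullPath(brokerExePath);
        if (!File.Exists(fullPath))
            throw new FileNotFoundException("Broker executable not found.", fullPath);

        // Assumption (added hardening): any low-integrity code can ask IE to launch a
        // registered broker, so only accept a path under Program Files, which
        // standard users cannot write to.
        string programFiles = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
        if (!fullPath.StartsWith(programFiles + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Broker must be installed under Program Files.");

        // Assumption: the installer's default registry view is the one IE reads.
        string keyPath = PolicyRoot + @"\" + PolicyId.ToString("B");
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(keyPath))
        {
            key.SetValue("AppName", Path.GetFileName(fullPath), RegistryValueKind.String);
            key.SetValue("AppPath", Path.GetDirectoryName(fullPath), RegistryValueKind.String);
            key.SetValue("Policy", SilentMediumIntegrity, RegistryValueKind.DWord);
        }
    }

    public static void Unregister()
    {
        using (RegistryKey root = Registry.LocalMachine.OpenSubKey(PolicyRoot, true))
        {
            if (root != null)
                root.DeleteSubKey(PolicyId.ToString("B"), false); // no throw if missing
        }
    }
}
```

Because the broker runs at medium integrity on behalf of low-integrity callers, it should expose only narrow operations (for example, reading or writing named settings) and never accept arbitrary file paths or commands over the IPC channel.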
1

I would start with the Protected Mode Internet Explorer Reference.

Automaton answered 26/3, 2010 at 18:5 Comment(1)
The user.config is in a high-integrity folder, this only gives you access to low-integrity folders. - Aggravation
0

I suggest you write your own SettingsProvider that saves files in System.IO.IsolatedStorage.

Marquise answered 8/1, 2010 at 19:31 Comment(0)
0

You get one-shot privileged access during RegisterBHO. After that you are in protected mode.

If you need to change long term storage during the runtime of the BHO, I have found that the registry is the best place. Your changes will be only visible to you, but they will persist.

Armidaarmiger answered 5/4, 2012 at 21:25 Comment(0)
