Event 1037 - Protected Mode

  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
  • Related topics

Logged Message

Windows Internet Explorer 8 and Windows Internet Explorer 7 running on Windows Vista function at a lower integrity level to protect users from a variety of attacks. Protected Mode Windows Internet Explorer restricts websites from writing to the registry and file systems on the local computer. Internet Explorer logs events when write access has been denied and when virtualization to a different location occurs.

What Is It?

Windows Vista Protected Mode reduces the severity of threats to both Internet Explorer and extensions running in Internet Explorer by eliminating the ability to install malicious code silently through software vulnerabilities. Protected Mode takes advantage of User Interface Privilege Isolation (UIPI) to block Internet Explorer from interacting with higher-integrity applications and system resources.

Protected Mode is an important step forward in security for Internet Explorer. It can help protect users from attack by running an Internet Explorer process with greatly restricted privileges on the Windows Vista operating system. While Protected Mode does not protect against all forms of attack, it significantly reduces the ability of an attack to write, to alter, or to destroy data on the user's machine, or to install malicious code.

While most Internet Explorer security features will be available in Internet Explorer for Windows XP Service Pack 2 (SP2) or later, Protected Mode is only available on Windows Vista because it is based on security features new to Windows Vista.

  • User Account Control (UAC) makes it easy to run without Administrator privileges. When users run programs with limited user privileges, they are safer from attack than when they run with Administrator privileges because Windows can restrict the malicious code from carrying out damaging actions.
  • The integrity mechanism restricts write access to securable objects by lower-integrity processes, much as user account group membership restricts the rights of users to access sensitive system components.
  • UIPI prevents processes from sending selected Windows messages and other USER APIs to processes running with higher integrity.

The Windows Vista security infrastructure enables Protected Mode to provide Internet Explorer with the privileges needed to browse the Web while withholding privileges needed to silently install programs or to modify sensitive system data.

Understanding Windows Vista's Integrity Mechanism

Windows Vista uses integrity-level labels for processes and other securable objects, an addition to the access control security mechanism of Windows. Integrity levels identify which Internet-facing programs are at higher risk of exploitation because they download untrustworthy content from unknown sources. Running these at-risk programs with more restricted permissions, or at a lower integrity level than other programs, reduces the ability of an exploit to modify the system or harm user data files.

Protected Mode uses the Windows Vista integrity mechanism to run the Internet Explorer process at Low integrity level. The main features of the integrity level mechanism in Windows Vista are as follows:

  • Securable objects, like files and registry keys, have security descriptors that define the integrity level, or level of privilege required for write access to the object. This integrity level is defined with a new mandatory access control entry (ACE) in the system access control list (SACL) called a mandatory label. Objects without mandatory labels have an implied default integrity level of Medium.
  • Processes have an integrity level defined in the security access token. In Protected Mode, Internet Explorer runs at a Low integrity level, applications started from the Start menu have a Medium integrity level, and applications that require Administrator permissions run with a High integrity level.
  • Low integrity processes cannot gain write access to objects at a higher integrity level, even if the user's security identifier (SID) has write access in the discretionary access control list (DACL). Windows Vista performs the integrity-level checks before user access permission checks.

All files and registry keys on Windows Vista have a default integrity level of Medium. A Low integrity process, like Internet Explorer in Protected Mode, will receive access denied errors when it tries to modify existing files.

Some folders have a Low integrity mandatory label. A Low integrity level process can create and modify files in Low integrity folders. For example, the Temporary Internet Files folder contains a folder called Low, which is a Low integrity folder. Additionally, the Windows Vista integrity mechanism automatically assigns Low integrity mandatory labels to securable objects, files, or other objects created by Low integrity-level processes. By default, child processes started by a Low integrity process will also run with a Low integrity level.

The following table shows supported integrity access levels and the privileges they confer.

Integrity Access Level (IL) | System Privileges
----------------------------+------------------------------------------------------------------
High                        | Administrative. The process can install files to the Program Files folder and write to sensitive registry areas such as HKEY_LOCAL_MACHINE.
Medium                      | User. The process can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER.
Low                         | Not Trusted. The process can only write to Low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry registry key.

For additional Protected Mode information, see Understanding and Working in Protected Mode Internet Explorer.

When Is This Event Logged?

This event is logged when Internet Explorer or its extensions attempt to write to securable objects in Protected Mode (and access is denied).

Example

A complete example would be too complex to re-create in this document, but the key points can be demonstrated by describing portions of one.

Let's say you have a Component Object Model (COM) component called FileManager and that this component exposes the following method through IDispatch:

  • CreateTextFile(path, content)

Path is a string containing the full path of the file you're creating (for instance, C:\Test.txt), and content is a string that is written to the new file. The method creates the specified file (overwriting it if it already exists) and then writes the text in the content parameter to the new file.

Here's a code snippet from the C++ source code for CreateTextFile:

#include <windows.h>

STDMETHODIMP CFileManager::CreateTextFile(
    /*[in]*/ BSTR path, /*[in]*/ BSTR content)
{
    HRESULT hr = S_OK;

    // Create the file (overwrite if it already exists). In Protected Mode this
    // call fails with ERROR_ACCESS_DENIED for Medium or High integrity locations.
    HANDLE hFile = CreateFileW(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                               FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return E_FAIL;   // nothing to write to or close

    // Write the given contents to the file. A BSTR is UTF-16; it is written as-is,
    // so SysStringByteLen gives the byte count (0 for a NULL BSTR).
    DWORD cbToWrite = SysStringByteLen(content);
    DWORD cbWritten = 0;
    if (!WriteFile(hFile, content, cbToWrite, &cbWritten, NULL) || cbWritten != cbToWrite)
        hr = E_FAIL;

    // Close the file.
    CloseHandle(hFile);

    return hr;
}

This component might be invoked from an HTML page that looks like this:

<html>
<head>
    <title>ProtectedMode sample</title>
</head>
<body>
    <object id="FileManager" classid="CLSID:10A7EA03-0A10-41B1-8EE2-01E67C51871F" 
        width="0" height="0">
    </object>
    <script language="javascript" type="text/javascript">
        function CreateTextFile(filepath, content)
        {
            FileManager.CreateTextFile(filepath, content);
        }
        
    </script>
    <div>
        <form id="CreateTextFile" action="">
            File Path:
            <input type="text" size="40" name="FilePath" value="c:\Test.txt" />
            Content: 
            <input type="text" size="25" name="Content" value="content" />
            <input type="button" value="Create Text File" 
                onclick="CreateTextFile(document.all['FilePath'].value, 
                document.all['Content'].value);" />
        </form>
    </div>
</body>
</html>

This page contains two text boxes and a button. The page allows the user to enter a path and content string. The button, when clicked, invokes the CreateTextFile method on the FileManager component.

If you launch this webpage in a browser with Protected Mode on and you try to write to a directory that you don't have access to, then the event is logged.

For example, let's say you're logged in as JohnSmith (a non-privileged user) and you launch the webpage above. Let's also assume that Protected Mode is on. Now use the webpage to create the following file:

C:\Users\JohnSmith\Documents\test.txt

In this case, the file is created successfully (albeit in a virtualized directory, since Protected Mode is on), and the Protected Mode event does not fire.

However, let's say you tried creating the following file:

C:\Test.txt

Normal users aren't allowed to write to C:\. In this case, the attempt to create the file fails (access denied), and the Protected Mode event is logged to the Internet Explorer Compatibility Test Tool.

Remediation

A user can configure Protected Mode by using the Internet Options dialog box in Internet Explorer.

To configure Protected Mode using the Internet Options dialog box:

  1. From the Internet Options dialog box, click the Security tab.
  2. Select a Web content zone, and then select or clear the Enable Protected Mode check box.
  3. Verify that Internet Explorer is running with Protected Mode on or off, by looking for Protected Mode: On/Off next to the Web content zone displayed in the Internet Explorer status bar.

You can also disable Protected Mode by running Internet Explorer elevated with administrator privileges. To do this, right-click the Windows Internet Explorer icon or shortcut, then select Run as Administrator from the context menu. Click Allow in the User Account Control dialog box. You will then see Protected Mode: Off in the status bar.

An administrator can configure Protected Mode by using Group Policy and the URLACTION_LOWRIGHTS (0x00002500) URL action flag in the registry. For more information, see URL Security Zones Overviews.

Debugging Using the Internet Explorer Compatibility Test Tool

You can use the Internet Explorer Compatibility Test Tool to debug Protected Mode issues. When Internet Explorer or its extensions attempt to write to securable objects in Protected Mode, the tool generates an entry in its log file describing the operation and its result. The following list explains the possible values in the log entries:

  • ModuleName: Name of the file that started the process attempting to access securable objects.
  • VirtualizationAction: Result of the write operation, one of the following values:
    • InterceptedWrite: Indicates that the Compatibility Layer intercepted the operation.
    • WriteIgnored: Indicates that Protected Mode ignored the operation because the attempting process is an elevated broker.
    • CreateVirtualCopy: Indicates that the Compatibility Layer made a copy of the object in a virtual location.
    • CreateNew: Indicates that the Compatibility Layer created a new object in a virtual location.
  • ObjectType: Specifies whether the object is a File or Registry setting.
  • APIName: Specifies the function attempting the operation, for example CreateFile or RegOpenKey.
  • ReqObjectPath: Location of the object the operation attempted to modify. This is blank for objects that do not have paths.
  • NewObjectPath: Specifies the object modified by the operation if the write operation succeeds.
  • APIResult: Specifies the result returned by the API function attempting the write operation.
  • LastError: The last error received by the API function.
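The following triage script is an added example, not part of the original article or the Compatibility Test Tool. It parses records built from the log fields listed above and sorts them into the outcomes described in the Example section (denied, virtualized, ignored), then checks the requested path against the Low integrity locations from the integrity-level table. The one-pair-per-line record layout, the iexplore.exe module name and the virtualized NewObjectPath are assumptions; only the field names, the two target paths and the Low locations come from the article.

```python
import re
ERROR_ACCESS_DENIED = 5  # Win32 code reported in LastError for "access denied"
# Locations a Low integrity process may write to, from the article's table.
LOW_INTEGRITY_LOCATIONS = (
    "\\temporary internet files\\low\\",
    "hkey_current_user\\software\\lowregistry",
)
# Constructed sample log (assumed layout: Field=Value lines, blank line between
# records) for the article's two attempts; the NewObjectPath is an assumed value.
SAMPLE_LOG = """\
ModuleName=iexplore.exe
VirtualizationAction=InterceptedWrite
ObjectType=File
APIName=CreateFile
ReqObjectPath=C:\\Test.txt
APIResult=INVALID_HANDLE_VALUE
LastError=5

ModuleName=iexplore.exe
VirtualizationAction=CreateNew
ObjectType=File
APIName=CreateFile
ReqObjectPath=C:\\Users\\JohnSmith\\Documents\\test.txt
NewObjectPath=C:\\Users\\JohnSmith\\AppData\\LocalLow\\Virtualized\\test.txt
APIResult=0x2a8
LastError=0
"""
def parse_records(text):
    """Split the log into one dict per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split("=", 1) for line in chunk.splitlines() if "=" in line)
        records.append({k.strip(): v.strip() for k, v in pairs})
    return records

def is_low_integrity_location(path):
    """True if a Low integrity process may write here without being redirected."""
    return any(loc in path.lower() for loc in LOW_INTEGRITY_LOCATIONS)

def classify(rec):
    """Map VirtualizationAction/LastError to the outcomes the article describes."""
    action = rec.get("VirtualizationAction", "")
    if action == "WriteIgnored":
        return "ignored"      # elevated broker, Protected Mode does not apply
    if action in ("CreateVirtualCopy", "CreateNew") and rec.get("NewObjectPath"):
        return "virtualized"  # redirected to a virtual location, original untouched
    if action == "InterceptedWrite" and int(rec.get("LastError") or 0) == ERROR_ACCESS_DENIED:
        return "denied"       # the case that produces this event
    return "other"
```

A denied record whose ReqObjectPath is not a Low integrity location is the extension-side fix the article points at: write to the Low folder or LowRegistry key instead.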

Related topics

  • Internet Explorer Application Compatibility
  • Events 1030 through 1037