Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to write custom .adm and .admx administrative template files to provide an elevation policy for protected mode in Internet Explorer 7.0


View products that this article applies to.

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/ ) Description of the Microsoft Windows registry

↑ Back to the top


Summary

In Windows Vista, securable objects automatically inherit the integrity level of the process that created them. Therefore, files or registry keys have a low integrity when they are created in protected mode. This means that a low integrity process can obtain write permission to the objects it creates. However, a low integrity process cannot gain write permission to medium or to high integrity folders or files in the user's profile.

By default, when Microsoft Internet Explorer 7.0 runs in protected mode, the extensions cannot access medium integrity or high integrity objects. This provides the best protection against malicious software attacks. When an extension requires access to higher integrity objects, the default Internet Explorer 7.0 behavior is to prompt the user for elevation through a dialog box. If the user confirms the elevation, this creates a broker process with a higher integrity level. This broker process accesses the higher integrity object on behalf on Internet Explorer 7.0.

You can use the registry to override this default behavior so that the user is not prompted for elevation through a dialog box. This article describes how administrators can use .adm or .admx files to add the policy, "Enable customizing the elevation policy for Protected Mode," to enforce their desired elevation policy behavior for different applications.

↑ Back to the top


Introduction

Elevation policy registry organization


You can create a broker GUID with the following values and change the default elevation policy:
  • AppName: A REG_SZ value for the executable file name.
  • AppPath: A REG_SZ value for the user-selected install location of the executable file.
  • CLSID: If your extension starts a COM server, add a REG_SZ value that contains the CLSID of your extension.
  • Policy: A DWORD value that indicates how protected mode should start the broker. The following table describes the supported values and their meanings.
Collapse this tableExpand this table
ValueResult
3Protected mode silently starts the broker as a medium integrity process.
2Protected mode prompts the user for permission to start the process. If permission is granted, the process is started as a medium integrity process.
1Protected mode silently starts the broker as a low integrity process.
0Protected mode prevents the process from starting.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

You will have to add the GUIDs as follows:
  • Add this GUID under the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Internet Explorer \Low Rights\ElevationPolicy
  • Create a similar registry entry under one of the following registry subkeys:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\InternetExplorer\Low Rights\ElevationPolicy
    HKEY_CURRENT_USER\Software\Policies\Microsoft\InternetExplorer\Low Rights\ElevationPolicy
Create the custom .adm file

To create the custom .adm file to include this policy, follow these steps:
  1. Define a list of the applications for which you want to configure the elevation policy. Decide which elevation policy that you want for each of them. Use values 0�3 from the table that was described earlier in this article.
  2. Open a text editor such as Notepad and copy the following template into the Notepad file.

    Note The values represented by <APPNAME1>, <APPPATH1>, <CLSID1>, and <POLICY1> in this code and other code examples in this article, are placeholders for the application name, its path, the CLSID, and policy that has to be applied.
    CLASS USER
    CATEGORY !!WindowsComponents
    	CATEGORY !!InternetExplorer
    		POLICY !!ConfigureElevationPolicy
    			#if version >= 4
    			SUPPORTED !!SUPPORTED_IE7
    			#endif
    			KEYNAME "Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"
    			ACTIONLISTON
    				KEYNAME "Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>"
    				VALUENAME AppName       VALUE "<APPNAME1>"	                      
    				VALUENAME AppPath       VALUE "<APPPATH1>"                                                                                     
    				VALUENAME CLSID         VALUE "<CLSID1>"
    				VALUENAME Policy        VALUE NUMERIC "<POLICY1>"
    			END ACTIONLISTON
    		END POLICY
    	END CATEGORY
    END CATEGORY
    
    CLASS MACHINE
    CATEGORY !!WindowsComponents
    	CATEGORY !!InternetExplorer
    		<POLICY ... END POLICY will be exactly same as that under class user>
       	END CATEGORY
    END CATEGORY
    
    
    [strings]
    SUPPORTED_IE7="At least Internet Explorer 7.0"
    WindowsComponents="Windows Components"
    InternetExplorer="Internet Explorer"
    ConfigureElevationPolicy="Enable customizing the elevation policy for Protected Mode"

    Create the .admx and .adml files

    To create the .admx and .adml files, use the following template instead of creating custom .adm template files. To populate this template with real values for . adm files, you can also follow step 3. Repeat the block of code between <enabledList> and </enabledList> for other applications.

    Create the ElevationPolicy.admx file
    <?xml version="1.0" encoding="utf-8"?>
    <policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
      <policyNamespaces>
        <target prefix="ElevationPolicy" namespace="Microsoft.Policies.ElevationPolicy" />
        <using prefix="inetres" namespace="Microsoft.Policies.InternetExplorer" />
      </policyNamespaces>
      <resources minRequiredRevision="1.0" />
      <policies>
          <policy name="ConfigureElevationPolicy_1" class="User" displayName="$(string.ConfigureElevationPolicy)" key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy">
          	  <parentCategory ref="inetres:InternetExplorer" />
          	  <supportedOn ref="inetres:SUPPORTED_IE7Vista"/>
              <enabledList>
                 <item key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>" valueName="AppName">
                   <value>
                     <string><APPNAME1></string>
                   </value>
                 </item>
                 <item key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>" valueName="AppPath">
                   <value>
                      <string><APPPATH1></string>
                   </value>	
                 </item>	
                 <item key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>" valueName="CLSID">
                   <value>
                     <string><CLSID1></string>
                   </value>
                 </item>
                 <item key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>" valueName="Policy">
                   <value>
                     <decimal value="<POLICY1>" />
                   </value>
                 </item>
               </enabledList>
          </policy>
          <policy name="ConfigureElevationPolicy_2" class="Machine" displayName="$(string.ConfigureElevationPolicy)" key="Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy">
              <parentCategory ref="inetres:InternetExplorer" />
              <supportedOn ref="inetres:SUPPORTED_IE7Vista"/>
              <enabledList> <same as user policy above> </enabledList> 
          </policy> 
      </policies>
    </policyDefinitions>

    Create the ElevationPolicy.adml file

    <?xml version="1.0" encoding="utf-8"?>
    <policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
      <displayName>enter display name here</displayName>
      <description>enter description here</description>
      <resources>
        <stringTable>
          <string id="ConfigureElevationPolicy">Enable customizing the elevation policy for Protected Mode</string>
        </stringTable>
      </resources>
    </policyDefinitionResources>

    Note You should put the .admx file under <%windir%>\policydefinitions and the .adml file under <%windir%>\policydefinitions\<%lang-dir%>. Run gpedit.msc to verify the results.
  3. Populate the policy template with the appropriate values. To do this, follow these steps.
    1. Generate a new GUID and replace <GUID1> in the code example with the new GUID.
    2. For the first application that you selected, write the executable name instead of <APPNAME1> and the path of the executable at <APPPATH1>. If your extension starts a COM server, add the CLSID of your extension at <CLSID>. Write the elevation policy number 0-3 for the application at <POLICY1>.
    3. Replicate the block of code between <enabledList> and </enabledList> for all the other applications that you selected, and then repeat steps 3a and step 3b to populate those blocks.
    4. Copy the policy that was created in step 3 under the CLASS MACHINE entry in the code.
  4. Save the file as an .adm file. For example, save it as ElevationPolicy.adm.
  5. To verify the results, do the following:
    1. Open Group Policy Object Editor.
    2. Locate Computer Configuration, and then expand Administrative Templates.
    3. Right-click Administrative Templates, and then click Add/Remove Templates. In the dialog box, click Add to add the ElevationPolicy.adm file that you created in step 4.
      Note The .admx files or .adml files must be put under <%windir%>\policydefinitons\. They cannot be added later by right-clicking on Group Policy Object Editor.
    4. Locate Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Internet Explorer.
    5. In the right panel, search for the new policy "Enable customizing the elevation policy for Protected Mode" and enable this policy.
    6. Examine the registry to verify that the desired registry entry is populated under the following subkey:
      HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
      .
    7. Repeat step 5c for the User Configuration. Examine the registry to verify that the desired registry entry is populated under the following subkey:
      HKEY_CURRENT_USER\Software\policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
Note Steps 3d, 4, and 5b are only for .adm files.

↑ Back to the top


Keywords: KB918239, kbinfo, kbhowto

↑ Back to the top

Article Info
Article ID : 918239
Revision : 8
Created on : 10/27/2007
Published on : 10/27/2007
Exists online : False
Views : 506