Microsoft KB Archive/918239

= How to write custom .adm and .admx administrative template files to provide an elevation policy for protected mode in Internet Explorer 7.0 =

Article ID: 918239

Article Last Modified on 10/27/2007

-

APPLIES TO


 * Windows Internet Explorer 7

-



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
''In Windows Vista, securable objects automatically inherit the integrity level of the process that created them. Therefore, files or registry keys have a low integrity when they are created in protected mode. This means that a low integrity process can obtain write permission to the objects it creates. However, a low integrity process cannot gain write permission to medium or to high integrity folders or files in the user's profile.

By default, when Microsoft Internet Explorer 7.0 runs in protected mode, the extensions cannot access medium integrity or high integrity objects. This provides the best protection against malicious software attacks. When an extension requires access to higher integrity objects, the default Internet Explorer 7.0 behavior is to prompt the user for elevation through a dialog box. If the user confirms the elevation, this creates a broker process with a higher integrity level. This broker process accesses the higher integrity object on behalf on Internet Explorer 7.0.

You can use the registry to override this default behavior so that the user is not prompted for elevation through a dialog box. This article describes how administrators can use .adm or .admx files to add the policy, &quot;Enable customizing the elevation policy for Protected Mode,&quot; to enforce their desired elevation policy behavior for different applications.''



Elevation policy registry organization
You can create a broker GUID with the following values and change the default elevation policy:
 * AppName: A REG_SZ value for the executable file name.
 * AppPath: A REG_SZ value for the user-selected install location of the executable file.
 * CLSID: If your extension starts a COM server, add a REG_SZ value that contains the CLSID of your extension.
 * Policy: A DWORD value that indicates how protected mode should start the broker. The following table describes the supported values and their meanings.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

You will have to add the GUIDs as follows:  Add this GUID under the following registry subkey:

 Create a similar registry entry under one of the following registry subkeys:



Create the custom .adm file

To create the custom .adm file to include this policy, follow these steps:  Define a list of the applications for which you want to configure the elevation policy. Decide which elevation policy that you want for each of them. Use values 0–3 from the table that was described earlier in this article.  Open a text editor such as Notepad and copy the following template into the Notepad file.

Note The values represented by , , , and <POLICY1> in this code and other code examples in this article, are placeholders for the application name, its path, the CLSID, and policy that has to be applied.

CLASS USER CATEGORY !!WindowsComponents CATEGORY !!InternetExplorer POLICY !!ConfigureElevationPolicy #if version >= 4 SUPPORTED !!SUPPORTED_IE7 #endif KEYNAME &quot;Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy&quot; ACTIONLISTON KEYNAME &quot;Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>&quot; VALUENAME AppName      VALUE &quot;<APPNAME1>&quot; VALUENAME AppPath      VALUE &quot;<APPPATH1>&quot; VALUENAME CLSID        VALUE &quot;<CLSID1>&quot; VALUENAME Policy       VALUE NUMERIC &quot;<POLICY1>&quot; END ACTIONLISTON END POLICY END CATEGORY END CATEGORY

CLASS MACHINE CATEGORY !!WindowsComponents CATEGORY !!InternetExplorer <POLICY ... END POLICY will be exactly same as that under class user> END CATEGORY END CATEGORY

[strings] SUPPORTED_IE7=&quot;At least Internet Explorer 7.0&quot; WindowsComponents=&quot;Windows Components&quot; InternetExplorer=&quot;Internet Explorer&quot; ConfigureElevationPolicy=&quot;Enable customizing the elevation policy for Protected Mode&quot;

Create the .admx and .adml files

To create the .admx and .adml files, use the following template instead of creating custom .adm template files. To populate this template with real values for. adm files, you can also follow step 3. Repeat the block of code between <enabledList> and </enabledList> for other applications.

Create the ElevationPolicy.admx file

<?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?> <policyDefinitions xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; revision=&quot;1.0&quot; schemaVersion=&quot;1.0&quot; xmlns=&quot;http://www.microsoft.com/GroupPolicy/PolicyDefinitions&quot;> <policyNamespaces> <target prefix=&quot;ElevationPolicy&quot; namespace=&quot;Microsoft.Policies.ElevationPolicy&quot; /> <using prefix=&quot;inetres&quot; namespace=&quot;Microsoft.Policies.InternetExplorer&quot; /> </policyNamespaces> <resources minRequiredRevision=&quot;1.0&quot; /> <policy name=&quot;ConfigureElevationPolicy_1&quot; class=&quot;User&quot; displayName=&quot;$(string.ConfigureElevationPolicy)&quot; key=&quot;Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy&quot;> <parentCategory ref=&quot;inetres:InternetExplorer&quot; /> <supportedOn ref=&quot;inetres:SUPPORTED_IE7Vista&quot;/> <enabledList> <item key=&quot;Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>&quot; valueName=&quot;AppName&quot;> <APPNAME1> <item key=&quot;Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>&quot; valueName=&quot;AppPath&quot;> <APPPATH1> <item key=&quot;Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>&quot; valueName=&quot;CLSID&quot;> <CLSID1> <item key=&quot;Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID1>&quot; valueName=&quot;Policy&quot;> <decimal value=&quot;<POLICY1>&quot; /> </enabledList> <policy name=&quot;ConfigureElevationPolicy_2&quot; class=&quot;Machine&quot; displayName=&quot;$(string.ConfigureElevationPolicy)&quot; key=&quot;Software\Policies\Microsoft\Internet Explorer\Low Rights\ElevationPolicy&quot;> <parentCategory ref=&quot;inetres:InternetExplorer&quot; /> <supportedOn ref=&quot;inetres:SUPPORTED_IE7Vista&quot;/> <enabledList> <same as user policy above> </enabledList> </policyDefinitions>

Create the ElevationPolicy.adml file

<?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?> <policyDefinitionResources xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; revision=&quot;1.0&quot; schemaVersion=&quot;1.0&quot; xmlns=&quot;http://www.microsoft.com/GroupPolicy/PolicyDefinitions&quot;> <displayName>enter display name here</displayName> enter description here <stringTable> <string id=&quot;ConfigureElevationPolicy&quot;>Enable customizing the elevation policy for Protected Mode </stringTable> </policyDefinitionResources>

Note You should put the .admx file under \policydefinitions and the .adml file under  \policydefinitions\. Run gpedit.msc to verify the results. </li> Populate the policy template with the appropriate values. To do this, follow these steps. <ol style="list-style-type: lower-alpha;"> Generate a new GUID and replace  in the code example with the new GUID.</li> For the first application that you selected, write the executable name instead of  and the path of the executable at. If your extension starts a COM server, add the CLSID of your extension at. Write the elevation policy number 0-3 for the application at .</li> Replicate the block of code between <enabledList> and </enabledList> for all the other applications that you selected, and then repeat steps 3a and step 3b to populate those blocks.</li> Copy the policy that was created in step 3 under the CLASS MACHINE entry in the code.</li></ol> </li> Save the file as an .adm file. For example, save it as ElevationPolicy.adm .</li> To verify the results, do the following: <ol style="list-style-type: lower-alpha;"> Open Group Policy Object Editor.</li> Locate Computer Configuration, and then expand Administrative Templates.</li> Right-click Administrative Templates, and then click Add/Remove Templates. In the dialog box, click Add to add the ElevationPolicy.adm file that you created in step 4.

Note The .admx files or .adml files must be put under \policydefinitons\. They cannot be added later by right-clicking on Group Policy Object Editor.</li> Locate Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Internet Explorer.</li> In the right panel, search for the new policy &quot;Enable customizing the elevation policy for Protected Mode&quot; and enable this policy.</li> Examine the registry to verify that the desired registry entry is populated under the following subkey:

.</li> Repeat step 5c for the User Configuration. Examine the registry to verify that the desired registry entry is populated under the following subkey:

</li></ol> </li></ol>

Note Steps 3d, 4, and 5b are only for .adm files.

<div class="references_section">