I’ve been spending a lot of time “getting to know” Internet Explorer lately, and one topic that I wanted to understand a bit more deeply is precisely how file and registry virtualization in protected mode works. If you look at the outcome of virtualization events, here is what you see:

                      Protected Mode On          Protected Mode Off
  Per-User Area       IE Virtualization Store    Per-User Area (no virt)
  Per-Machine Area    Access Denied              UAC Virtual Store

Here is what was interesting to me: with Protected Mode turned on, you never see the UAC virtual store. You either see the IE virtual store (which is separate, and redirects to an area marked for Low IL) or you see Access Denied. However, when you see Access Denied, is that because virtualization isn’t turned on for the process, or is that because it is turned on, it is trying to redirect, but it is denied access to the virtual store, because the virtual store is left with the default marking of Medium Integrity?

I wrote an ActiveX control, hosted in IE8, that attempts to write to HKLM. Here’s what happens.

I used Sysinternals Process Monitor to watch. First, I saw the process properties. It suggested that the process is running in Low IL, and that it has virtualization enabled. However, it’s possible (though not likely) that Mark got something wrong here, so let’s look at the behavior.

5:49:43.1526541 PM    IEXPLORE.EXE    5212    RegOpenKey    HKLM\SOFTWARE\Wow6432Node    SUCCESS    Desired Access: Read, Maximum Allowed
5:49:43.1526895 PM    IEXPLORE.EXE    5212    RegCloseKey    HKLM\SOFTWARE\Wow6432Node    SUCCESS   
5:49:43.1527112 PM    IEXPLORE.EXE    5212    RegCreateKey    HKLM\SOFTWARE\Wow6432Node    REPARSE    Desired Access: Maximum Allowed
5:49:43.1527539 PM    IEXPLORE.EXE    5212    RegOpenKey    HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node    SUCCESS    Desired Access: Read, Maximum Allowed
5:49:43.1528028 PM    IEXPLORE.EXE    5212    RegCloseKey    HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node    SUCCESS   
5:49:43.1528262 PM    IEXPLORE.EXE    5212    RegCreateKey    HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node    SUCCESS    Desired Access: Maximum Allowed, Granted Access: Read, Create Link
5:49:43.1528590 PM    IEXPLORE.EXE    5212    RegCloseKey    HKLM\SOFTWARE    SUCCESS   
5:49:43.1528927 PM    IEXPLORE.EXE    5212    RegQueryKeySecurity    HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node    SUCCESS   
5:49:43.1529239 PM    IEXPLORE.EXE    5212    RegOpenKey    HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Contoso    NAME NOT FOUND    Desired Access: Read, Maximum Allowed
5:49:43.1529490 PM    IEXPLORE.EXE    5212    RegCreateKey    HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Contoso    ACCESS DENIED    Desired Access: Maximum Allowed

And here we are – the reparse, right through the ACCESS DENIED. Looks like IE in protected mode does have UAC virtualization enabled. When you try to write to a protected location, it doesn’t fail because UAC virtualization is gone, it actually tries virt, but then fails because the virtualization location is a Medium IL location.

Not that this probably changes your life in any meaningful way, but it resolves a bit of an internal discussion we’ve been having where it was suggested that Low IL processes don’t get UAC virt. They do – it just doesn’t help them any! :-)
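If you want to confirm the two halves of that conclusion without reading a Process Monitor trace, the PowerShell below does it programmatically. It is an added example, not code from the original post: it reads a process token's integrity level and TokenVirtualizationEnabled flag (so you can see that the Low IL tab process really does have virtualization on), and it reads the mandatory label on the registry keys that matter here, so you can see that HKCU\Software\Classes\VirtualStore carries no Low label (an unlabeled object is treated as Medium IL) while IE's own Low IL store does. The function names and the P/Invoke wrapper class are mine; the key paths for the UAC store come from the trace above, and the InternetRegistry path is the key IE uses for its Protected Mode registry store.

```powershell
# Added example (not from the original post): query a process token for its integrity
# level and UAC virtualization flag, then read the mandatory label on registry keys.
if (-not ('TokenNative' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint GetNamedSecurityInfo(string name, int objType, uint secInfo,
        IntPtr owner, IntPtr group, IntPtr dacl, IntPtr sacl, out IntPtr sd);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool ConvertSecurityDescriptorToStringSecurityDescriptor(
        IntPtr sd, uint revision, uint secInfo, out IntPtr sddl, out int len);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr h);
}
'@
}

function Get-ProcessIntegrityInfo {
    param([Parameter(Mandatory=$true)][int]$ProcessId)
    $M = [Runtime.InteropServices.Marshal]
    $hProc = [TokenNative]::OpenProcess(0x1000, $false, $ProcessId)   # PROCESS_QUERY_LIMITED_INFORMATION
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, error $($M::GetLastWin32Error())" }
    $hTok = [IntPtr]::Zero
    try {
        if (-not [TokenNative]::OpenProcessToken($hProc, 0x8, [ref]$hTok)) { throw "OpenProcessToken failed" }  # TOKEN_QUERY
        # TokenIntegrityLevel (25) returns a TOKEN_MANDATORY_LABEL; the level RID is the SID's last sub-authority.
        $needed = 0
        [void][TokenNative]::GetTokenInformation($hTok, 25, [IntPtr]::Zero, 0, [ref]$needed)
        $buf = $M::AllocHGlobal($needed)
        try {
            if (-not [TokenNative]::GetTokenInformation($hTok, 25, $buf, $needed, [ref]$needed)) { throw "GetTokenInformation(IntegrityLevel) failed" }
            $sid   = $M::ReadIntPtr($buf)
            $count = $M::ReadByte([TokenNative]::GetSidSubAuthorityCount($sid))
            $rid   = $M::ReadInt32([TokenNative]::GetSidSubAuthority($sid, [uint32]($count - 1)))
            # TokenVirtualizationEnabled (24) is a single DWORD; the buffer above is large enough to reuse.
            if (-not [TokenNative]::GetTokenInformation($hTok, 24, $buf, 4, [ref]$needed)) { throw "GetTokenInformation(VirtualizationEnabled) failed" }
            $virt = ($M::ReadInt32($buf) -ne 0)
        } finally { $M::FreeHGlobal($buf) }
    } finally {
        if ($hTok -ne [IntPtr]::Zero) { [void][TokenNative]::CloseHandle($hTok) }
        [void][TokenNative]::CloseHandle($hProc)
    }
    $name = switch ($rid) { 0x0000 {'Untrusted'} 0x1000 {'Low'} 0x2000 {'Medium'} 0x3000 {'High'} 0x4000 {'System'} default { '0x{0:X}' -f $rid } }
    New-Object PSObject -Property @{ ProcessId = $ProcessId; IntegrityLevel = $name; IntegrityRid = $rid; VirtualizationEnabled = $virt }
}

function Get-RegistryMandatoryLabel {
    # $KeyPath uses the GetNamedSecurityInfo form, e.g. 'CURRENT_USER\Software\Classes\VirtualStore'.
    param([Parameter(Mandatory=$true)][string]$KeyPath)
    $M = [Runtime.InteropServices.Marshal]
    $sd = [IntPtr]::Zero
    # SE_REGISTRY_KEY = 3, LABEL_SECURITY_INFORMATION = 0x10 (reading the label needs only READ_CONTROL, not SeSecurityPrivilege)
    $rc = [TokenNative]::GetNamedSecurityInfo($KeyPath, 3, 0x10, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$sd)
    if ($rc -ne 0) { throw "GetNamedSecurityInfo($KeyPath) failed, error $rc (2 means the key has not been created yet)" }
    try {
        $str = [IntPtr]::Zero; $n = 0
        if (-not [TokenNative]::ConvertSecurityDescriptorToStringSecurityDescriptor($sd, 1, 0x10, [ref]$str, [ref]$n)) { throw "SDDL conversion failed" }
        try { $sddl = $M::PtrToStringUni($str) } finally { [void][TokenNative]::LocalFree($str) }
    } finally { [void][TokenNative]::LocalFree($sd) }
    # An empty label SACL means no explicit label: the object is treated as Medium IL with no-write-up,
    # which is exactly why a Low IL write redirected into the UAC VirtualStore comes back ACCESS DENIED.
    $level = switch -Regex ([string]$sddl) { ';;;LW\)' {'Low'} ';;;ME\)' {'Medium'} ';;;HI\)' {'High'} ';;;SI\)' {'System'} default {'Medium (no explicit label)'} }
    New-Object PSObject -Property @{ Key = $KeyPath; Sddl = $sddl; EffectiveLevel = $level }
}

# Usage: IE's frame process runs at Medium IL and its Protected Mode tab processes at Low;
# both report VirtualizationEnabled, only the label on the target key differs.
Get-Process iexplore -ErrorAction SilentlyContinue | ForEach-Object { Get-ProcessIntegrityInfo -ProcessId $_.Id }
'CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE',
'CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry' | ForEach-Object { Get-RegistryMandatoryLabel -KeyPath $_ }
```

Run it from a normal (Medium IL) prompt while IE is open; a Medium IL process can read a Low IL process's token, so no elevation is needed. If the UAC VirtualStore key is reported as missing, that is itself informative: UAC virtualization only creates it on the first redirected write, and the ACCESS DENIED in the trace above is the Low IL process failing to create the Contoso subkey beneath it.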