IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Braindump: ActiveX in Windows 8


Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve been in my “Important things to write about” queue for ~5 years. Alas, these topics are so broad and intricate that a proper treatment would take far more time than I have available at the moment.

There are a few notable changes in Win8/Internet Explorer 10’s behavior when it comes to ActiveX controls.

1. The non-Desktop mode of the browser (let’s call it IEPKaM for lack of a better name) only permits instantiation of controls that are considered to be a part of the web platform. The list of permitted objects is hardcoded into Internet Explorer and consists of:

MSXML DOMDocument {F6D90F11-9C73-11D3-B32E-00C04F990BB4}
MSXML FreeThreadedDOMDocument {F6D90F12-9C73-11D3-B32E-00C04F990BB4}
MSXML XMLSchemaCache {373984C9-B845-449B-91E7-45AC83036ADE}
MSXML XSLTemplate {2933BF94-7B36-11D2-B20E-00C04F983E60}
MSXML XMLHTTP {F6D90F16-9C73-11D3-B32E-00C04F990BB4}
MSXML DOMDocument30 {F5078F32-C551-11D3-89B9-0000F81FE221}
MSXML FreeThreadedDOMDocument30 {F5078F33-C551-11D3-89B9-0000F81FE221}
MSXML XMLSchemaCache30 {F5078F34-C551-11D3-89B9-0000F81FE221}
MSXML XSLTemplate30 {F5078F36-C551-11D3-89B9-0000F81FE221}
MSXML XMLHTTP30 {F5078F35-C551-11D3-89B9-0000F81FE221}
MSXML DOMDocument60 {88D96A05-F192-11D4-A65F-0040963251E5}
MSXML FreeThreadedDOMDocument60 {88D96A06-f192-11D4-A65F-0040963251E5}
MSXML XMLSchemaCache60 {88D96A07-f192-11D4-A65F-0040963251E5}
MSXML XSLTemplate60 {88D96A08-f192-11D4-A65F-0040963251E5}
MSXML XMLHTTP60 {88D96A0A-f192-11D4-A65F-0040963251E5}
XMLHTTPRequest {ED8C108E-4349-11D2-91A4-00C04F7969E8}
DOMDocument {2933BF90-7B36-11D2-B20E-00C04F983E60}
Scripting.Dictionary {EE09B103-97E0-11CF-978F-00A02463E06F}
HtmlComponent {3050f4f8-98b5-11cf-BB82-00AA00BDCE0B}
Scriptlet {AE24FDAE-03C6-11D1-8B76-0080C744F389}
IE XMLDocument Not registered – used when hosting XML
IE SVGDocument Not registered – used when hosting SVG
IE XHTMLDocument Not registered – used when hosting XHTML
Adobe Flash {D27CDB6E-AE6D-11cf-96B8-444553540000}

IEPKaM blocks other forms of extensibility outright: toolbars, BHOs, Pluggable Protocols, MIME Filters, and Namespace handlers will not load in IEPKaM.

2. IEPKaM only permits use of Adobe Flash on sites that are listed in the IE Compatibility List or DebugDomain registry key.

3. When enabled, IE’s ActiveX Filter permits use of the controls listed above, except Adobe Flash, which is still filtered. This enhancement makes ActiveX Filtering far more palatable, as it doesn’t block use of legacy objects like the ActiveX version of the XMLHTTPRequest control.

4. Windows RT devices like the Microsoft Surface cannot download or install ActiveX controls.

  1. Windows RT’s ActiveX restrictions are additionally backed by the OS loader, which will refuse to run code that hasn’t been signed with a particular code-signing certificate.
  2. Installed controls that are a part of Windows RT are permitted to run in the Desktop experience.
  3. In the IEPKaM experience, the list above is still consulted before a control is permitted to load.

5. When the Enhanced Protected Mode feature is enabled, controls will not load unless they have been compiled for 64bit (when run on 64bit Windows). When running on Windows 8, there is the additional requirement that the controls are listed in the CATID_AppContainerCompatible component category, indicating that they have been tested to work properly within AppContainers.

For instance, the controls must not expect to perform a non-brokered read of the local disk or registry; instead, such operations must be conducted on the control’s behalf by a registered broker object running at Medium Integrity. In some cases (like writing to a file), the IE Protected Mode APIs will suffice, but IE10 does not include any new Read brokers, so if your control hopes to read an arbitrary file from disk, you’ll need to write your own broker.

6. IE10 enables Enhanced Memory Protections like ForceASLR, which opts all loaded modules into address space randomization, regardless of whether the /DynamicBase flag was set. You should continue to set this flag directly, but be aware that your control cannot take dependencies on fixed module load addresses even if you fail to do so.
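
A header check that a control author or auditor could run on a control's binary for items 5 and 6, added here as an example and not part of the original post: it reports whether the image is 64-bit, whether the /DynamicBase bit is set, and whether relocation data is present. The function names and the constructed header-only sample image are this example's assumptions; the constants and offsets are the standard PE format values.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the linker's /DYNAMICBASE
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x014C, 0x8664
PE32, PE32_PLUS = 0x10B, 0x20B  # optional-header magic values

def audit_pe(data):
    """Return the header facts relevant to EPM (64-bit) and ASLR opt-in."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, *_, file_chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional-header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (96 if magic == PE32 else 112)  # start of data directories
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    reloc_size = 0
    if num_dirs > 5:  # directory index 5 = base relocation table
        _, reloc_size = struct.unpack_from("<II", data, dirs + 5 * 8)
    return {
        "is_64bit": machine == IMAGE_FILE_MACHINE_AMD64,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "has_relocs": reloc_size > 0 and not file_chars & IMAGE_FILE_RELOCS_STRIPPED,
    }

def sample_image(machine, magic, file_chars, dll_chars, reloc_size):
    """Constructed header-only image for the demo; not a loadable file."""
    dirs = 96 if magic == PE32 else 112
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs - 4, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 5 * 8, 0x5000 if reloc_size else 0, reloc_size)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), file_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    old = sample_image(IMAGE_FILE_MACHINE_I386, PE32, IMAGE_FILE_RELOCS_STRIPPED, 0, 0)
    print(audit_pe(old))
```

To audit a real control, pass the bytes of its DLL or OCX file read in binary mode. An image reporting `dynamic_base` as false has not opted in on its own, and one reporting `has_relocs` as false carries no relocation data with which it could be rebased.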

-Eric

  • LOL what is full form of IEPKaM? When is EPM-compatible Silverlight coming?

  • IE Previously Known as M[redacted].

    I have no reason to believe that an AppContainer-compatible version of Silverlight will ever become available, but the existing 64bit version should work in IE10 on Windows 7's EPM (since it's 64bit only, without AppContainer)

  • > Windows RT’s ActiveX restrictions are additionally backed by the OS loader, which will refuse to run code that hasn’t been signed with a particular code-signing certificate.

    Not an IE-related internals, but is this done through some code path even "classic" Windows editions have in them?

    >  IE10 enables Enhanced Memory Protections like ForceASLR, which opts all loaded modules into address space randomization, regardless of whether the /DynamicBase flag was set.

    But only if relocations are present, right? I.e., like the 0x100 value if you would use the registry key for controlling this function.

  • So, I use a webcam whose bundled software uses an ActiveX control to function. How do I ensure that this ActiveX control will function in WinRT? Going to the manufacturer to ask... is a non-starter.

  • I developed some ActiveX components that I use in my software ... everything worked fine in Windows 7 but now in Windows 8 it gives me errors when I invoke the ActiveX components in my programs ... any help?

    EricLaw: You haven't really provided any information here that would allow someone to help you. You'd probably be better off more completely describing the problem in a new post on StackOverflow.com.

  • Hello Eric - Win7 IE9 installed. Currently debugging a use case where the WinForm application process (that hosts the webbrowser control) will not shut down after the Application.Exit() (terminating message pumps and closing application windows) method has been executed and control returns from the Main() method. Only happens when using the Oracle WIP Edit ActiveX control. I can see the WinForm application process still running in task manager.

    Any information would be appreciated and useful. Thanks.

    [EricLaw] If you debug the "stuck" process, do you see any of the threads doing anything interesting? If you navigate to a blank page before exiting, is there any change? If you rename the process to IExplore.exe, is there any change? (The last step will cause all IE-targeted Feature Control Keys to be applied to your app, which may reveal a difference between your app and IE itself).

  • Eric - thank you for your prompt reply. No change in behavior when navigating to about:blank before exiting or renaming to IExplore.exe. Two threads exist right before returning control from the Main() method, the Main thread and a Worker Thread with no name. Can't see the call stack for the worker thread so I don't know what it is doing.
