Welcome to MSDN Blogs Sign in | Join | Help

News

  • Chris Jackson is a Principal Consultat at Microsoft and the Technical Lead for the Windows Application Experience SWAT Team. He is also known as The App Compat Guy.

    This is provided "AS IS" with no warranties, and confers no rights. Use of materials found on this page is subject to the terms specified in the Terms of Use

Windows Resource Protection (WRP) and ActiveX Control Installation on Windows Vista

I came across this problem today with a customer - Windows Resource Protection preventing ActiveX control installation on Windows Vista.

First, some background. Windows Resource Protection is the feature we put in place to help keep Windows in a known state. For example, if we make a change to user32.dll, we may also need to make a change to shell32.dll to accommodate this change, so the update will contain both files. If an application then comes along and writes an older version of shell32.dll, it may no longer work with the newer version of user32.dll. The operating system is no longer in a known and tested state.

Of course, a lot of applications try to drop them anyway, and for application compatibility reasons we don't want to just break them. So, we had conflicting goals. On XP, we would address this with System File Protection (SFP). Essentially, we would watch these files, and if you changed them, we would go ahead and let you do that, but then we'd come along a few seconds later and replace them with the original version. The application doesn't fail, but Windows still returns to a known and tested state. It seemed like a good solution at the time. However, there are a couple of issues with this.

First, since we are copying the original files back, people figured out that the files had to come from somewhere, and they figured out where that somewhere was. They would then copy a file to that somewhere first, then copy the Windows file in its location, and when we triggered that it was changed we would copy it over ... from the location you just put your stuff in! So you could get around it.

Second, the amount of time it would take to replace files might be too long. I had one game application that had 4 CDs for the install. About 1 CD worth of content was most every file from Windows. When they build the installer, apparently they weren't sure that Windows would be there. Fair enough, we would notice that the installer did that, and then copy the original files back, and no harm done. However, at uninstall, it removed all of these Windows files, because it thought it had dropped them. Then, before the few seconds had passed, it would prompt for a reboot. If you immediately say "yes", then it reboots - without those Windows files. Which makes it really hard to boot, because critical files are gone. I had to do a repair install of Windows. At 7pm. On a Sunday. With a flight the next morning. Not my best night.

Clearly, there was room for improvement. So, in Windows Vista, we just don't let you write to Windows operating system files at all. They are ACL'd to only allow the TrustedInstaller ACE to write to them, and this is handled by the TrustedInstaller service, which Windows Update calls into. But we knew that apps will still break, and compatibility is hugely important, so we took another compatibility approach: we just lie. With the WRPMitigation shim, you can try to write to a protected file, and we'll tell you that you did. We won't actually let you, but we'll let you think you did. It turns out that that's enough just about all of the time.

Now, you can apply that shim manually, or we'll apply it for you if we detect that you are a setup using the UAC setup-detection heuristics. We also apply the shim to regsvr32.exe.

Now that we have that out of the way, we were investigating an issue where an ActiveX control wouldn't install. We would navigate to a page, it would prompt for control installation, we would approve it, but then we'd just see the placeholder. It never installed. What was going on?

So, we opened the source view and searched for the object tag. We then pointed our browser to the cab file it was looking for, so it would download and we could save it to the desktop. We then extracted the CAB, and took a look. Here's the ini file that we found in the cab (file names elided to protect the guilty):

; Sample INF file for clientautomation.dll
[version]
; version signature (same for both NT and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
<the application's code>.dll=<the application's code>.dll
msscript.ocx=msscript.ocx

; needed DLL
[<the application's code>.dll]
file-win32-x86=thiscab
clsid={<the applicaton's GUID>}
FileVersion=1,0,0,14
RegisterServer=yes

[msscript.ocx]
file-win32-x86=thiscab
clsid={0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}
FileVersion=1,0,0,7615
DestDir=11
RegisterServer=yes

;end of INF file

The DestDir entry for msscript.ocx is interesting - it wants to drop the file in the system directory. We took a look to see if we could find it, and indeed msscript.ocx is already in the system32 directory, and it happens to be a WRP protected file. So it can't drop it! (What they were actually trying to drop was the Windows 2000 version of this file.) And, since IE doesn't have WRPMitigation applied, the installer never succeeded.

So, we just went ahead and created a new CAB file to test out. We removed msscript.ocx, and modified the ini file to remove the references to msscript, and gave it a go - the ActiveX control worked just fine, and functionality was restored.

Another compatibility bug closed.

Posted: Friday, April 20, 2007 4:16 PM by Chris Jackson
Filed under:

Comments

Good Point said:

I had a question about files protected by WRP.

In experimenting, if I modify the Administrator's ACE to allow for delete (for example) an Administrator still can't delete the file (fails with error 5, Access Denied).

But if I change ownership on the file to Administrator, then the delete will be allowed.  I have found the same to be true for directories that are protected from creating new files.

Is something else at work here?  (It seems for 'normal' files/directories modifying the DACL is enough.)

# January 14, 2008 5:49 PM

Chris Jackson said:

Good Point -

While you can get around WRP if you fight hard enough with taking ownership, doing so is generally a really bad idea. I am not sure what you are trying to achieve.

Chris

# January 14, 2008 8:33 PM

Good Point said:

I should have been clear, I wasn't trying to achieve anything by deleting/modifying the protected file.  I can't remember how it came up, but it was something I saw and I couldn't figure out why a DACL that says an account should be able to so something was being denied.

In searching I did find a TechNet article that did say changing the owner of the file will allow the action, but gave no reason as to why.

I'm not 100% certain, but I believe that it was a file that was owner by TrustedInstaller, but SfcIsFileProtected() said it wasn't a protected file.

It seems that there is another layer of protection (beyond the DACL on the file) and I was wondering what that is?

# January 15, 2008 11:46 AM

Chris Jackson said:

Hi Good Point,

An AccessCheck is all about the ACL, but they can be complicated at times.

First, there is the notion of CREATOR OWNER, which can be confusing things when you take ownership. See http://support.microsoft.com/kb/126629.

Second, if you're on Windows Vista, UAC can flip the Administrator ACE's Deny Only bit, which confuses things. You can have it in your token, but you can't use it to be granted permission to do something.

Finally, you have mandatory integrity control, which adds the trust level of the process as something you can secure objects with.

Can you run icacls on the object in question and let me know what the ACL is, and then run whoami /all with the same account? That could reveal what is going on.

Chris

# January 15, 2008 1:47 PM

Anuradha said:

I am trying to simply connect to my VPN and active X is not installing on my PC though I have allowed it. What is the use in having an expensive new OS if I have to master it just so that I would be able to use it?I am a simple user trying to work from home using my laptop (Vista)

# January 25, 2008 6:19 PM

Chris Jackson said:

Hi Anuradha,

What is the VPN software that you are trying to use? You may need to get a more current version - not all of it is compatible.

Chris

# January 27, 2008 8:54 PM

Good Point said:

Chris, thank you for your time on this.

I chose a file that is on any Vista install (I think) and displays this behavior.  The file is C:\Program Files\Internet Explorer\sqmapi.dll.  SfcIsFileProtected() returns TRUE indicating that it is a protected file.

I take ownership of the file and change the permissions to allow full control, yet DeleteFile() fails with error 5, Access Denied.

icacls shows:

sqmapi.dll  No permissions are set. All users have full control.

Successfully processed 1 files; Failed processing 0 files

whoami /all shows:

USER INFORMATION

----------------

User Name           SID                                      

=================== ==========================================

ctdev\administrator S-1-5-21-583907252-630328440-725345543-500

GROUP INFORMATION

-----------------

Group Name                           Type             SID                                        Attributes                                                    

==================================== ================ ========================================== ===============================================================

Everyone                             Well-known group S-1-1-0                                    Mandatory group, Enabled by default, Enabled group            

BUILTIN\Users                        Alias            S-1-5-32-545                               Mandatory group, Enabled by default, Enabled group            

BUILTIN\Administrators               Alias            S-1-5-32-544                               Mandatory group, Enabled by default, Enabled group, Group owner

NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                    Mandatory group, Enabled by default, Enabled group            

NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                   Mandatory group, Enabled by default, Enabled group            

NT AUTHORITY\This Organization       Well-known group S-1-5-15                                   Mandatory group, Enabled by default, Enabled group            

LOCAL                                Well-known group S-1-2-0                                    Mandatory group, Enabled by default, Enabled group            

CTDEV\Group Policy Creator Owners    Group            S-1-5-21-583907252-630328440-725345543-520 Mandatory group, Enabled by default, Enabled group            

CTDEV\Domain Admins                  Group            S-1-5-21-583907252-630328440-725345543-512 Mandatory group, Enabled by default, Enabled group            

CTDEV\Schema Admins                  Group            S-1-5-21-583907252-630328440-725345543-518 Mandatory group, Enabled by default, Enabled group            

CTDEV\Enterprise Admins              Group            S-1-5-21-583907252-630328440-725345543-519 Mandatory group, Enabled by default, Enabled group            

Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288                               Mandatory group, Enabled by default, Enabled group            

PRIVILEGES INFORMATION

----------------------

Privilege Name                  Description                               State  

=============================== ========================================= ========

SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled

SeSecurityPrivilege             Manage auditing and security log          Disabled

SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled

SeLoadDriverPrivilege           Load and unload device drivers            Disabled

SeSystemProfilePrivilege        Profile system performance                Disabled

SeSystemtimePrivilege           Change the system time                    Disabled

SeProfileSingleProcessPrivilege Profile single process                    Disabled

SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled

SeCreatePagefilePrivilege       Create a pagefile                         Disabled

SeBackupPrivilege               Back up files and directories             Disabled

SeRestorePrivilege              Restore files and directories             Disabled

SeShutdownPrivilege             Shut down the system                      Disabled

SeDebugPrivilege                Debug programs                            Disabled

SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled

SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled

SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled

SeUndockPrivilege               Remove computer from docking station      Disabled

SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled

SeImpersonatePrivilege          Impersonate a client after authentication Enabled

SeCreateGlobalPrivilege         Create global objects                     Enabled

SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled

SeTimeZonePrivilege             Change the time zone                      Disabled

SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

# January 28, 2008 5:47 PM

Chris Jackson said:

Defeating WRP isn't a supported scenario. I'd dump your resource ACL using icacls and make sure that everything remains as you set it. If that isn't helpful, you can always set a bp on AccessCheck* in the debugger and find out what's going on. But WRP is implemented with ACLs and not any additional mechanisms.

# January 28, 2008 7:26 PM

Bud Mosc said:

I tried several times to install the Vista SP1. Each time I encountered the same error code. I tried each resolution suggested to no avail. When I ran the System File checker tool, it indicated that there were corrupted files in WRP that could not be corrected. Any suggestions on how to fix this? Vista now freezes often as a result and I do not have a restore point early that resolved the issue.

# April 9, 2008 11:09 AM

Chris Jackson said:

Hi Bud,

See http://technet.microsoft.com/en-us/windowsvista/cc295800.aspx

Thanks,

Chris

# April 10, 2008 9:19 AM

Dale Johnson said:

Hi,

My reason for wanting access to Trusted Installer owned files and folders is simple. After running Beta versions of Vista and now a temporary version of it for the past 25 days because I now have a new CPU chip and Motherboard, I need to install a new licensed version of Vista. The problem is that all of these older versions have eaten up all of my Hard Drive space so I don't have room to do my install. These interim installs are entwined with data files and such so reformatting of drives or partitions is out of the question.

So quite simply, I need to delete these interim installs that are cluttering up my drives.

Without permission to do so, I can't get rid of these files and folders that Vista believes are part of the operating system but are no longer so.

So how do I get rid of this clutter if I can't get ownership powers enough to be able to delete them entirely?

While increased security is admirable it isn't of very much use if you can never get rid of the older versions of the operating system. When I boot up I get a list of about 6-7 operating systems to choose from. Out of those, only two are actually valid and then only until I can install my final operating system, when I can transfer the info from them and then they will be also obsolete. Needless to say, 6-7 obsolete versions of an operating system take up an awful lot of disk space, particularly one as huge as Vista is.

# April 15, 2008 3:18 AM

Chris Jackson said:

Hi Dale,

If you are an admin, you can elevate and take ownership of any file that you'd like, including WRP files, and once you have ownership you can modify the ACLs. This isn't a security feature - it's a reliability feature. So, you can get the powers to delete them entirely.

Thanks,

Chris

# April 15, 2008 11:52 AM

exold said:

Chris: A fine line indeed between helping and helping Too Much. Having to draw that line is one of the disadvantages of having both Enormous Mystical Knowledge and Speaking Public Face, of course. I thought you did a very good job here!

# May 4, 2008 11:46 AM

Chris Jackson's Semantic Consonance said:

Every now and again, I bump up against a setup application (it's almost always a setup application) that

# May 30, 2008 5:57 PM

cquirke said:

Hi!

In these comments, you said "This isn't a security feature - it's a reliability feature".

With that in mind, I ask: Is there feedback from ChkDsk and AutoChk to WRP, that would trigger file replacement if these processes had to "fix" a core OS code file?  There should be, and it should apply to both the "live" files and the source files that are used to perform the replacements.

# July 23, 2008 2:49 AM

Chris Jackson said:

Hi cquirke,

There are no more "replacement" files - you just have the one copy now. sfc.exe will still do this, but it needs the original media.

Thanks,

Chris

# July 23, 2008 9:54 AM

Paul said:

Your note on WFP is incorrect. Users weren't just able to write to the replacement directory, by default: %windir%\system32\dllcache.

There is a thread inside winlogon started by SfcInitProt() from sfc_os.dll (sfc.dll for W2k). This thread watches for file integrity according to sfcfiles.dll. If a file is to be deleted from its original location it will be recovered from its backup. If the backup's checksum fails integrity check then I friendly pop up will appear asking for your installation CD. There are many ways around this:

- Write a program to use the hidden ordinal exports in sfc_os.dll. export 2 disables until reboot, export 5 disables for one minute on a specific file.

- Create a hack of sfcfiles.dll and have it replaced on reboot.

- Create a hack of sfc_os.dll to revert it to W2k functionality. Then set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable key to 0xFFFFFF9D

# August 28, 2008 1:10 AM

ccl1111 said:

Thank you, thank you, thank you!

I had a .dll that SFC could not repair & was almost at the point of formatting & reinstalling from scratch. Though I understand it's not a best practice, I was able to take ownership of it and replace it with a good version - thanks to your explanation.

Even if it only buys me a bit of time, you've prevented me from having to reinstall my machine for a while.

Thank you!                                      

# September 5, 2008 6:23 PM

Seabass said:

Chris, I am having the exact same issue as Bud Mosc, and I can't find help ANYWHERE! My computer came with Vista Home Premium loaded. For whatever reason, it cannot update. I have tried installing SP1, but I get an error code (80070490) that is not referenced ANYWHERE in the MSknowledgebase nor on the Internet in general. I ran a sfc /scannow & it says that corrupt WRP files were found, but when I try to view the CBS log as administrator, it just gives me another prompt. I can't even defrag.

I clicked the link you gave Bud above, but it's defunct. Is there a new page we could reference?

Any other ideas besides restoring? I REALLY want to avoid that.

PS - How can there be an error code that's not in the kb?

# October 15, 2008 9:49 AM

Chris Jackson said:

Hi Seabass,

80070490 translates to ERROR_NOT_FOUND (Element not found) - without knowing what threw the error, I'm not sure exactly what it indicates. But you can get free SP1 support from https://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11274&gprid=500921 - I just verified that this link still works.

# October 15, 2008 11:39 PM
New Comments to this post are disabled
Page view tracker