Integrity Levels and Internet Explorer Automation
I recently came across a problem with a VBScript that simply navigates to two intranet URLs (opening one in each tab) but fails with the following error:
The VBScript source code (comments omitted) simply contains the following:
navOpenInBackgroundTab = &h1000
set oIE = CreateObject("InternetExplorer.Application")
oIE.Navigate "http://host1:8080/app"
oIE.Navigate "https://exchangeserver/owa", navOpenInBackgroundTab
oIE.Visible = true
Line 23 refers to the last line of the code, but why are we getting an error when this script previously worked fine under Windows XP?
This MSDN blog (http://blogs.msdn.com/b/ieinternals/archive/2011/08/03/internet-explorer-automation-protected-mode-lcie-default-integrity-level-medium.aspx) has the answer, but if you're struggling to understand some of the concepts let's review:
The key points to understand are:
- The Internet Explorer Frame Manager always runs at Medium integrity level, but the tabs displaying the content run at varying integrity levels based on the zone the site belongs to (e.g. Internet, Trusted Sites, Intranet).
- When new "empty" tabs are created, the default integrity level for the tab is set to "Low". Using SysInternals Process Explorer, we can see this below:
- The URLs in the script are considered to be "Intranet" sites because their host names contain no dots ".".
- When the script executes we see a hidden browser tab running at Low integrity level, and two additional tabs running at Medium integrity level.
- Line 23 errors because the browser instance created from the script loses control of the object. The script then tries to make the browser instance visible but no longer has permission to do so: the invoking browser instance is running at Low integrity level, which does not have access to any process running at Medium or High integrity level (which is what the Intranet URL tabs are running at).
Therefore, we need to find a way of creating an Internet Explorer instance to start at Medium integrity level, and this is done by using the {D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} class. This runs "%ProgramFiles(x86)%\Internet Explorer\iexplore.exe" -startmediumtab.
To implement this in the script, we substitute
set oIE = CreateObject("InternetExplorer.Application")
with
Set oIE = GetObject("new:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E}")
You will now find that you no longer have a hidden low integrity browser instance and the script now runs without error.
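To confirm this without Process Explorer, the following PowerShell script (an added example, not part of the original post) lists each running iexplore.exe process with the integrity level read from its token. The class name IL and the function Get-IntegrityName are made up for this example; it assumes it is run as the same user that owns the browser processes.

```powershell
# Added example: list the integrity level of every running iexplore.exe process.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class IL {   // "IL" is a name made up for this example
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int retLen);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    // Returns the integrity RID: the last sub-authority of the token's mandatory label SID.
    public static int GetRid(IntPtr process) {
        IntPtr token;
        if (!OpenProcessToken(process, 0x0008 /* TOKEN_QUERY */, out token))
            throw new InvalidOperationException("OpenProcessToken failed: " + Marshal.GetLastWin32Error());
        try {
            int len;
            // First call with no buffer only reports the required size in len.
            GetTokenInformation(token, 25 /* TokenIntegrityLevel */, IntPtr.Zero, 0, out len);
            IntPtr buf = Marshal.AllocHGlobal(len);
            try {
                if (!GetTokenInformation(token, 25, buf, len, out len))
                    throw new InvalidOperationException("GetTokenInformation failed: " + Marshal.GetLastWin32Error());
                IntPtr sid = Marshal.ReadIntPtr(buf);   // TOKEN_MANDATORY_LABEL.Label.Sid
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                return Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            } finally { Marshal.FreeHGlobal(buf); }
        } finally { CloseHandle(token); }
    }
}
'@

# Map the RID to the level names (0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System).
function Get-IntegrityName([int]$Rid) {
    if     ($Rid -ge 0x4000) { 'System' }
    elseif ($Rid -ge 0x3000) { 'High' }
    elseif ($Rid -ge 0x2000) { 'Medium' }
    elseif ($Rid -ge 0x1000) { 'Low' }
    else                     { 'Untrusted' }
}

Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    $rid = [IL]::GetRid($_.Handle)
    [pscustomobject]@{ Id = $_.Id; Integrity = (Get-IntegrityName $rid); Rid = '0x{0:X4}' -f $rid }
}
```

Run against the original script, the output should include the Low integrity process described in the key points above; after switching to the medium-integrity class, no Low entry should remain.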
Further Reading:
Windows Integrity Mechanism - http://msdn.microsoft.com/en-us/library/bb625957.aspx