Windows 7 / Getting Started

How the Protected Mode Compatibility Layer Works

To minimize the impact of the strict security restrictions, Protected Mode provides a compatibility architecture that redirects some requests to protected resources and prompts the user to approve other requests. Figure below illustrates this behavior.

Internet Explorer Protected Mode provides both security and compatibility

The compatibility layer handles the needs of extensions written for earlier versions of Windows that require access to protected resources by redirecting the requests to safer locations. Specifically, the Documents folder is redirected to \%UserProfile%\AppData\Local \Microsoft\Windows\Temporary Internet Files\Virtualized, and the HKEY_CURRENT_USER registry hive is redirected to HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer \InternetRegistry.

The first time an add-on attempts to write to a protected object, the compatibility layer copies the object and then modifies the copy. After the first modification is made, the compatibility layer forces add-ons to read from the copy. The Internet Explorer compatibility layer virtualization is used instead of the Windows Vista and later operating systems UAC virtualization.

Note A dd-ons developed for Windows Vista and later operating systems can bypass the compatibility layer to save a file by calling the SaveAs application programming interface (AP I), so no functionality is lost. To allow the user to select a location to save a file, call IEShowSaveFileDialog to prompt the user for a folder and then call IESaveFile to write the file. Use IEGetWriteableFolderPath and IEGetWriteableHKCU to find low-integrity locations to which your add-on can write. To determine whether Protected Mode is active, call the IEIsProtectedModeProcess method. For more information, visit http://msdn.microsoft.com/en-us/library/ms537319.aspx.

Two higher-privilege broker processes allow Internet Explorer and extensions to perform elevated operations given user consent:

  • The User Broker (IEUser.exe) process provides a set of functions that lets the user save files to areas outside of low-integrity areas.
  • The Admin Broker (IEInstal.exe) process allows Internet Explorer to install ActiveX controls.
[Previous] [Contents] [Next]

In this tutorial:

  1. Managing Windows Internet Explorer
  2. Internet Explorer 8 Improvements
  3. InPrivate Browsing
  4. InPrivate Filtering
  5. Compatibility View
  6. SmartScreen
  7. Domain Highlighting
  8. Tab Isolation
  9. Accelerators
  10. Improvements Previously Introduced in Internet Explorer 7
  11. User Interface Changes
  12. Tabbed Browsing
  13. Search Bar
  14. How to Create a Web Link to Add a Custom Search Provider
  15. How to Configure Custom Search Providers Using the Registry
  16. How to Configure Custom Search Providers Using Group Policy
  17. RSS Feeds
  18. Improved Standards Support
  19. Expanded Group Policy Settings
  20. Defending Against Malware
  21. How Protected Mode Improves Security
  22. How the Protected Mode Compatibility Layer Works
  23. How to Solve Protected Mode Incompatibilities
  24. URL-Handling Protection
  25. Address Bar Visibility
  26. Cross-Domain Scripting Attack Protection
  27. Controlling Browser Add-ons
  28. Add -on Manager Improvements
  29. Protecting Against Data Theft
  30. Security Status Bar
  31. How the Smart Screen Filter Works
  32. How to Configure Smart Screen Options
  33. Deleting Browsing History
  34. Blocking IDN Spoofing
  35. Security Zones
  36. Understanding Zones
  37. Configuring Zones on the Local Computer
  38. Configuring Zones Using Group Policy
  39. Network Protocol Lockdown
  40. Managing Internet Explorer Using Group Policy
  41. Group Policy Settings for Internet Explorer 7 and Internet Explorer 8
  42. New Group Policy Settings for Internet Explorer 8
  43. Using the Internet Explorer Administration Kit
  44. Troubleshooting Internet Explorer Problems
  45. Internet Explorer Does Not Start
  46. An Add-on Does Not Work Properly
  47. Some Web Pages Do Not Display Properly
  48. Preventing Unwanted Toolbars
  49. The Home Page or Other Settings Have Changed