Braindump: ActiveX in Windows 8

Note: The “brain dump” series is akin to what the team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve been in my “Important things to write about” queue for ~5 years. Alas, these topics are so broad and intricate that a proper treatment would take far more time than I have available at the moment.

There are a few notable changes in Win8/Internet Explorer 10’s behavior when it comes to ActiveX controls.

1. The non-Desktop mode of the browser (let’s call it IEPKaM for lack of a better name) only permits instantiation of controls that are considered to be a part of the web platform. The list of permitted objects is hardcoded into Internet Explorer and consists of:

MSXML DOMDocument {F6D90F11-9C73-11D3-B32E-00C04F990BB4}
MSXML FreeThreadedDOMDocument {F6D90F12-9C73-11D3-B32E-00C04F990BB4}
MSXML XMLSchemaCache {373984C9-B845-449B-91E7-45AC83036ADE}
MSXML XSLTemplate {2933BF94-7B36-11D2-B20E-00C04F983E60}
MSXML XMLHTTP {F6D90F16-9C73-11D3-B32E-00C04F990BB4}
MSXML DOMDocument30 {F5078F32-C551-11D3-89B9-0000F81FE221}
MSXML FreeThreadedDOMDocument30 {F5078F33-C551-11D3-89B9-0000F81FE221}
MSXML XMLSchemaCache30 {F5078F34-C551-11D3-89B9-0000F81FE221}
MSXML XSLTemplate30 {F5078F36-C551-11D3-89B9-0000F81FE221}
MSXML XMLHTTP30 {F5078F35-C551-11D3-89B9-0000F81FE221}
MSXML DOMDocument60 {88D96A05-F192-11D4-A65F-0040963251E5}
MSXML FreeThreadedDOMDocument60 {88D96A06-f192-11D4-A65F-0040963251E5}
MSXML XMLSchemaCache60 {88D96A07-f192-11D4-A65F-0040963251E5}
MSXML XSLTemplate60 {88D96A08-f192-11D4-A65F-0040963251E5}
MSXML XMLHTTP60 {88D96A0A-f192-11D4-A65F-0040963251E5}
XMLHTTPRequest {ED8C108E-4349-11D2-91A4-00C04F7969E8}
DOMDocument {2933BF90-7B36-11D2-B20E-00C04F983E60}
Scripting.Dictionary {EE09B103-97E0-11CF-978F-00A02463E06F}
HtmlComponent {3050f4f8-98b5-11cf-BB82-00AA00BDCE0B}
Scriptlet {AE24FDAE-03C6-11D1-8B76-0080C744F389}
IE XMLDocument Not registered – used when hosting XML
IE SVGDocument Not registered – used when hosting SVG
IE XHTMLDocument Not registered – used when hosting XHTML
Adobe Flash {D27CDB6E-AE6D-11cf-96B8-444553540000}

IEPKaM blocks other forms of extensibility outright: toolbars, BHOs, Pluggable Protocols, MIME Filters, and Namespace handlers will not load in IEPKaM.

2. IEPKaM only permits use of Adobe Flash on sites that are listed in the IE Compatibility List or DebugDomain registry key.

3. When enabled, IE’s ActiveX Filter permits use of the controls listed above, except Adobe Flash, which is still filtered. This enhancement makes ActiveX Filtering far more palatable, as it doesn’t block use of legacy objects like the ActiveX version of the XMLHTTPRequest control.

4. Windows RT devices like the Microsoft Surface cannot download or install ActiveX controls.

  1. Windows RT’s ActiveX restrictions are additionally backed by the OS loader, which will refuse to run code that hasn’t been signed with a particular code-signing certificate.
  2. Installed controls that are a part of Windows RT are permitted to run in the Desktop experience.
  3. In the IEPKaM experience, the list above is still consulted before a control is permitted to load.

5. When the Enhanced Protected Mode feature is enabled, controls will not load unless they have been compiled for 64-bit (when run on 64-bit Windows). When running on Windows 8, there is the additional requirement that the controls are listed in the CATID_AppContainerCompatible component category, indicating that they have been tested to work properly within AppContainers.

For instance, the controls must not expect to perform a non-brokered read of the local disk or registry; instead, such operations must be conducted on the control’s behalf by a registered broker object running at Medium Integrity. In some cases (like writing to a file), the IE Protected Mode APIs will suffice, but IE10 does not include any new Read brokers, so if your control hopes to read an arbitrary file from disk, you’ll need to write your own broker.

6. IE10 enables Enhanced Memory Protections like ForceASLR, which opts all loaded modules into address space randomization, regardless of whether the /DynamicBase flag was set. You should continue to set this flag directly, but be aware that your control cannot take dependencies on fixed module load addresses even if you fail to do so.
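To see how items 1 to 3 apply to a given page, the following added example (not code from the original post or from Internet Explorer) scans markup for `<object classid>` elements and buckets each one against the hardcoded list. The bucket names are this example's own: "platform" means on the list, "flash" means subject to the Compatibility List/DebugDomain rule and still filtered by ActiveX Filtering, and "blocked" means not on the list. The sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
# CLSIDs copied from the list above, names omitted. The three "not registered"
# document hosts have no CLSID, so they never appear in a classid attribute.
PLATFORM = {g.upper() for g in """
F6D90F11-9C73-11D3-B32E-00C04F990BB4 F6D90F12-9C73-11D3-B32E-00C04F990BB4
373984C9-B845-449B-91E7-45AC83036ADE 2933BF94-7B36-11D2-B20E-00C04F983E60
F6D90F16-9C73-11D3-B32E-00C04F990BB4 F5078F32-C551-11D3-89B9-0000F81FE221
F5078F33-C551-11D3-89B9-0000F81FE221 F5078F34-C551-11D3-89B9-0000F81FE221
F5078F36-C551-11D3-89B9-0000F81FE221 F5078F35-C551-11D3-89B9-0000F81FE221
88D96A05-F192-11D4-A65F-0040963251E5 88D96A06-F192-11D4-A65F-0040963251E5
88D96A07-F192-11D4-A65F-0040963251E5 88D96A08-F192-11D4-A65F-0040963251E5
88D96A0A-F192-11D4-A65F-0040963251E5 ED8C108E-4349-11D2-91A4-00C04F7969E8
2933BF90-7B36-11D2-B20E-00C04F983E60 EE09B103-97E0-11CF-978F-00A02463E06F
3050F4F8-98B5-11CF-BB82-00AA00BDCE0B AE24FDAE-03C6-11D1-8B76-0080C744F389
""".split()}
FLASH = "D27CDB6E-AE6D-11CF-96B8-444553540000"
GUID_RE = re.compile(r"\s*(?:clsid:)?\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?\s*$", re.I)

class ObjectScanner(HTMLParser):
    """Collects the classid attribute of every <object> element."""
    def __init__(self):
        super().__init__()
        self.classids = []
    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get("classid")
        if tag == "object" and value is not None:
            self.classids.append(value)

def classify(classid):
    """Bucket one classid value; GUIDs compare case-insensitively."""
    m = GUID_RE.match(classid)
    if not m:
        return "unparsed"
    guid = m.group(1).upper()
    if guid in PLATFORM:
        return "platform"  # on the hardcoded list, exempt from ActiveX Filtering
    return "flash" if guid == FLASH else "blocked"

def audit(html):
    scanner = ObjectScanner()
    scanner.feed(html)
    return [(c, classify(c)) for c in scanner.classids]

# Constructed sample markup; the all-zero CLSID is a made-up placeholder.
SAMPLE = ('<object classid="clsid:88d96a0a-f192-11d4-a65f-0040963251e5"></object>'
          '<object classid="CLSID:{D27CDB6E-AE6D-11cf-96B8-444553540000}"></object>'
          '<object classid="clsid:00000000-0000-0000-0000-000000000001"></object>'
          '<object type="application/pdf" data="a.pdf"></object>')
```

Controls created from script by ProgID are outside this check, because mapping a ProgID to its CLSID requires the registry of the machine in question.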