Internet Explorer Add-on Management and Crash Detection

Applies To: Windows Server 2003 with SP1

Note

The Microsoft Windows Server 2003 Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening) reduces a server’s vulnerability to attacks from Web content by applying more restrictive Internet Explorer security settings that disable scripts, ActiveX components, and file downloads for resources in the Internet security zone. As a result, many of the security enhancements included in the latest release of Internet Explorer will not be as noticeable in Windows Server 2003 Service Pack 1. For example, the new Internet Explorer Information Bar and Pop-up Blocker features will not be used unless the site is in a zone whose security setting allows scripting. If you are not using the enhanced security configuration on your server, these features will function as they do in Windows XP Service Pack 2.

What does Internet Explorer Add-on Management and Crash Detection do?

These are two new, closely related features that are included in Internet Explorer.

Internet Explorer Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet Explorer with more detailed control than before. It also shows the presence of some add-ons that were previously not shown and could be very difficult to detect.

Internet Explorer Add-on Crash Detection attempts to detect crashes in Internet Explorer that are related to an add-on. When the add-on is successfully identified, this information is presented to the user. The user has the option of disabling add-ons to diagnose crashes and improve the overall stability of Internet Explorer.

Who does this feature apply to?

Users will be able to view, enable, and disable the add-ons used by Internet Explorer, and identify add-ons that might be related to Internet Explorer crashes. Administrators can enforce a list of add-ons that are allowed or disallowed and restrict the ability of users to manage add-ons.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Internet Explorer Add-on Management

Detailed description

Internet Explorer Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet Explorer with more detailed control than before. It also shows the presence of some add-ons that were previously not shown and could be very difficult to detect. These add-ons might provide undesired functionality or services and, in some cases, might present a security risk.

For example, a user might unintentionally install an add-on that secretly records all Web page activity and reports it to a central server. Previously, specialized software and deep technical knowledge might have been required to identify and remove that add-on. Internet Explorer Add-on Management provides an easier way to detect and disable that add-on.

Add-ons include:

  • Browser helper objects

  • ActiveX controls

  • Toolbar extensions

  • Browser extensions

Add-ons can be installed from a variety of locations and in several ways, including:

  • Download and installation while viewing Web pages.

  • Installation by the user by way of an executable program.

  • As pre-installed components of the operating system.

  • As pre-installed add-ons that come with the operating system.

Manage Add-ons

Users can enable and disable each add-on individually and view information about how often the add-ons have been used by Internet Explorer. To do this, use one of the following procedures to open Manage Add-ons.

Open Manage Add-ons Using Internet Explorer

  1. Click Start, and then click Internet Explorer.

  2. On the Tools menu, click Manage Add-ons.

Open Manage Add-ons using the Control Panel

  1. Click Start, and then click Control Panel.

  2. Double-click Internet Options.

  3. Click the Programs tab, and then click Manage Add-ons.

Manage Add-ons has several options that allow you to change your add-on configuration.

You can use the Show drop-down list in Manage Add-ons to control the way in which the add-ons list is displayed. It has two options:

  • Add-ons currently loaded in Internet Explorer. This option lists the add-ons that have been instantiated (or loaded into memory) within the current Internet Explorer process and those that have been blocked from instantiating. This includes ActiveX controls that were used by Web pages that were previously viewed within the current process.

  • Add-ons that have been used by Internet Explorer. This option lists all add-ons that have been referenced by Internet Explorer and are still installed.

The list of add-ons shows all installed add-ons of the types listed previously in the detailed description section. To enable or disable an installed add-on, click the add-on in the list, then click Enable or Disable.

If you click an ActiveX control in the list, then click Update ActiveX, Windows searches for an update at the location where the original control was found. If a newer version is found at that location, Internet Explorer attempts to install the update.

The list of add-ons also contains signed add-ons that were blocked from installation because their publisher was untrusted. After selecting one of these controls, the user can unblock the control by clicking Allow. Caution should be exercised when doing this, because clicking Allow removes the publisher from the Untrusted list.

Blocked Add-on status bar icon

A Blocked Add-on icon appears in the status bar when a Web page attempts to instantiate an ActiveX control that is disabled or blocked because its publisher is untrusted. You can double-click the icon to open Manage Add-ons. The status bar icon is accompanied by a balloon tip the first five times it appears.

Add-on notification balloon tip

When a Web page attempts to instantiate a disabled add-on and there is no current Blocked Add-on status bar icon, a message appears to tell the user that the current Web page is requesting an add-on that is disabled. The user can click the message for more details on blocking add-ons.

You can use the Internet Options Control Panel to suppress the message.

Why is this change important?

Windows Error Reporting data has shown that add-ons are a major cause of stability issues in Internet Explorer and significantly affect its reliability. Add-ons can also pose a security risk, because they might contain malicious and unknown code.

Many users are unaware of the add-ons they have installed on their computer. Some add-ons are loaded whenever Internet Explorer is started, but cannot be detected unless the user searches the registry. When users experienced crashes, there was no easy way to diagnose whether the issue was related to an add-on. Even if they suspected that the problem stemmed from recently installed software, it was difficult to isolate the cause and often impossible to resolve if the software did not provide an uninstall option.

Internet Explorer Add-on Management, together with Add-on Crash Detection, gives users the ability to improve the security and stability of their systems by identifying and disabling problematic add-ons. Administrators are also provided with a powerful administrative tool to control add-on use in their organization.

What works differently?

Behavior when add-ons are disabled

Disabling an add-on does not remove it from the computer. It only prevents Internet Explorer from instantiating the object and executing its code. There is no guarantee that the disabled add-on will never be loaded, since an add-on that is considered by Internet Explorer to be disabled can still be used by another component in the system. The behavior that is displayed by disabling different object types varies.

  • If an ActiveX control is disabled, Web pages that rely on the control might not work as expected. They behave as if the user has uninstalled the control from the computer and declined to install it. Users are not prompted to upgrade controls that have been disabled.

  • If a browser helper object is disabled, functionality that depends on the object is not available, and there is no visual indication that a component is disabled.

  • If a browser extension is disabled, toolbar buttons and menu entry points are not shown for that extension. Internet Explorer behaves as if the extension was not installed.

  • If a toolbar extension is disabled, the toolbar does not appear in Internet Explorer and, on the View menu, the Toolbars item is disabled. Internet Explorer behaves as if the toolbar was not installed.

The concept of a disabled add-on only applies to instances of Internet Explorer (Iexplore.exe) and Windows Explorer (Explorer.exe) by default. Currently, other programs based on Internet Explorer components, such as the WebBrowser control, do not respect the disabled state. However, you can use the featurecontrol key to extend this functionality to other applications.

Some software programs depend on a combination of multiple add-ons to work correctly, and disabling any one of them might cause problems. Caution should be exercised when deciding to disable one or more add-ons.

Uninstallation

If the user disables a non-ActiveX add-on and subsequently uninstalls and then re-installs it, the add-on might remain in a disabled state. This is because Internet Explorer is not notified of application installations and does not detect any application state changes. However, if Internet Explorer is started while the add-on is not installed, it detects a change and automatically clears the disabled state.

If the user disables an ActiveX control and then uninstalls it, the next time a Web page attempts to use the control, Internet Explorer detects that the control is no longer present and clears the disabled state. However, if the ActiveX control is reinstalled using an executable file (as opposed to a Web page download) before there are any attempts to instantiate the control, then it remains disabled. This is because Internet Explorer does not detect a state change.

How do I resolve these issues?

In the event that disabling an add-on causes a lack of functionality, it can be restored by enabling the add-on in Manage Add-ons. Internet Explorer must be restarted for new settings to take effect, with the exception of ActiveX controls, where reloading the affected page might be sufficient.

Internet Explorer Add-on Management for Administrators

Detailed description

Disabling the Crash Detection feature

To disable the Crash Detection feature of Add-on Management, see "What settings are added or changed in Windows Server 2003 Service Pack 1?" below. When Crash Detection is disabled, a crash in Internet Explorer exhibits previous behavior, which is usually to invoke Windows Error Reporting. All policies for Windows Error Reporting continue to apply.

Disabling Add-on Management user interface

To disable the Add-on Management user interface, see "What settings are added or changed in Windows Server 2003 Service Pack 1?" below. When the Add-on Management user interface is disabled, the Enable and Disable options are unavailable in Manage Add-ons.

Deny all add-ons unless specifically allowed in the Add-on list

This policy setting allows administrators to ensure that any Internet Explorer add-ons not listed in the Add-on List policy setting will be denied.

To set this policy, an administrator can modify the RestrictToList registry value under either of the following keys:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\

Key reference

Name: RestrictToList

Type: DWORD

Value:

  • 1 (Anything not on the Add-on list is considered disabled.)

  • 0 (Anything not on the Add-on list works as it would without policy.)

Add-on List

Administrators can control the use of specific add-ons through the add-on list policy. Administrators can choose to enable or disable an add-on as well as allow a specific add-on to be managed by the user.

To set this policy, an administrator can create a registry value based on the GUID of the add-on in either of the following keys and then set the desired value:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID

Each add-on is a value in this registry key with the following properties.

Key reference

Name: GUID of the add-on

Type: REG_SZ

Value:

  • 0 - Add-on is disabled and cannot be managed by the end user.

  • 1 - Add-on is allowed and cannot be managed by the end user.

  • 2 - Add-on is allowed and can be managed by the end user.

The Add-on (CLSID) lists are empty by default.
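The following added example (not part of the original documentation) audits these two policies from a .reg export of the Policies\Ext key and reports the effective state of each add-on. The function names and sample GUIDs are constructed; it evaluates one hive at a time, because the text above does not state how HKCU and HKLM are combined.

```python
import re

EXT = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext".upper()
# Add-on List values from the key reference: (state, user can manage it)
MEANING = {"0": ("disabled", False), "1": ("allowed", False), "2": ("allowed", True)}

# Constructed sample in .reg export format; the GUIDs are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext]
"RestrictToList"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{11111111-1111-1111-1111-111111111111}"="1"
"{22222222-2222-2222-2222-222222222222}"="0"
"{33333333-3333-3333-3333-333333333333}"="2"
"{44444444-4444-4444-4444-444444444444}"="7"
'''

def parse_policy(reg_text):
    """Return (restrict_to_list, {GUID: raw value}) from a .reg export of one hive."""
    restrict, addons, section = 0, {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            # Drop the hive name and compare the rest of the path case-insensitively.
            section = header.group(1).split("\\", 1)[-1].upper()
            continue
        dword = re.fullmatch(r'"RestrictToList"=dword:([0-9a-fA-F]{8})', line, re.I)
        if dword and section == EXT:
            restrict = int(dword.group(1), 16)
        entry = re.fullmatch(r'"(\{[0-9a-fA-F-]{36}\})"="(.*)"', line)
        if entry and section == EXT + r"\CLSID":
            addons[entry.group(1).upper()] = entry.group(2)
    return restrict, addons

def effective_state(restrict, addons, guid):
    """Map one add-on GUID to (state, user_can_manage) per the key references."""
    raw = addons.get(guid.upper())
    if raw is None:
        # Not on the Add-on List: RestrictToList decides.
        return ("disabled", False) if restrict == 1 else ("no policy", True)
    # Values other than 0, 1 or 2 are not defined by the documentation; flag them.
    return MEANING.get(raw, ("invalid value", None))
```

Running the audit against both hives on a reference server before enabling RestrictToList shows which add-ons would become disabled and which entries carry a value the policy does not define.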

Behavior of Management user interface when policies are applied

When an Add-on Management policy is in effect, and the user selects an add-on from the management list that is disabled by policy, Enable and Disable are unavailable.

Why is this change important?

This feature allows administrators to control the usage of the new features.

What works differently?

The new features for allowing and disallowing add-ons work in conjunction with existing policies for managing ActiveX controls. Add-on disabling is applied on top of existing checks and does not replace other security restrictions that might be in place. For example, if an ActiveX control is blocked by its ActiveX compatibility flags, it will always be blocked, regardless of the add-on management settings.

Using the "Deny all add-ons unless specifically allowed in the Add-on List" policy will disable script and other controls necessary for some Web pages to function properly. For a list of CLSIDs that might need to be enabled for certain Web sites to function correctly, see the article on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=45658

How do I resolve these issues?

If you are using the "Deny all add-ons unless specifically allowed in the Add-on list" policy, some Web applications might break due to disabled scripting and other disabled controls. For information about enabling scripting and other commonly used Web controls, see the article on the Microsoft Web site at https://go.microsoft.com/fwlink/?linkid=45658

In the event that these controls do not address the issue and adding these policies continues to remove functionality that is required for a Web application that you want to use, remove the policies that were applied and restart Internet Explorer.

Internet Explorer Add-on Crash Detection

Detailed description

Whenever Internet Explorer stops unexpectedly, Windows starts the Add-on Crash Detection program. Add-on Crash Detection is an error analysis program that examines the state of the Iexplore.exe (Internet Explorer) process. It collects the list of dynamic link libraries (DLLs) that are loaded, and the value of the instruction pointer register (EIP) at the time of the crash. Add-on Crash Detection then attempts to find the DLL whose memory range the EIP lies within. This DLL is often the cause of the crash. If a DLL is found, it is not a system DLL, and the DLL is the COM server for an Internet Explorer add-on, the Internet Explorer Add-on Crash Detection dialog box appears. This dialog box contains information that indicates which add-on caused the crash, the name of the company associated with the add-on, and the description of the DLL file that contains the add-on code. To display Manage Add-ons, which you can then use to disable the identified add-on, click Advanced. After you review the information and click Continue, the standard Windows Error Reporting window opens.
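The attribution logic described above, as an added example that is not Microsoft's implementation: it locates the module whose address range contains the EIP and then applies the system-DLL and add-on COM server conditions. The module list, the add-on name, the system-directory test and the path-to-add-on map are constructed assumptions.

```python
from bisect import bisect_right
from collections import namedtuple

Module = namedtuple("Module", "base size path")

# Constructed crash snapshot: modules loaded in one Iexplore.exe process.
MODULES = [
    Module(0x00400000, 0x00019000, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Module(0x10000000, 0x00042000, r"C:\Program Files\ExampleBar\examplebar.dll"),
    Module(0x77E40000, 0x00102000, r"C:\WINDOWS\system32\kernel32.dll"),
]
# Assumption: DLL path -> add-on it is the COM server for (hypothetical add-on).
ADDON_SERVERS = {r"c:\program files\examplebar\examplebar.dll": "Example Toolbar"}
# Assumption: a DLL counts as a system DLL when it lives in this directory.
SYSTEM_DIR = "c:\\windows\\system32\\"

def module_at(modules, eip):
    """Return the module whose [base, base + size) range contains eip, or None."""
    ordered = sorted(modules)  # namedtuples sort by base address first
    i = bisect_right([m.base for m in ordered], eip) - 1
    if i < 0:
        return None  # eip lies below the lowest module
    m = ordered[i]
    return m if eip < m.base + m.size else None

def blame_addon(modules, eip):
    """Apply the three conditions from the text; return an add-on name or None."""
    m = module_at(modules, eip)
    if m is None:
        return None  # EIP is outside every loaded module
    path = m.path.lower()
    if path.startswith(SYSTEM_DIR):
        return None  # system DLL: the add-on dialog is not shown
    return ADDON_SERVERS.get(path)  # None when the DLL is not an add-on COM server
```

A crash whose EIP falls in a system DLL or outside every module returns None here, which corresponds to the case where only the standard Windows Error Reporting window appears.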

Why is this change important? What threats does it help mitigate?

For this information, see "Internet Explorer Add-on Management for Users," earlier in this subject.

What works differently?

Since this feature only runs when Internet Explorer stops operating, there should be no changes to normal operation.

What settings are added or changed in Windows Server 2003 Service Pack 1?

Internet Explorer Add-on Management and Crash Detection Settings

Setting name: Disable Crash Detection

Location: HKCU {or HKLM}\Software\Policies\Microsoft\Internet Explorer\Restrictions

Name: NoCrashDetection

Type: DWORD

Default value: 0

Possible values:

  • 0 - Off

  • 1 - On

Setting name: Deny all add-ons unless specifically allowed in the Add-on List

Location: HKCU {or HKLM}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\

Name: RestrictToList

Type: DWORD

Default value: 0

Possible values:

  • 0 - Off

  • 1 - On

Setting name: Add-on List

Location: HKCU {or HKLM}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID

Name: GUID of the control

Type: REG_SZ

Default value: Not available

Possible values:

  • 0 - Add-on is disabled and cannot be managed by the end user.

  • 1 - Add-on is allowed and cannot be managed by the end user.

  • 2 - Add-on is allowed and CAN be managed by the end user.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

Your code does not need to change to work with Internet Explorer Add-on Crash Detection or Add-on Management.