Geoff Chappell - Software Analyst
Determines if protected mode would be enabled if the current process were a browser process.
BOOL IsProtectedModeEnabledForIE (VOID);
The function returns TRUE or FALSE according to whether protected mode is or is not enabled.
This function’s question is evaluated just the once. If the function has been called before, it returns whatever it knows from the first execution.
If not running on Windows Vista or higher, then protected mode is not available and the function returns FALSE.
Version 8.0 allows protected mode to be disabled in the registry, through the following value in any of four keys listed below in order of decreasing precedence:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Low Rights
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights
If this value has non-zero data, then protected mode is not enabled and the function returns FALSE.
Version 8.0 also provides for executing Internet Explorer in a single-process environment whose details are presently beyond the scope of this note. In this environment, protected mode is not enabled and the function returns FALSE.
If User Account Control is enabled (see IEStubIsLuaEnabled), then protected mode is generally enabled, but is disabled for elevated processes (see IsElevatedProcess).
Without User Account Control, protected mode is generally disabled, but can be enabled through the registry if the current process executes for the built-in administrator:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights
If the data is exactly 1, then protected mode is enabled. (The value’s name appears to mean Least-Privilege User Account Off but Low Rights Internet Explorer On.) To the function, a user is the built-in administrator if the corresponding SID’s last subauthority is DOMAIN_USER_RID_ADMIN, as for S-1-5-32-500.
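The checks described above, collected into one decision function as an added model for auditing a host's configuration (it is not code from this page or from IERTUTIL). The struct and function names are hypothetical, the two registry values appear only as their data because their names are not given here, the order of checks follows the order of description (an assumption), and the once-only caching is left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOMAIN_USER_RID_ADMIN 500UL   /* 0x1F4, as defined in winnt.h */

/* Hypothetical snapshot of the inputs the documented function consults. */
struct pm_inputs {
    bool vista_or_higher;
    bool has_disable_value;      /* found in the highest-precedence key that has it */
    unsigned long disable_data;  /* its data (value name not given on the page) */
    bool single_process;         /* version 8.0 single-process environment */
    bool lua_enabled;            /* what IEStubIsLuaEnabled reports */
    bool elevated;               /* what IsElevatedProcess reports */
    const char *user_sid;        /* string SID of the current user */
    bool has_enable_value;       /* HKLM ...\Low Rights value (name not given) */
    unsigned long enable_data;
};

/* Extract the last subauthority of a string SID; false if there is none. */
static bool last_subauthority(const char *sid, unsigned long *rid)
{
    const char *dash;
    char *end;
    if (sid == NULL || strncmp(sid, "S-1-", 4) != 0) return false;
    dash = strrchr(sid, '-');
    /* The dash at index 3 precedes the identifier authority, not a subauthority. */
    if (dash <= sid + 3 || !isdigit((unsigned char)dash[1])) return false;
    *rid = strtoul(dash + 1, &end, 10);
    return *end == '\0';
}

bool protected_mode_for_ie(const struct pm_inputs *in)
{
    unsigned long rid;
    if (!in->vista_or_higher) return false;
    if (in->has_disable_value && in->disable_data != 0) return false;
    if (in->single_process) return false;
    if (in->lua_enabled) return !in->elevated;
    /* No UAC: only the built-in administrator can opt in, with data exactly 1. */
    if (!last_subauthority(in->user_sid, &rid) || rid != DOMAIN_USER_RID_ADMIN) return false;
    return in->has_enable_value && in->enable_data == 1;
}

int main(void) {  /* constructed input: no UAC, SID ending in RID 500, data 1 */
    struct pm_inputs in = { .vista_or_higher = true, .user_sid = "S-1-5-21-1111-2222-3333-500", .has_enable_value = true, .enable_data = 1 };
    printf("protected mode: %s\n", protected_mode_for_ie(&in) ? "enabled" : "disabled");
    return 0; }
```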
The IsProtectedModeEnabledForIE function is exported from IERTUTIL as ordinal 43 in version 7.0 and higher.
Contrast this function with IsProtectedModeEnabled, which tests first that the current process actually is a browser process.