Monthly Archives: October 2009

Viewing the Compatibility View list from within Internet Explorer 8.0.

Paste the following into the IE address bar and press Enter: res://iecompat.dll/iecompatdata.xml

iecompatdata.xml is a resource object embedded inside iecompat.dll. Unless you program you may not know what this means, which is okay. The takeaway is that iecompatdata.xml is not a physical file on the hard disk; it is stored inside iecompat.dll, and the res:// protocol tells IE to load it from there.

If you are not familiar with the new Compatibility View list feature, the following is a good starting point. To have your site added or removed, or to dispute the addition or removal of a site, review the end of the following article on how to properly contact Microsoft.

Understanding the Compatibility View List

http://msdn.microsoft.com/en-us/library/dd567845(VS.85).aspx

Summary from the above article:

By default, Internet Explorer 8 displays standards-based Web sites as closely to industry standards as possible. Certain Web sites do not display properly when viewed in Internet Explorer 8 Standards mode. To try to display such sites correctly, users can enable Compatibility View.

There are three ways to enable Compatibility View.

  • Clicking the Compatibility View button in the Address bar. When displayed, this button appears to the left of the Refresh button and contains an image of a broken piece of paper. This enables Compatibility mode for all documents in the domain of the Web site being viewed.
  • Enabling the "Display all websites in Compatibility Mode" setting in the Compatibility View Settings.
  • Enabling the Compatibility View List, which defines a list of Web sites that are automatically displayed in Compatibility View.

This article describes the Compatibility View List, also known as the Compatibility List. It explains how the Compatibility View List was created, how to determine if your site is in the list, and how to have your site removed from the list.

For the user, Microsoft provides the Compatibility View icon, circled in red in the screenshot below.

Compatibility View icon

Sites on the Compatibility View list, sites you have added to the list yourself, and sites that send the special X-UA-Compatible emulation header will not show the icon.

There are two ways to set the X-UA-Compatible directive.

The first is a META tag in the <HEAD> section of the page:

<META HTTP-EQUIV="X-UA-COMPATIBLE" CONTENT="IE=EmulateIE7">

The second is an HTTP response header sent by the web server:

X-UA-Compatible: IE=EmulateIE7

The following list outlines the supported values that can be applied.

IE=8 – Web page supports IE8 mode, which is also called "IE8 standards mode."

IE=7 – Web page supports IE7 mode, which is also called "IE7 standards mode."

IE=5 – Web page supports IE5 mode, which is also called "quirks mode."

IE=EmulateIE8 – If the Web page specifies a standards-based DOCTYPE directive, the page supports IE8 mode; otherwise, it supports IE5 mode ("quirks mode").

IE=EmulateIE7 – If the Web page specifies a standards-based DOCTYPE directive, the page supports IE7 mode; otherwise, it supports IE5 mode ("quirks mode").

IE=Edge – Web page supports the highest mode available to the version of Internet Explorer used to display the page. This option is generally intended for testing purposes.
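
To make the value list above concrete, here is an added example (Python; it is not Microsoft's code and not from this blog) that takes a captured HTTP response and reports the document mode IE8 would pick from the X-UA-Compatible directive and the DOCTYPE. The example makes a few assumptions that the article above does not settle: any "<!DOCTYPE html ...>" counts as a standards DOCTYPE, the HTTP header is consulted before the META tag when both are present, a missing directive behaves like IE=EmulateIE8, and IE=Edge is resolved against a caller-supplied browser version. The Compatibility View list and the user's Compatibility View button are ignored. The sample responses are constructed, not real captures.

```python
import re

# Added example (not Microsoft's or this blog's code): given a captured HTTP
# response, report the document mode IE8 would select from the X-UA-Compatible
# values listed above. Assumptions: any "<!DOCTYPE html ...>" counts as a
# standards DOCTYPE, the HTTP header is consulted before the META tag, and the
# Compatibility View list / button are ignored.

DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+html\b", re.IGNORECASE)
META_RE = re.compile(
    r"<meta\s+[^>]*http-equiv\s*=\s*[\"']?x-ua-compatible[\"']?[^>]*"
    r"content\s*=\s*[\"']([^\"'>]+)",
    re.IGNORECASE,
)
QUIRKS = "IE5 (quirks)"


def split_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def find_directive(headers, body):
    """Return the X-UA-Compatible value from the header, else the META tag, else None."""
    if "x-ua-compatible" in headers:
        return headers["x-ua-compatible"]
    m = META_RE.search(body)
    return m.group(1).strip() if m else None


def has_standards_doctype(body):
    """Assumption: a leading <!DOCTYPE html ...> is what triggers standards mode."""
    return DOCTYPE_RE.search(body.lstrip()[:256]) is not None


def resolve_mode(directive, standards_doctype, browser_version=8):
    """Map a directive (or None) plus DOCTYPE presence to the document mode name."""
    if directive is None:
        # No directive: behaves like IE=EmulateIE8 on IE8 (assumption of this example).
        return "IE8 standards" if standards_doctype else QUIRKS
    token = directive.upper().replace(" ", "")
    if not token.startswith("IE="):
        raise ValueError("unrecognised X-UA-Compatible value: %r" % directive)
    token = token[3:]
    if token == "EDGE":                            # highest mode the browser has
        return "IE%d standards" % browser_version
    if token.startswith("EMULATEIE") and token[9:] in ("7", "8"):
        return ("IE%s standards" % token[9:]) if standards_doctype else QUIRKS
    if token == "5":
        return QUIRKS
    if token in ("7", "8"):                        # forced regardless of DOCTYPE
        return "IE%s standards" % token
    raise ValueError("unrecognised X-UA-Compatible value: %r" % directive)


def document_mode(raw_response, browser_version=8):
    headers, body = split_response(raw_response)
    return resolve_mode(find_directive(headers, body), has_standards_doctype(body), browser_version)


# Constructed sample responses (not real captures).
SAMPLE_HEADER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-UA-Compatible: IE=EmulateIE7\r\n\r\n"
    "<!DOCTYPE html><html><head><title>t</title></head><body></body></html>"
)
SAMPLE_META = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<!DOCTYPE html><html><head><META HTTP-EQUIV="X-UA-COMPATIBLE" CONTENT="IE=Edge"></head></html>'
)
SAMPLE_QUIRKS = (
    "HTTP/1.1 200 OK\r\nX-UA-Compatible: IE=EmulateIE7\r\n\r\n"
    "<html><body>no doctype here</body></html>"
)

if __name__ == "__main__":
    for name, sample in (("header", SAMPLE_HEADER), ("meta", SAMPLE_META), ("quirks", SAMPLE_QUIRKS)):
        print(name, "->", document_mode(sample))
```

The interesting case is the third sample: the server asks for IE=EmulateIE7, but because the page has no standards DOCTYPE the browser drops all the way to quirks mode, which is exactly the difference between IE=7 and IE=EmulateIE7 in the list above.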

There is a nice write-up about compatibility at the following:

Internet Explorer Compatibility

http://msdn.microsoft.com/en-us/ie/cc405106.aspx

99% of the time, starting IE is just a click of the mouse, but iexplore.exe also accepts the following command-line switches:

iexplore.exe -embedding -extoff -framemerging -k -noframemerging -private URL

-embedding Used to start Internet Explorer via OLE Embedding.

-extoff Internet Explorer 7 and later. Starts Internet Explorer in No Add-ons mode, which can be used to troubleshoot problems with browser add-ons.

-framemerging Internet Explorer 8 and later. Allows Internet Explorer to opportunistically merge new frame processes into existing frame processes.

-k Starts Internet Explorer in kiosk mode; the browser is opened in a maximized window that does not display the address bar, the navigation buttons, or the status bar.

-noframemerging Internet Explorer 8 and later. Prevents Internet Explorer from opportunistically merging new frame processes into existing frame processes.

-private Internet Explorer 8 and later. Starts Internet Explorer with InPrivate Browsing set to active.

URL After starting, Internet Explorer navigates to the page or resource specified as the URL.

Web Browser Control
http://msdn.microsoft.com/en-au/library/aa752040(VS.85).aspx

Troubleshooting Internet Explorer Add-ons
http://blogs.msdn.com/ie/archive/2006/07/25/678113.aspx

Internet Explorer 8 and Reliability
http://blogs.msdn.com/ie/archive/2008/07/28/ie8-and-reliability.aspx

InPrivate Browsing: Frequently Asked Questions
http://blogs.msdn.com/ie/archive/2006/07/25/678113.aspx

Options that are no longer valid starting with IE8:

-channelband -e -eval -nomerge -new -nowait -remote -v -version

Two interesting options are -framemerging and -noframemerging. We will try to find real-world examples that show the pluses and minuses of these options and update the post.

I know this is IE 6, and who cares about IE 6, right? Well, lots of corporations still use IE 6 for their day-to-day business activities. So here it is...

Environment

Internet Explorer 6 on Windows XP (SP2 or SP3), with a .pac file used to configure the proxy settings, and users accessing websites that require them to supply Kerberos credentials.

Results

Users see the informative error message “HTTP Error 401 – Unauthorized: Access is denied due to invalid credentials.” At this point your phone lights up like a Christmas tree.

Reason

Bug resolved with http://support.microsoft.com/kb/921400

This is great: I just blogged about something Microsoft fixed back in 2006. But I promise I am not wasting your time. Here is why: after you install this fix, or a much later version of wininet.dll from the Microsoft QFE branch, you must add the following registry key to actually turn the fix on.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
Value Name: iexplore.exe
Data Type: REG_DWORD
Value: 1

NOTE: you will need to create the key named FEATURE_AUTOPROXY_CACHE_ANAME_KB921400 before you can add the process value under it.

NOTE 2: If a process other than iexplore.exe needs this fix, add that process name as a value under the same key.

NOTE 3: If you want the fix on for all processes, use an asterisk (*) in place of the process name.

OK, that's it for IE 6 today. By the way, this does not apply to IE 7 or IE 8; it seems they fixed the glitch there.

I felt this was important to re-document and see if we can expand on it. Please see the pingback to where most of this content came from; the author does a great job and deserves the credit. I am going to work to expand this information where possible, so think of this post as a living post subject to updates :-)

Pingback: http://www.innovation.ch/personal/ronald/ntlm.html

Introduction

This is an attempt at documenting the undocumented NTLM authentication scheme used by M$’s browsers, proxies, and servers (MSIE and IIS); this scheme is also sometimes referred to as the NT challenge/response (NTCR) scheme. Most of the info here is derived from three sources (see also the Resources section at the end of this document): Paul Ashton’s work on the NTLM security holes, the encryption documentation from Samba, and network snooping. Since most of this info is reverse-engineered it is bound to contain errors; however, at least one client and one server have been implemented according to this data and work successfully in conjunction with M$’s browsers, proxies and servers.

Note that this scheme is not as secure as Digest and some other schemes; it is slightly better than the Basic authentication scheme, however.

Also note that this scheme is not an http authentication scheme – it’s a connection authentication scheme which happens to (mis-)use http status codes and headers (and even those incorrectly).

NTLM Handshake

When a client needs to authenticate itself to a proxy or server using the NTLM scheme then the following 4-way handshake takes place (only parts of the request and status line and the relevant headers are shown here; "C" is the client, "S" the server):

    1: C  --> S   GET ...
    
    2: C <--  S   401 Unauthorized
                  WWW-Authenticate: NTLM
    
    3: C  --> S   GET ...
                  Authorization: NTLM <base64-encoded type-1-message>
    
    4: C <--  S   401 Unauthorized
                  WWW-Authenticate: NTLM <base64-encoded type-2-message>
    
    5: C  --> S   GET ...
                  Authorization: NTLM <base64-encoded type-3-message>
    
    6: C <--  S   200 Ok

Messages

The three messages sent in the handshake are binary structures. Each one is described below as a pseudo-C struct and in a memory layout diagram. byte is an 8-bit field; short is a 16-bit field. All fields are unsigned. Numbers are stored in little-endian order. Struct fields named zero contain all zeroes. An array length of "*" indicates a variable length field. Hexadecimal numbers and quoted characters in the comments of the struct indicate fixed values for the given field.

The field flags is presumed to contain flags, but their significance is unknown; the values given are just those found in the packet traces.

Type-1 Message

This message contains the host name and the NT domain name of the client.

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x01
        byte    zero[3];
        short   flags;           // 0xb203
        byte    zero[2];

        short   dom_len;         // domain string length
        short   dom_len;         // domain string length
        short   dom_off;         // domain string offset
        byte    zero[2];

        short   host_len;        // host string length
        short   host_len;        // host string length
        short   host_off;        // host string offset (always 0x20)
        byte    zero[2];

        byte    host[*];         // host string (ASCII)
        byte    dom[*];          // domain string (ASCII)
    } type-1-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   1   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  | 0x03  | 0xb2  |   0   |   0   |
             +-------+-------+-------+-------+
        16:  | domain length | domain length |
             +-------+-------+-------+-------+
        20:  | domain offset |   0   |   0   |
             +-------+-------+-------+-------+
        24:  |  host length  |  host length  |
             +-------+-------+-------+-------+
        28:  |  host offset  |   0   |   0   |
             +-------+-------+-------+-------+
        32:  |  host string                  |
             +                               +
             .                               .
             .                               .
             +             +-----------------+
             |             | domain string   |
             +-------------+                 +
             .                               .
             .                               .
             +-------+-------+-------+-------+

The host and domain strings are ASCII (or possibly ISO-8859-1), are uppercased, and are not nul-terminated. The host name is only the host name, not the FQDN (e.g. just "GOOFY", not "GOOFY.DISNEY.COM"). The offsets refer to the offset of the specific field within the message, and the lengths are the length of specified field. For example, in the above message host_off = 32 and dom_off = host_off + host_len. Note that the lengths are included twice (for some unfathomable reason).

Type-2 Message

This message contains the server’s NTLM challenge.

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x02
        byte    zero[7];
        short   msg_len;         // 0x28
        byte    zero[2];
        short   flags;           // 0x8201
        byte    zero[2];

        byte    nonce[8];        // nonce
        byte    zero[8];
    } type-2-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   2   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        16:  |  message len  |   0   |   0   |
             +-------+-------+-------+-------+
        20:  | 0x01  | 0x82  |   0   |   0   |
             +-------+-------+-------+-------+
        24:  |                               |
             +          server nonce         |
        28:  |                               |
             +-------+-------+-------+-------+
        32:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        36:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+

The nonce is used by the client to create the LanManager and NT responses (see Password Hashes). It is an array of 8 arbitrary bytes. The message length field contains the length of the complete message, which in this case is always 40.

Type-3 Message

This message contains the username, host name, NT domain name, and the two "responses".

    struct {
        byte    protocol[8];     // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
        byte    type;            // 0x03
        byte    zero[3];

        short   lm_resp_len;     // LanManager response length (always 0x18)
        short   lm_resp_len;     // LanManager response length (always 0x18)
        short   lm_resp_off;     // LanManager response offset
        byte    zero[2];

        short   nt_resp_len;     // NT response length (always 0x18)
        short   nt_resp_len;     // NT response length (always 0x18)
        short   nt_resp_off;     // NT response offset
        byte    zero[2];

        short   dom_len;         // domain string length
        short   dom_len;         // domain string length
        short   dom_off;         // domain string offset (always 0x40)
        byte    zero[2];

        short   user_len;        // username string length
        short   user_len;        // username string length
        short   user_off;        // username string offset
        byte    zero[2];

        short   host_len;        // host string length
        short   host_len;        // host string length
        short   host_off;        // host string offset
        byte    zero[6];

        short   msg_len;         // message length
        byte    zero[2];

        short   flags;           // 0x8201
        byte    zero[2];

        byte    dom[*];          // domain string (unicode UTF-16LE)
        byte    user[*];         // username string (unicode UTF-16LE)
        byte    host[*];         // host string (unicode UTF-16LE)
        byte    lm_resp[*];      // LanManager response
        byte    nt_resp[*];      // NT response
    } type-3-message
                 0       1       2       3
             +-------+-------+-------+-------+
         0:  |  'N'  |  'T'  |  'L'  |  'M'  |
             +-------+-------+-------+-------+
         4:  |  'S'  |  'S'  |  'P'  |   0   |
             +-------+-------+-------+-------+
         8:  |   3   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        12:  |  LM-resp len  |  LM-Resp len  |
             +-------+-------+-------+-------+
        16:  |  LM-resp off  |   0   |   0   |
             +-------+-------+-------+-------+
        20:  |  NT-resp len  |  NT-Resp len  |
             +-------+-------+-------+-------+
        24:  |  NT-resp off  |   0   |   0   |
             +-------+-------+-------+-------+
        28:  | domain length | domain length |
             +-------+-------+-------+-------+
        32:  | domain offset |   0   |   0   |
             +-------+-------+-------+-------+
        36:  |  user length  |  user length  |
             +-------+-------+-------+-------+
        40:  |  user offset  |   0   |   0   |
             +-------+-------+-------+-------+
        44:  |  host length  |  host length  |
             +-------+-------+-------+-------+
        48:  |  host offset  |   0   |   0   |
             +-------+-------+-------+-------+
        52:  |   0   |   0   |   0   |   0   |
             +-------+-------+-------+-------+
        56:  |  message len  |   0   |   0   |
             +-------+-------+-------+-------+
        60:  | 0x01  | 0x82  |   0   |   0   |
             +-------+-------+-------+-------+
        64:  | domain string                 |
             +                               +
             .                               .
             .                               .
             +           +-------------------+
             |           | user string       |
             +-----------+                   +
             .                               .
             .                               .
             +                 +-------------+
             |                 | host string |
             +-----------------+             +
             .                               .
             .                               .
             +   +---------------------------+
             |   | LanManager-response       |
             +---+                           +
             .                               .
             .                               .
             +            +------------------+
             |            | NT-response      |
             +------------+                  +
             .                               .
             .                               .
             +-------+-------+-------+-------+

The host, domain, and username strings are in Unicode (UTF-16, little-endian) and are not nul-terminated; the host and domain names are in upper case. The lengths of the response strings are 24.

Password Hashes

To calculate the two response strings two password hashes are used: the LanManager password hash and the NT password hash. These are described in detail at the beginning of the Samba ENCRYPTION.html document. However, a few things are not clear (such as what the magic constant for the LanManager hash is), so here is some almost-C code which calculates the two responses. Inputs are passw and nonce, the results are in lm_resp and nt_resp.

    /*
     * Uses the legacy OpenSSL des_* API (des_key_schedule, des_ecb_encrypt,
     * des_set_key, des_set_odd_parity) and the RSA reference MD4 API
     * (MD4Init/MD4Update/MD4Final); also needs <string.h> and <ctype.h>.
     */

    /* setup LanManager password: upper-case, truncate/zero-pad to 14 bytes */

    char  lm_pw[14];
    int   idx;
    int   len = strlen(passw);
    if (len > 14)  len = 14;

    for (idx=0; idx<len; idx++)
        lm_pw[idx] = toupper(passw[idx]);
    for (; idx<14; idx++)
        lm_pw[idx] = 0;


    /* create LanManager hashed password: DES-encrypt the magic constant
     * "KGS!@#$%" with each 7-byte half of lm_pw as the key */

    unsigned char magic[] = { 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
    unsigned char lm_hpw[21];
    des_key_schedule ks;

    setup_des_key((unsigned char *) lm_pw, ks);
    des_ecb_encrypt((des_cblock*) magic, (des_cblock*) lm_hpw, ks, DES_ENCRYPT);

    setup_des_key((unsigned char *) lm_pw + 7, ks);
    des_ecb_encrypt((des_cblock*) magic, (des_cblock*) (lm_hpw+8), ks, DES_ENCRYPT);

    memset(lm_hpw+16, 0, 5);        /* zero-pad the 16-byte hash to 21 bytes */


    /* create NT hashed password: MD4 over the password as UTF-16LE; the
     * full (untruncated) password is used, and this simple loop only
     * handles ASCII characters */

    len = strlen(passw);
    char  nt_pw[2*len];
    for (idx=0; idx<len; idx++)
    {
        nt_pw[2*idx]   = passw[idx];
        nt_pw[2*idx+1] = 0;
    }

    unsigned char nt_hpw[21];
    MD4_CTX context;
    MD4Init(&context);
    MD4Update(&context, (unsigned char *) nt_pw, 2*len);
    MD4Final(nt_hpw, &context);

    memset(nt_hpw+16, 0, 5);        /* zero-pad to 21 bytes as well */


    /* create responses: each 21-byte hash is split into three DES keys
     * that encrypt the 8-byte server nonce (see calc_resp below) */

    unsigned char lm_resp[24], nt_resp[24];
    calc_resp(lm_hpw, nonce, lm_resp);
    calc_resp(nt_hpw, nonce, nt_resp);

Helpers:

    /*
     * takes a 21 byte array and treats it as 3 56-bit DES keys. The
     * 8 byte plaintext is encrypted with each key and the resulting 24
     * bytes are stored in the results array.
     */
    void calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
    {
        des_key_schedule ks;

        setup_des_key(keys, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) results, ks, DES_ENCRYPT);

        setup_des_key(keys+7, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+8), ks, DES_ENCRYPT);

        setup_des_key(keys+14, ks);
        des_ecb_encrypt((des_cblock*) plaintext, (des_cblock*) (results+16), ks, DES_ENCRYPT);
    }


    /*
     * turns a 56 bit key into the 64 bit, odd parity key and sets the key.
     * The key schedule ks is also set.
     */
    void setup_des_key(unsigned char key_56[], des_key_schedule ks)
    {
        des_cblock key;

        key[0] = key_56[0];
        key[1] = ((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1);
        key[2] = ((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2);
        key[3] = ((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3);
        key[4] = ((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4);
        key[5] = ((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5);
        key[6] = ((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6);
        key[7] =  (key_56[6] << 1) & 0xFF;

        des_set_odd_parity(&key);
        des_set_key(&key, ks);
    }

Keeping the connection alive

As mentioned above, this scheme authenticates connections, not requests. This manifests itself in that the network connection must be kept alive during the second part of the handshake, i.e. between the receiving of the type-2 message from the server (step 4) and the sending of the type-3 message (step 5). Each time the connection is closed this second part (steps 3 through 6) must be repeated over the new connection (i.e. it’s not enough to just keep sending the last type-3 message). Also, once the connection is authenticated, the Authorization header need not be sent anymore while the connection stays open, no matter what resource is accessed.

For implementations wishing to work with M$’s software this means that they must make sure they use either HTTP/1.0 keep-alive’s or HTTP/1.1 persistent connections, and that they must be prepared to do the second part of the handshake each time the connection was closed and is reopened. Server implementations must also make sure that HTTP/1.0 responses contain a Content-length header (as otherwise the connection must be closed after the response), and that HTTP/1.1 responses either contain a Content-length header or use the chunked transfer encoding.

Example

Here is an actual example of all the messages. Assume the host name is "LightCity", the NT domain name is "Ursa-Minor", the username is "Zaphod", the password is "Beeblebrox", and the server sends the nonce "SrvNonce". Then the handshake is:

    C -> S   GET ...
    
    S -> C   401 Unauthorized
             WWW-Authenticate: NTLM
    
    C -> S   GET ...
             Authorization: NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S
    
    S -> C   401 Unauthorized
             WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA==
    
    C -> S   GET ...
             Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkArYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT
    
    S -> C   200 Ok

and the unencoded messages are:

Type-1 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 01 00 00 00 03 b2 00 00  "NTLMSSP........."
  10:  0a 00 0a 00 29 00 00 00 09 00 09 00 20 00 00 00  "....)....... ..."
  20:  4c 49 47 48 54 43 49 54 59 55 52 53 41 2d 4d 49  "LIGHTCITYURSA-MI"
  30:  4e 4f 52                                         "NOR"

Type-2 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 02 00 00 00 00 00 00 00  "NTLMSSP........."
  10:  28 00 00 00 01 82 00 00 53 72 76 4e 6f 6e 63 65  "(.......SrvNonce"
  20:  00 00 00 00 00 00 00 00                          "........"

Type-3 Message:

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
   0:  4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00  "NTLMSSP........."
  10:  72 00 00 00 18 00 18 00 8a 00 00 00 14 00 14 00  "r..............."
  20:  40 00 00 00 0c 00 0c 00 54 00 00 00 12 00 12 00  "@.......T......."
  30:  60 00 00 00 00 00 00 00 a2 00 00 00 01 82 00 00  "`..............."
  40:  55 00 52 00 53 00 41 00 2d 00 4d 00 49 00 4e 00  "U.R.S.A.-.M.I.N."
  50:  4f 00 52 00 5a 00 61 00 70 00 68 00 6f 00 64 00  "O.R.Z.a.p.h.o.d."
  60:  4c 00 49 00 47 00 48 00 54 00 43 00 49 00 54 00  "L.I.G.H.T.C.I.T."
  70:  59 00 ad 87 ca 6d ef e3 46 85 b9 c4 3c 47 7a 8c  "Y....m..F...<Gz."
  80:  42 d6 00 66 7d 68 92 e7 e8 97 e0 e0 0d e3 10 4a  "B..f}h.........J"
  90:  1b f2 05 3f 07 c7 dd a8 2d 3c 48 9a e9 89 e1 b0  "...?....-<H....."
  a0:  00 d3                                            ".."

For reference, the intermediate hashed passwords are:

lm_hpw (LanManager hashed password):
91 90 16 f6 4e c7 b0 0b a2 35 02 8c a5 0c 7a 03 00 00 00 00 00
nt_hpw (NT hashed password):
8c 1b 59 e3 2e 66 6d ad f1 75 74 5f ad 62 c1 33 00 00 00 00 00
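
As an added example (it is not part of the original innovation.ch document or of this blog), here is a Python parser for the three message layouts described above, run against the captured Zaphod/Ursa-Minor exchange. It implements only the reverse-engineered layout shown on this page (the three fixed structs, no extra blocks), checks that the duplicated length fields agree and that the message-length field matches, and refuses to slice any (length, offset) pair that points outside the message, which is the check a practitioner wants before trusting an offset table supplied by the other side. The handshake headers are the ones shown in the example; nothing else is assumed.

```python
import base64
import struct

# Added example (not from the original NTLM write-up): parse the type-1/2/3
# messages exactly as the struct layouts above describe them. All shorts are
# little-endian; 'x' entries are the zero padding bytes.

SIGNATURE = b"NTLMSSP\0"


def _unpack_prefix(fmt, data):
    """Unpack the fixed-size header described by fmt, refusing truncated input."""
    size = struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError("message truncated: need %d bytes, have %d" % (size, len(data)))
    return struct.unpack(fmt, data[:size])


def _field(data, length, offset, name):
    """Return the bytes a (length, offset) pair points at, never reading past the end."""
    if offset + length > len(data):
        raise ValueError("%s field runs past the end of the message" % name)
    return data[offset:offset + length]


def parse_type1(raw):
    (sig, mtype, flags,
     dom_len, dom_len2, dom_off,
     host_len, host_len2, host_off) = _unpack_prefix("<8sB3xH2xHHH2xHHH2x", raw)
    if sig != SIGNATURE or mtype != 1:
        raise ValueError("not a type-1 message")
    if dom_len != dom_len2 or host_len != host_len2:
        raise ValueError("duplicated length fields disagree")
    return {"flags": flags,
            "host": _field(raw, host_len, host_off, "host").decode("ascii"),
            "domain": _field(raw, dom_len, dom_off, "domain").decode("ascii")}


def parse_type2(raw):
    sig, mtype, msg_len, flags, nonce = _unpack_prefix("<8sB7xH2xH2x8s8x", raw)
    if sig != SIGNATURE or mtype != 2:
        raise ValueError("not a type-2 message")
    if msg_len != len(raw):
        raise ValueError("message length field %d != actual %d" % (msg_len, len(raw)))
    return {"flags": flags, "nonce": nonce}


def parse_type3(raw):
    fields = _unpack_prefix("<8sB3xHHH2xHHH2xHHH2xHHH2xHHH6xH2xH2x", raw)
    sig, mtype = fields[0], fields[1]
    if sig != SIGNATURE or mtype != 3:
        raise ValueError("not a type-3 message")
    (lm_len, lm_len2, lm_off, nt_len, nt_len2, nt_off,
     dom_len, dom_len2, dom_off, user_len, user_len2, user_off,
     host_len, host_len2, host_off, msg_len, flags) = fields[2:]
    for a, b in ((lm_len, lm_len2), (nt_len, nt_len2), (dom_len, dom_len2),
                 (user_len, user_len2), (host_len, host_len2)):
        if a != b:
            raise ValueError("duplicated length fields disagree")
    if msg_len != len(raw):
        raise ValueError("message length field %d != actual %d" % (msg_len, len(raw)))
    if lm_len != 24 or nt_len != 24:
        raise ValueError("LM/NT responses must be 24 bytes each")
    return {"flags": flags,
            "domain": _field(raw, dom_len, dom_off, "domain").decode("utf-16-le"),
            "user": _field(raw, user_len, user_off, "user").decode("utf-16-le"),
            "host": _field(raw, host_len, host_off, "host").decode("utf-16-le"),
            "lm_resp": _field(raw, lm_len, lm_off, "lm_resp"),
            "nt_resp": _field(raw, nt_len, nt_off, "nt_resp")}


def parse_ntlm_header(value):
    """Parse the value of an Authorization / WWW-Authenticate header carrying a message."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme != "NTLM" or not b64:
        raise ValueError("not an NTLM header carrying a message")
    raw = base64.b64decode(b64)
    parsers = {1: parse_type1, 2: parse_type2, 3: parse_type3}
    if len(raw) < 9 or raw[:8] != SIGNATURE or raw[8] not in parsers:
        raise ValueError("not an NTLMSSP type 1/2/3 message")
    return parsers[raw[8]](raw)


def is_well_formed(value):
    try:
        parse_ntlm_header(value)
        return True
    except ValueError:
        return False


# The three header values from the example exchange above.
TYPE1 = "NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"
TYPE2 = "NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA=="
TYPE3 = ("NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACi"
         "AAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkA"
         "rYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT")

if __name__ == "__main__":
    for hdr in (TYPE1, TYPE2, TYPE3):
        print(parse_ntlm_header(hdr))
```

Running it reproduces the values in the hex dumps above: host LIGHTCITY and domain URSA-MINOR from the type-1, the 8-byte nonce "SrvNonce" from the type-2, and user Zaphod plus the two 24-byte responses from the type-3. Cutting the type-3 message short makes the parser reject it instead of indexing past the buffer.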

Resources

* LM authentication in SMB/CIFS
http://www.ubiqx.org/cifs/SMB.html#SMB.8.3
* A document on cracking NTLMv2 authentication
http://www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt
* Squid's NTLM authentication project
http://squid.sourceforge.net/ntlm/
* Encryption description for Samba
http://de.samba.org/samba/ftp/docs/htmldocs/ENCRYPTION.html
* Info on the MSIE security hole
http://oliver.efri.hr/~crv/security/bugs/NT/ie6.html
* FAQ: NT Cryptographic Password Attacks & Defences
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=17
* M$’s hotfix to disable the sending of the LanManager response
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lm-fix
* A description of M$’s hotfix
http://www.tryc.on.ca/archives/bugtraq/1997_3/0070.html

Acknowledgements

Special thanks to the following people who helped with the collection and debugging of the above information:

Okay, you got me.  You can’t actually run IE6 (or IE7) on Windows 7 like you can with IE8, but it’s virtually possible using Windows XP Mode.

First off, your computer needs to contain a CPU with the Intel® Virtualization Technology or AMD-V™ feature turned on.  Next, you need to download and install Windows Virtual PC and the Windows XP Mode Virtual Machine.

Note:  As of today, Microsoft has yet to make the release versions of these products available.  It will probably happen around the same time the release version of Windows 7 is available.

So far, all of the XP Mode documentation available states that an application must first be installed within the Windows XP Mode Virtual Machine before it can be launched as a Virtual Application under Windows 7, but luckily there is a quick way to work around this.

To allow IE to show up and run as a virtual application, you only need to add a shortcut for IE6 (just drag and drop it from the desktop) into the All Users Start Menu folder (C:\Documents and Settings\All Users\Start Menu\) inside the XP Mode VM. With the shortcut added, a new IE6 shortcut will show up on your Windows 7 All Programs menu under Windows Virtual PC -> Windows XP Mode Applications.

Now you can run IE8, as well as a down-level version of IE on Windows 7!

IE6 Windows XP Mode Virtual PC on Windows 7

We started to take apart some of the Windows XP Mode links and have uncovered some interesting items.

The following is for the shortcut labeled "Windows XP Mode":

%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\VMCPropertyHandler.dll,LaunchDefaultVM

We then took a look at the link that was created when we placed a shortcut for Internet Explorer in C:\Documents and Settings\All Users\Start Menu:

%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\VMCPropertyHandler.dll,LaunchVMSal "Windows XP Mode" "||14c0ece8" "Internet Explorer"

Now we just need to figure out how to duplicate the default XP Mode VM (which has IE6) and create another option backed by a copy of the XP Mode VM that runs Internet Explorer 7.0. Stay tuned; we think we have figured this out, but need to perfect the write-up.

The next section contains the tweaks. Of course, if you try this on your own, we at IE8Blog assume NO risk for errors you may experience, so be careful. We suspect the following is most likely unsupported, but what fun are computers if you do not tweak, mod, and take things apart?

As you can see from the screenshot, IE6 and IE7 are both running as XP Mode applications launched from the Windows 7 Start menu, while IE8 runs natively on Windows 7. Sure, there are two virtual machines running, and it would be nice to have a true side-by-side setup native on Windows 7, but this is what we have for now. If you are a web developer this is a huge leap forward, since the XP Mode VM is a free download. It is not only about rendering: you also get the network layer and the various features of each browser in a pure state.

For now the trick was to clone the VHD in C:\Users\<username>\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines\ which happens to be a differencing disk. The parent disk is located at C:\Program Files\Windows XP Mode\Windows XP Mode base.vhd.

1. Copied the differencing disk and renamed the copy to Windows XP Mode – IE7.VHD.

2. Cloned the shortcut link that we created for Internet Explorer and modified it to point at Windows XP Mode – IE7:

%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\VMCPropertyHandler.dll,LaunchVMSal "Windows XP Mode – IE7" "||14c0ece8" "Internet Explorer"

3. Cloned Windows XP Mode.vmcx to Windows XP Mode – IE7.vmcx and, in Notepad, changed every occurrence of Windows XP Mode to Windows XP Mode – IE7.

We are sure a step was left out somewhere, but you get the idea for now. We at IE8Blog will refine the cloning procedure as needed. But the proof of concept, launching IE7 as an application from the Windows 7 Start menu, works.

XP Mode with Internet Explorer 7 (IE7) and Internet Explorer 6 (IE6) 

We need to learn more about VMCPropertyHandler.dll. A quick search on the internet turns up a few items but the following provided some useful insight.

Windows 7 Virtual PC Management

Link Back: http://www.slickit.ca/2009/05/windows-7-virtual-pc-management.html

UPDATE 10/20/2009:

It appears there is a bug introduced with MS09-054, the latest Internet Explorer cumulative security update, released last Tuesday, October 13, 2009. From our review the situation appears to be isolated to VBScript, and only in very specific usage scenarios. Not sure about the rest of the world, but we at IE8Blog gave up on VBScript several years ago.

KB976749 You receive a VBScript "Type Mismatch" script error message in Internet Explorer after you install cumulative security update 974455

http://support.microsoft.com/kb/976749

A couple tests were run using the examples provided in the knowledge base article and it appears the issue involves MSHTML.DLL.

Hot off the security press Microsoft rev’s IE with the latest in security goodness.

Microsoft security updates for October 2009

http://www.microsoft.com/security/updates/bulletins/200910.aspx

Microsoft Security Bulletin MS09-054 – Critical

Cumulative Security Update for Internet Explorer (974455)

http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

MS09-054: Cumulative security update for Internet Explorer

http://support.microsoft.com/kb/974455

Affected Software

| Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update |
|---|---|---|---|---|
| **Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1** | | | | |
| Microsoft Windows 2000 Service Pack 4 | Microsoft Internet Explorer 5.01 Service Pack 4 | Remote Code Execution | Critical | MS09-034 |
| Microsoft Windows 2000 Service Pack 4 | Microsoft Internet Explorer 6 Service Pack 1 | Remote Code Execution | Critical | MS09-034 |
| **Internet Explorer 6** | | | | |
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Windows XP Professional x64 Edition Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 x64 Edition Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS09-034 |
| **Internet Explorer 7** | | | | |
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows XP Professional x64 Edition Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 x64 Edition Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 with SP2 for Itanium-based Systems | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2* | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2* | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-034 |
| **Internet Explorer 8** | | | | |
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows XP Professional x64 Edition Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2003 x64 Edition Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for 32-bit Systems* and Windows Server 2008 for 32-bit Systems Service Pack 2* | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows Server 2008 for x64-based Systems* and Windows Server 2008 for x64-based Systems Service Pack 2* | Windows Internet Explorer 8 | Remote Code Execution | Critical | MS09-034 |
| Windows 7 for 32-bit Systems | Windows Internet Explorer 8 | Remote Code Execution | Critical | None |
| Windows 7 for x64-based Systems | Windows Internet Explorer 8 | Remote Code Execution | Critical | None |
| Windows Server 2008 R2 for x64-based Systems* | Windows Internet Explorer 8 | Remote Code Execution | Critical | None |
| Windows Server 2008 R2 for Itanium-based Systems | Windows Internet Explorer 8 | Remote Code Execution | Critical | None |

 

By now it is common knowledge among those supporting SharePoint/MOSS servers whose clients run Internet Explorer 8.0 on Windows XP or on Windows 2003 Terminal Services that Explorer View does not work over SSL (HTTPS).

Microsoft produced a fix for this problem, but of course you cannot find anything publicly documenting the situation. Thanks to some of our corporate readers we found that one needs to request KB972584 by calling MSFT tech support. From what we can tell, the only reason this does not fail on Windows Vista, Windows 2008 and (we suspect) Windows 7 is the HTTPS support added to the Web Client service on those systems. This is a big enough problem that we hope MSFT ships the fix in one of the Internet Explorer Cumulative Security Updates soon.

There have also been comments about new windows opening in Explorer View while navigating to subfolders of the document library with the IE8 that ships with Windows 7. The rumor on the street is that this is by-design behavior and has something to do with the uncoupling of the browser from the OS shell, whatever that means. With older versions of the operating system one navigated Explorer View within the primary document library window. At this point details on this new (and most likely undesired) behavior are sketchy at best.

The new-window situation reminds us of the Internet Explorer 7.0 FTP issue, where you could not use the nice Explorer folder view within Internet Explorer and basically had to make all FTP connections from My Computer (aka Explorer). The FTP changes caused all kinds of headaches, but like anything, everyone got used to it or simply switched to a third-party FTP solution.

Stay tuned for updates.

Update: 10/20/2009

We found the Explorer View/Folder View situation covered in the KB article for the latest Internet Explorer Cumulative Security Update, KB974455: http://support.microsoft.com/kb/974455

KB972584 You cannot use Explorer View on a SharePoint site in Internet Explorer 8 http://support.microsoft.com/kb/972584/

The article states that the registry value FEATURE_WEBFOLDER_DIRECTNAVIGATE_KB972584 is needed to enable the fix. It is unclear whether this is still required once the MS09-054 update is installed. Guess IEBLOG.com is going to need to validate, as neither the article nor the security KB is clear about what is needed. Based on the time stamps of the files listed in the article, the fix appears to have been produced back in June 2009.

Update 10/22/2009: By default you do not need to add FEATURE_WEBFOLDER_DIRECTNAVIGATE_KB972584 if you install the MS09-054 update (see http://www.ie8blog.com/2009/10/13/get-your-patch-on-ms09-054-974455/). Since we could not leave the situation alone, we tried setting the registry value to 0x0 (KB972584 advises setting it to 0x1 to enable the fix). To our surprise we were able to restore the broken behavior. We only tried this tweak because we have seen other registry entries like this one where 0x1 enables the fix and 0x0 disables it. Nice trick Microsoft.. :-)
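As an added example (not from the KB article or from Microsoft), here is a PowerShell audit for the value named above that reports whether a machine is relying on the MS09-054 default, has the fix explicitly enabled (0x1), or has the 0x0 override that restores the broken behavior. It assumes the value lives under IE's standard FeatureControl key as a per-process DWORD named iexplore.exe, the way other FEATURE_* switches are stored; the post only names the value, so that path is an assumption.

```powershell
# Added example; not IE8Blog's or Microsoft's own script.
# ASSUMPTION: the switch is stored like other IE feature controls, i.e. a DWORD
# named after the process under ...\Internet Explorer\Main\FeatureControl\<FEATURE>.
# KB972584 (per the post above): 0x1 = fix enabled; the post found 0x0 = fix disabled.
$FeatureName = 'FEATURE_WEBFOLDER_DIRECTNAVIGATE_KB972584'
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$FeatureName",
    "HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$FeatureName"
)

function Get-WebFolderFixState {
    # Returns one record per hive where the per-process value is explicitly set.
    param([string]$Process = 'iexplore.exe')
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path -Name $Process -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = [int]$item.$Process
        $state = switch ($value) {
            0       { 'fix explicitly DISABLED (0x0): Explorer View over HTTPS will break' }
            1       { 'fix explicitly ENABLED (0x1)' }
            default { 'unexpected value 0x' + $value.ToString('x') }
        }
        New-Object PSObject -Property @{
            Hive = $path.Split(':')[0]; Process = $Process; Value = $value; State = $state
        }
    }
}

function Remove-WebFolderFixOverride {
    # Remediation: delete an explicit 0x0 so the patched (MS09-054) default applies again.
    # Deleting under HKLM requires an elevated shell.
    param([string]$Process = 'iexplore.exe')
    foreach ($rec in @(Get-WebFolderFixState -Process $Process)) {
        if ($rec.Value -ne 0) { continue }
        $path = ($KeyPaths | Where-Object { $_.StartsWith($rec.Hive) })
        Remove-ItemProperty -Path $path -Name $Process
        "Removed 0x0 override for $Process under $($rec.Hive)"
    }
}

$results = @(Get-WebFolderFixState)
if ($results.Count -eq 0) {
    # No override present: on a machine with MS09-054 installed this is the expected state.
    "$FeatureName not set for iexplore.exe in HKLM or HKCU; relying on the MS09-054 default."
} else {
    $results | Format-Table Hive, Process, Value, State -AutoSize
}
```

Run the script as-is to audit; call Remove-WebFolderFixOverride from an elevated prompt only when the audit shows a 0x0 entry you want gone.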

Hi everyone!

Just a quick post to let you know of a new whitepaper available from Microsoft that provides some web site troubleshooting guidance in regard to Internet Explorer.

The whitepaper can be downloaded from here:

http://code.msdn.microsoft.com/Project/Download/FileDownload.aspx?ProjectName=IE8&DownloadId=7167

 

So you like Internet Explorer but feel there might be some things missing? Check out the Avant Browser (http://www.avantbrowser.com). Avant Browser is 100% based on the Internet Explorer engine and provides some interesting features not seen in the current version of IE or in some of the other well-known browsers.

There are little features that just make using Avant easy, for example File->Save Screen Image, Save Current Page as Image, and Save Selected Region as Image. We will add further nugget features provided with the Avant Browser as we find them, so check back later.

It should be noted that the default Internet Explorer security zones are still used, so you do receive the added safety of zones.

Let us know your feedback about Avant Browser. We find this browser, built around Internet Explorer technology, a nice alternative both visually and for some of the extra features it provides.


We bet that this guy has Internet Explorer, Firefox, Safari, Chrome, Avant, and other browsers all installed on the same machine. Most likely he quotes RFCs from memory and lives, eats, and sleeps all things Internet Explorer.

Head over and check out http://blogs.msdn.com/ieinternals/. There is some interesting information on this particular Microsoft blog.

It appears the owner of the blog is the same person who wrote the ever-popular Fiddler HTTP sniffer (http://www.fiddlertool.com).

If you have never used Fiddler before, by all means check it out and learn how to use it. Whether you are an IT pro or a developer, this tool is a must-have.

We at IE8 Blog are fairly well versed in the use of Fiddler but have found its proxy-style hook gets in the way with certain sites; specifically, some SSL situations are tripped up. When we cannot get what we want from Fiddler we switch over to another tool from Microsoft called STRACE.

 

STRACE is a socket/SSL tracer that is based on the "detours" utility. The tool has been specifically designed to generate a LOG for Internet Explorer, but it can be used with many other applications.
Using STRACE with Internet Explorer is equivalent to using a (non-full) debug build of WININET.DLL to generate a WININET LOG. The STRACE LOG contains clear-text HTTP traffic (with socket information) and encrypted/decrypted SSL data.

From the STRACE LOG, you can "replay" a full navigation scenario using the HTTPREPLAY tool. This can be useful to reproduce a problem or browse web sites offline…

 

 

STRACE is a socket/SSL tracer designed to generate LOG for Internet Explorer

One of the coolest features we found for STRACE is replaying the generated log file with another tool called HTTPReplay, which is another download from Microsoft.

 

 

 

HTTPREPLAY is a SOCKTRC plug-in allowing you to analyze and replay HTTP traffic from a STRACE or WININET log. You can use this tool to "replay a web server" without needing to set up IIS. The main goal of this tool is to help build a repro scenario when the customer can't provide one.

 

HTTPREPLAY is a SOCKTRC plugin allowing to analyze and replay HTTP traffic

Link to what appears to be the developer of HTTP Replay, or at least someone who knows more about the tool than anyone else: http://blogs.msdn.com/emmanubo/archive/2008/04/02/improved-version-of-strace-and-httpreplay.aspx

Stay tuned for tips and tricks on the use of Fiddler, STRACE, and HTTPReplay. Do not forget to bookmark the IEInternals blog link.