The issue happens when the Internet Explorer browser tab process is unable to access the appropriate Low folder.
When running in Protected Mode, Internet Explorer runs each tab in a separate Low Mandatory Integrity Level process. Any process tagged as Low has a number of restrictions placed upon it, e.g.:
- limiting write access to only one folder on the hard drive (LocalLow)
- limiting write access to only one key in the registry (AppDataLow)
- blocks window and process hooking
- unable to create processes or remote threads
- cannot write to shared memory
- cannot access running COM objects
- cannot access clipboard
- cannot open sockets
- cannot initiate RPC
- cannot send messages to other windows
The interesting restriction we care about is being able to write only to specifically white-listed folders: folders marked with the Low Mandatory Integrity Level.
An example of one of these folders is your LocalLow folder in:
C:\Users\Ian\AppData\Local
C:\Users\Ian\AppData\LocalLow (low integrity level)
C:\Users\Ian\AppData\Roaming
You can see the Low Mandatory Integrity Level tag applied to this folder by running icacls from an elevated command prompt:
C:\Users\Ian\AppData>icacls LocalLow
LocalLow BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
Successfully processed 1 files; Failed processing 0 files
The last entry:
Mandatory Label\Low Mandatory Level
indicates that this folder has the Low integrity level marker. This means that it is one of the few folders that a Low process is allowed to write to.
What does this have to do with Internet Explorer?
In the case of Internet Explorer, there are a handful of other Low folders:
C:\Users\Ian\AppData\LocalLow
C:\Users\Ian\AppData\Local\Temp\Low
C:\Users\Ian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Ian\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
C:\Users\Ian\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low
When you use the F12 tools, Internet Explorer tries to access the IECompatUACache folder. If the folder does not have the correct label, the iexplore.exe process will get an ACCESS DENIED error, causing it to fail badly.
What can cause the Low Mandatory Label to have been lost from one of these folders or any of their subfolders? Perhaps you own an SSD, and tried to use Microsoft's supported feature of relocating your AppData folder. The folder relocation feature fails pretty spectacularly at its one job of relocating a folder.
In order to reset the Mandatory Integrity Level Low label on the Low folders around the computer, run:
icacls "D:\Users\Ian\AppData\LocalLow" /setintegritylevel low /T
icacls "D:\Users\Ian\AppData\Local\Temp\Low" /setintegritylevel low /T
icacls "D:\Users\Ian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low" /setintegritylevel low /T
icacls "D:\Users\Ian\AppData\Roaming\Microsoft\Windows\IECompatCache\Low" /setintegritylevel low /T
icacls "D:\Users\Ian\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low" /setintegritylevel low /T
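To find out which of these folders (or their subfolders) have actually lost the label before resetting anything, the following PowerShell audit can be used. It is an added example, not part of the original answer. It assumes the folder list above, English-language icacls output as shown earlier, and that LocalLow sits beside Local under the current user's (possibly relocated) AppData folder; the function name Test-LowLabel is hypothetical.

```powershell
# Added example: audit the Low folders listed above for the Low mandatory label.
# Paths are derived from the current user's environment variables, so a
# relocated AppData folder (e.g. on D:) is followed automatically.
# Assumption: LocalLow is a sibling of Local under the AppData folder.
$appData = Split-Path -Path $env:LOCALAPPDATA -Parent

$lowFolders = @(
    (Join-Path $appData 'LocalLow'),
    (Join-Path $env:LOCALAPPDATA 'Temp\Low'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Low'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\IECompatCache\Low'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\IECompatUACache\Low')
)

function Test-LowLabel {
    # Hypothetical helper: returns $true when icacls lists the
    # "Mandatory Label\Low Mandatory Level" entry for the given folder.
    # Assumption: English-language icacls output, as in the sample above.
    param([Parameter(Mandatory)][string]$Path)
    $acl = & icacls.exe $Path 2>$null
    return [bool]($acl | Select-String -SimpleMatch 'Mandatory Label\Low Mandatory Level')
}

$report = foreach ($root in $lowFolders) {
    if (-not (Test-Path -LiteralPath $root -PathType Container)) {
        [pscustomobject]@{ Path = $root; Status = 'Missing' }
        continue
    }
    # Check the root and every subfolder, since the label can be lost on either.
    $subDirs = Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
    foreach ($dir in @($root) + @($subDirs)) {
        $status = if (Test-LowLabel -Path $dir) { 'Low' } else { 'NoLowLabel' }
        [pscustomobject]@{ Path = $dir; Status = $status }
    }
}

# Show only the folders that need attention; an empty table means every
# folder that exists carries the Low label.
$report | Where-Object Status -ne 'Low' | Format-Table -AutoSize
```

Any folder reported as NoLowLabel is a candidate for the icacls /setintegritylevel low /T command shown above.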