What permissions are needed to install and update an ActiveX control?

We are developing a web-based point-of-sale application, which, while it mostly runs in a browser, also requires integration with hardware devices such as credit card readers. In order to provide hardware integration, we have implemented several simple ActiveX controls in C++ using ATL.

We are not experienced Windows developers, and are having difficulty understanding the installation process and security model for ActiveX controls. Obviously, this is a prerequisite to our users actually being able to run our application. :)

We are trying to determine what is the finest-grained and most restrictive set of permissions required for a typical unprivileged user (non-admin, non-power user) to install and update a particular ActiveX control (as opposed to any ActiveX control) from a signed .cab file served over HTTP as part of a web application. We need to know this for XP (SP2+) & IE6, as well as for more recent OS/browser combinations. We want this information so we can help our IT staff properly configure the machines on which the software will run.

We have done quite a lot of digging on the internet, and have not been able to find adequate documentation. We have also talked with some folks at Microsoft, who also could not provide us with the information we need.

Using the Sysinternals Process Monitor and some trial and error, we have been able to determine that the following registry permissions are sufficient to enable an unprivileged user to be prompted to install an ActiveX control on XP SP2 / IE6 (i.e. the user will see the yellow bar at the top of IE saying "This site wants to install some software"):

  • HKLM\Software\Microsoft\Tracing (key only, create subkey permission)
  • HKLM\Software\Microsoft\Code Store Database (key only, create subkey permission)

The process of actually installing the control is much more complicated, and we haven't made much progress in sorting it out, beyond a general awareness that the user will need to write to C:\windows\downloaded program files\ and HKLM\Software\Microsoft\Code Store Database\Distribution Units\{guid}.

(We are investigating the capability of Vista and Windows 7 to install ActiveX controls as an unprivileged user, but we need to support XP as well. We are also considering adopting AIR 2 as our platform, which provides native code integration, but that also doesn't address our immediate needs.)

13.10.2009 23:45:55
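
An added example, not part of the original question: one way IT staff could apply and then audit the two "key only, create subkey" grants listed above, in PowerShell. The group name `PosOperators` is a placeholder, and the script covers only the two keys the question names, not the install-time locations it says are still unresolved.

```powershell
# Added example: apply/audit the two "key only, create subkey" grants from the question.
# 'PosOperators' is a placeholder group name; run from an elevated prompt.
param(
    [string]$Principal = 'PosOperators',
    [switch]$Apply          # without -Apply the script only reports
)

$keys = 'HKLM:\Software\Microsoft\Tracing',
        'HKLM:\Software\Microsoft\Code Store Database'

$sidType = [System.Security.Principal.SecurityIdentifier]
# Resolve the account to a SID so the comparison does not depend on name format.
$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate($sidType)

# CreateSubKey only, no inheritance: the ACE applies to the key itself, not its children.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $sid,
    [System.Security.AccessControl.RegistryRights]::CreateSubKey,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { Write-Warning "Missing key: $key"; continue }
    if ($Apply) {
        $acl = Get-Acl -Path $key
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }
    # List explicit (non-inherited) ACEs for the principal and flag anything
    # that differs from the intended grant.
    (Get-Acl -Path $key).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Key        = $key
                Type       = $_.AccessControlType
                Rights     = $_.RegistryRights
                Inherits   = $_.InheritanceFlags
                AsIntended = ($_.AccessControlType -eq 'Allow' -and
                              $_.RegistryRights -eq $rule.RegistryRights -and
                              $_.InheritanceFlags -eq 'None')
            }
        }
}
```

Any row with `AsIntended` set to false is an explicit ACE for the group that grants something other than the key-only create-subkey right and is worth reviewing before rollout.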

It has been many, many moons since I've had to be concerned with developing ActiveX controls embedded in a web page for a commercial product.

Kudos to you and your team for doing things the right way. I've seen too many commercial, web-based applications force enterprises to lower the security requirements of Internet Explorer because they couldn't take the time to properly package their application.

The basic premise that I remember was that you had to implement at least one specific interface, IObjectSafety, add a couple of specific component category ids during component registration, and sign your .cab with a certificate from a trusted CA such as Verisign.

Check out:

If that doesn't work, try to get hold of your local Microsoft Developer Evangelist to help point you in the right direction.

If you have a Microsoft Support Contract, then contact your Technical Account Manager (TAM) or Application Developer Consultant (ADC) for additional help.

Good Luck,


14.10.2009 03:52:01