Applying Activation Security

The following table outlines how activation security is applied to requests to the Service Control Manager.

Request: CoGetClassObject or CoCreateInstance of a non-running class X

Action:

1. Check HKLM\Software\Network OLE\Enabled. Fail the request if zero.

2. Check HKCU\Software\Network OLE\Enabled. Fail the request if zero.

3. If the class is registered in HKCR, follow HKCR\CLSID\{ . . . }\FindActivationSecurityAt = { . . . } until an HKCR\CLSID\{ . . . }\ActivationSecurity key is found. If these keys do not exist, use HKCU\Software\Network OLE\DefaultActivationSecurity. Check the request against the security on this key.

4. Otherwise, if the class is registered in HKCC, follow HKCC\CLSID\{ . . . }\FindActivationSecurityAt = { . . . } until an HKCC\CLSID\{ . . . }\ActivationSecurity key is found. If these keys do not exist, use HKLM\Software\Network OLE\DefaultActivationSecurity. Check the request against the security on this key.

Request: CoGetClassObject or CoCreateInstance of a running class Y

Action:

1. Check HKLM\Software\Network OLE\Enabled. Fail the request if zero.

2. Check HKCU\Software\Network OLE\Enabled. Fail the request if zero.

3. Check the request against the SECURITY_DESCRIPTOR available from CoRegisterClassObject(CLSID_Y, . . . ). This is either the value returned by the class object's IActivationSecurity::GetSecurityDescriptor at the time of CoRegisterClassObject or, if the class object did not support IActivationSecurity, the value taken from HKCU\Software\Network OLE\DefaultActivationSecurity or HKLM\Software\Network OLE\DefaultActivationSecurity at the time of CoRegisterClassObject.

Request: Running Object Table

Action:

1. Check HKLM\Software\Network OLE\Enabled. Fail the request if zero.

2. Check HKCU\Software\Network OLE\Enabled. Fail the request if zero.

3. Before performing any operation against a ROT entry (i.e., IRunningObjectTable::Revoke, IRunningObjectTable::IsRunning, IRunningObjectTable::GetObject, IRunningObjectTable::NoteTimeChange, IRunningObjectTable::GetTimeOfLastChange, or when including an entry in an IEnumMoniker::Next of an IEnumMoniker returned from IRunningObjectTable::EnumRunning), check the call against the SECURITY_DESCRIPTOR available from IRunningObjectTable::Register. This is either the value returned by the object's IActivationSecurity::GetSecurityDescriptor at the time of IRunningObjectTable::Register or, if the object did not support IActivationSecurity, the value taken from HKCU\Software\Network OLE\DefaultROTSecurity or HKLM\Software\Network OLE\DefaultROTSecurity at the time of IRunningObjectTable::Register.
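The lookup for a non-running class, modelled as an added example (not code from the specification or any SCM implementation): the registry is a constructed in-memory dictionary, the descriptor is assumed to live in the default value of the ActivationSecurity key, the default value names are spelled as in the running-class entry, and the loop guard on FindActivationSecurityAt chains is an added safeguard the text does not describe.

```python
from typing import Dict, Optional, Tuple

Registry = Dict[str, Dict[str, object]]  # full key path -> {value name: data}

# Constructed sample registry; descriptors are stand-in strings, not real SDs.
SAMPLE_REGISTRY: Registry = {
    "HKLM\\Software\\Network OLE": {"Enabled": 1, "DefaultActivationSecurity": "SD_HKLM_DEFAULT"},
    "HKCU\\Software\\Network OLE": {"Enabled": 1, "DefaultActivationSecurity": "SD_HKCU_DEFAULT"},
    "HKCR\\CLSID\\{A}": {"FindActivationSecurityAt": "{B}"},   # A delegates to B
    "HKCR\\CLSID\\{B}": {},
    "HKCR\\CLSID\\{B}\\ActivationSecurity": {"": "SD_CLASS_B"},  # descriptor in default value (assumption)
    "HKCR\\CLSID\\{C}": {},                                      # no security keys: default applies
    "HKCR\\CLSID\\{D}": {"FindActivationSecurityAt": "{E}"},   # D and E form a loop
    "HKCR\\CLSID\\{E}": {"FindActivationSecurityAt": "{D}"},
    "HKCC\\CLSID\\{F}": {},                                      # HKCC class, falls back to HKLM default
}

class ActivationError(Exception):
    """The request must fail (Network OLE disabled, unknown class, broken chain)."""

def _enabled(reg: Registry, hive: str) -> bool:
    # Only an explicit zero fails the request; a missing value counts as enabled (assumption).
    return reg.get(hive + "\\Software\\Network OLE", {}).get("Enabled", 1) != 0

def _follow_chain(reg: Registry, hive: str, clsid: str) -> Optional[str]:
    """Follow FindActivationSecurityAt links until an ActivationSecurity key is found."""
    seen = set()
    while clsid not in seen:
        seen.add(clsid)
        base = hive + "\\CLSID\\" + clsid
        sd_key = reg.get(base + "\\ActivationSecurity")
        if sd_key is not None:
            return str(sd_key.get(""))
        clsid = reg.get(base, {}).get("FindActivationSecurityAt")
        if clsid is None:
            return None  # chain ended without an ActivationSecurity key
    raise ActivationError("FindActivationSecurityAt loop at " + clsid)  # added safeguard

def resolve_activation_security(reg: Registry, clsid: str) -> Tuple[str, str]:
    """Return (where it came from, descriptor) that the activation request is checked against."""
    for hive in ("HKLM", "HKCU"):
        if not _enabled(reg, hive):
            raise ActivationError("Network OLE disabled in " + hive)
    # HKCR is consulted before HKCC, and each has its own default hive per the table.
    for hive, default_hive in (("HKCR", "HKCU"), ("HKCC", "HKLM")):
        if hive + "\\CLSID\\" + clsid in reg:
            sd = _follow_chain(reg, hive, clsid)
            if sd is not None:
                return (hive + " chain", sd)
            default = reg[default_hive + "\\Software\\Network OLE"]["DefaultActivationSecurity"]
            return (default_hive + " default", str(default))
    raise ActivationError("class " + clsid + " is not registered")  # assumption: unregistered class fails
```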