Block unknown file name extension types -- How to?

Richard

The MS05-016 bulletin says "Systems that block unknown file name
extension types or only allow known valid file name extension types
would be at a reduced risk from this vulnerability."

How does one:
-- block unknown file name extension types
-- only allow known valid file name extension types

I'm running WinXP-Pro/SP2

TIA
 
Wesley Vogel

"...through unregistered file name extension types."

Means that file extensions are not listed in your registry.

> -- block unknown file name extension types

These are not listed in your registry and are considered unknown.

> -- only allow known valid file name extension types

These are listed in your registry.

File types are listed in the registry here...
HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE\SOFTWARE\Classes

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Vanguard

> "...through unregistered file name extension types."
>
> Means that file extensions are not listed in your registry.
>
> These are not listed in your registry and are considered unknown.

Actually all unknown types ARE listed in the registry - by providing a
default for them. Take a look at:

HKCR/*

That defines what action(s) to take on an unknown filetype. From what I
see in my registry, the only events defined under it specify a list of
possible applications to use but there is not one that is used by
default; i.e., they show a list and the user still has to select which
one to use.

Also read http://support.microsoft.com/kb/236014/en-us.
 
Wesley Vogel

[HKEY_CLASSES_ROOT\.]
@="NoExtFile"

NoExtFile is for files that have NO file extension. Like the HOSTS file,
for example.

INFO: Shell Extensions for File Names with No File Extension
http://support.microsoft.com/kb/236014

HKEY_CLASSES_ROOT\*
and
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*
AlwaysShowExt if the Value Data is blank, files never show the extension.

Windows Explorer never shows the .lnk or .url extension regardless of the
shell-wide setting for known (registered) file types. If you look in the
registry under HKEY_CLASSES_ROOT\lnkfile or
HKEY_CLASSES_ROOT\InternetShortcut, you'll find NeverShowExt REG_SZ entries.
The command prompt does show .lnk and .url, etc. extensions.

Explorer doesn't show extensions for ConferenceLink (cnf), Directory,
DocShortcut (shb), piffile (pif), SHCmdFile (scf) or ShellScrap (shs) files
either.

HKEY_CLASSES_ROOT\Unknown
or
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown

<quote>
The content of HKEY_CLASSES_ROOT comes from two sources:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes.
If a subkey or entry appears in either location, it also appears in
HKEY_CLASSES_ROOT. If the values of entries in the two Classes subkeys
conflict, only the value in HKEY_CURRENT_USER\SOFTWARE\Classes appears in
HKEY_CLASSES_ROOT.
</quote>
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2rkbook/regentry.mspx?mfr=true

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Richard

Hi Wes,
The weirdest thing happened today. When I went to post a reply to you
today, Google Groups indicated that this thread had been deleted. I
started a new thread with the same name appended with "(2nd try)". A
post to that thread seemed to go OK. But when I came back after a
hiatus of a few hours, my new thread could not be found but this
thread had been resurrected. I guess someone's monitoring this
newsgroup and doing a good job, or it's a miracle. [After I posted
this response and got confirmation that it had been posted, I
returned to the thread from time to time and never saw this post. So,
here's another attempt. Hopefully, this doesn't lead to "double
posting".]

Anyway, thanks for your explanation about the terms used in the
MS05-016 bulletin.
In light of your responses, I spent some time poking around the
Registry over the past two weeks, but I don't see what I can do about
the two questions I originally asked:

How does one:
-- block unknown file name extension types
-- only allow known valid file name extension types
as suggested in the bulletin?

Perhaps we have to insert a filter in Windows' file-open mechanism
that inspects the filename and:
1. If the filename matches the regular expression "\.\w+$", using the
matching string for a search of HKCR\'s top-level entries. If the
search fails, have Windows fail the open attempt.
2. If the filename has no file extension, have Windows fail the
open attempt unless that filename appears on some sort of "white
list."

That sounds way beyond the ken of most of us programmers. So, I think
I'm way off the mark here.
Any additional suggestions would be most appreciated.

Best wishes,
Richard
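
Richard's two rules above, written out as a decision function (an added example, not code from the thread). The names `registered_extensions` and `decide` and the sample data are hypothetical; the function only returns a verdict and does not hook Windows' file-open path. It goes one step past the post by stripping trailing dots and spaces the way Win32 does on open, and by skipping the `.`, `*` and `Unknown` fallback keys mentioned earlier in the thread.

```python
import re

EXT_RE = re.compile(r"\.\w+$")  # the pattern proposed in the post above


def registered_extensions():
    """Top-level HKCR subkeys that name an extension (Windows only)."""
    import winreg  # imported here so the decision logic runs on any OS
    exts, i = set(), 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, i)
        except OSError:  # raised when there are no more subkeys
            return exts
        # "." (NoExtFile), "*" and "Unknown" are fallbacks, not registrations.
        if name.startswith(".") and len(name) > 1:
            exts.add(name.lower())
        i += 1


def decide(path, registered, noext_allow):
    """Return (verdict, reason) for one file name, failing closed."""
    name = re.split(r"[\\/]", path)[-1]
    # Win32 drops trailing dots and spaces, so "a.txt. " opens "a.txt".
    name = name.rstrip(". ")
    m = EXT_RE.search(name)
    if m:
        ext = m.group(0).lower()  # registry lookups are case-insensitive
        if ext in registered:
            return ("allow", "registered " + ext)
        return ("block", "unregistered " + ext)
    # Rule 2: no extension matched, so only allow-listed names pass.
    if name.lower() in noext_allow:
        return ("allow", "allow-listed name")
    return ("block", "no recognised extension")


# Constructed sample data, not taken from a real registry.
SAMPLE_REGISTERED = {".txt", ".doc", ".lnk"}
SAMPLE_NOEXT_ALLOW = {"hosts"}
SAMPLE_NAMES = [
    r"K:\Temp\TestData.xxx",  # unregistered extension
    r"K:\Temp\notes.TXT",     # registered, different case
    "HOSTS",                  # no extension, allow-listed
    "report.txt. ",           # trailing dot and space
    "archive.x-y",            # "-" defeats \w+, so rule 2 applies
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), decide(n, SAMPLE_REGISTERED, SAMPLE_NOEXT_ALLOW))
```

On Windows, pass `registered_extensions()` instead of the sample set to check names against the machine's own HKCR entries.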


 
Newbie Coder

Wes,

Not seeing the other post or if I did I don't remember it

In XP, you have a safe list of file extensions you don't get the warning up
for & this is the list that MSN Messenger also uses. So, blocking it there
will in turn block you from sending via MSN... There are a few tools out
there one of which can be found here:

http://www.crouchie.net/downloads/msn_file_types.zip

It's obviously written for MSN, but will also deliver that annoying dialog
box to anyone trying to open that blocked extension, but you can just
right-click the file in XP & click the UNBLOCK button to add it to the safe
list again.

I know you can add filenames to the registry in which to block them, but I
don't know any other way than the above for extensions

For what you want to do there is always a counteract & that is this. The key
needs to be created if not in existence:

HKEY_CLASSES_ROOT\Unknown\shell\Open\Command

Then set the DEFAULT to "notepad.exe %1"

That way, you always open unknown file types in notepad which partially
defeats what you want to do

Sorry, that I cannot be of more help,

--
Newbie Coder
(It's just a name)



Richard

Hi,

Thanks for your response!!
> I know you can add filenames to the registry in which to block them,
> but I don't know any other way than the above for extensions
>
> For what you want to do there is always a counteract & that is this.
> The key needs to be created if not in existence:
> HKEY_CLASSES_ROOT\Unknown\shell\Open\Command
>
> Then set the DEFAULT to "notepad.exe %1"
> That way, you always open unknown file types in notepad which partially defeats what you want to do.

Cool! Here's what I tried unsuccessfully:

I ran Regedit:
1. Created key HKEY_CLASSES_ROOT\Unknown\shell\open\command
2. Modified the string value for that key to %SystemRoot%\notepad.exe %1
3. Closed the registry editor

In K:\Temp:
1. I created and saved a TestCmd.bat file containing one line:
%SystemRoot%\notepad.exe %1

2. I created and saved a TestData.xxx file containing two lines:
Line 1
Line 2

In a new Command window, I executed the command:
K:\Temp>TestData.xxx
I got a MessageBox captioned "Windows" with the content:
Windows cannot open this file:
File: TestData.xxx
To open this file, Windows needs to know what program created
it. ...

In a Command window, I executed the command:
K:\Temp>TestCmd TestData.xxx

I got back nothing but the command prompt:
K:\Temp>
No Notepad window opened.

In the same window, I entered the command:
K:\Temp>%SystemRoot%\notepad.exe
and a Notepad window opened.

Can you spot where I went awry?

Best wishes,
Richard
