Vista Forums - View Single Post - Re: Default view of folders reverts back to previous settings.

04-07-2007

On Wed, 4 Apr 2007 02:11:55 -0500, "Keith Miller MVP"
>"cquirke (MVP Windows shell/user)" wrote
>> On Mon, 2 Apr 2007 10:46:13 -0500, "Keith Miller MVP"
>>>"cquirke (MVP Windows shell/user)"

>>>'HKCU\Software\Classes\Local
>>>Settings\Software\Microsoft\Windows\Shell\BagMRU'

>> I can't find that in XP SP2 but similar in
>> HKLM\Software\Microsoft\Windows\Shell etc.
>
>In XP, the equivalent key is:
>
>"HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU"

OK, thanks; got it...

>> Tell me more about these templates... in the IE4 era, we had
>> Desktop.ini pointing to *.htt files that allowed HTML scripting to be
>> bound to locations, in ways amenable to malware use - so that every
>> full-shared location was potentially a malware drop-and-run point.

>When I say template, I'm refering to the choices that appear on the
>'Customize' tab: 'All Items', 'Documents', etc. These govern the tasks
>offered, default icon style, & default columns selected, etc. Nothing so
>advanced as retaining HTML malware

That's good. WinME let you slam the door on "View As Web Page", but
XP and Vista no longer have such an option, and yet have suspiciously
detailed and lavish possible views. It wasn't at all clear wether
this was using Folder.htt etc. but with no safety catch anymore.

>> Are these newer OSs cluefull enough to suppress "Web Page" scripts, or
>> dumb enough to integrate these with no option to disable them?
>
>They're suppressed by default in XP, but could be activated:
>
>http://support.microsoft.com/kb/819028/

OK, good that they're suppressd by default.

>> Are there other opportunities to edit a Desktop.ini so as to invoke
>> code; say, via a CLSID? Let's leave aside pointing to a "specially
>> crafted" .ICO using the .ANI exploit for now.

>There was under XP, but it was disabled by default in one of the updates,
>but can reactived via a policy setting. Haven't checked under Vista -- I
>assume it's at least disabled by default if not completely unavailable.

OK, that's good.

>------------ ----- ---- --- -- - - - -
Our senses are our UI to reality
>------------ ----- ---- --- -- - - - -

04-07-2007	#5 (permalink)
cquirke (MVP Windows shell/user) Guest Posts: n/a	Re: Default view of folders reverts back to previous settings. On Wed, 4 Apr 2007 02:11:55 -0500, "Keith Miller MVP" >"cquirke (MVP Windows shell/user)" wrote >> On Mon, 2 Apr 2007 10:46:13 -0500, "Keith Miller MVP" >>>"cquirke (MVP Windows shell/user)" >>>'HKCU\Software\Classes\Local >>>Settings\Software\Microsoft\Windows\Shell\BagMRU' >> I can't find that in XP SP2 but similar in >> HKLM\Software\Microsoft\Windows\Shell etc. > >In XP, the equivalent key is: > >"HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU" OK, thanks; got it... >> Tell me more about these templates... in the IE4 era, we had >> Desktop.ini pointing to *.htt files that allowed HTML scripting to be >> bound to locations, in ways amenable to malware use - so that every >> full-shared location was potentially a malware drop-and-run point. >When I say template, I'm refering to the choices that appear on the >'Customize' tab: 'All Items', 'Documents', etc. These govern the tasks >offered, default icon style, & default columns selected, etc. Nothing so >advanced as retaining HTML malware That's good. WinME let you slam the door on "View As Web Page", but XP and Vista no longer have such an option, and yet have suspiciously detailed and lavish possible views. It wasn't at all clear wether this was using Folder.htt etc. but with no safety catch anymore. >> Are these newer OSs cluefull enough to suppress "Web Page" scripts, or >> dumb enough to integrate these with no option to disable them? > >They're suppressed by default in XP, but could be activated: > >http://support.microsoft.com/kb/819028/ OK, good that they're suppressd by default. >> Are there other opportunities to edit a Desktop.ini so as to invoke >> code; say, via a CLSID? Let's leave aside pointing to a "specially >> crafted" .ICO using the .ANI exploit for now. >There was under XP, but it was disabled by default in one of the updates, >but can reactived via a policy setting. Haven't checked under Vista -- I >assume it's at least disabled by default if not completely unavailable. OK, that's good. >------------ ----- ---- --- -- - - - - Our senses are our UI to reality >------------ ----- ---- --- -- - - - -
cquirke (MVP Windows shell/user) Guest Posts: n/a