
EXE from HTML: Critical patches broke ShellExecute method. What now?

Note: There is considerable background detail here, but I do have
three questions, which are clearly marked and appear right before the
sample code.

I have a legitimate need to launch an EXE from an HTML page on Windows
XP/Internet Explorer. The EXE is already locally installed, and the
HTML page is also viewed locally on the PC - it's not a web site. I
know of two ways to do this, both of which are featured in the sample
HTML file at the bottom of my post.

The first method, using the Shell.Application ActiveX Object, used to
work until I installed the latest critical Windows XP patches from
Microsoft. Before these patches were installed, you could click the
'Launch Notepad.exe' button in my sample HTML file and the program
would start right up. (Note that my Internet security settings are
always at Medium, my Local intranet security settings are at
Medium-low, and I've never had to mess with the individual ActiveX
security settings to get this code to work.)

However, one of the following critical updates has broken the 'Launch
Notepad' code. It doesn't matter what my Internet/intranet security
settings are, or whether I've enabled unsafe ActiveX scripting. My
list of suspects is: KB842773, KB840315, KB841873, KB839645. (I have
four computers running Windows XP SP-1 at my desk, and each has the
same version of Internet Explorer installed -
6.0.2800.1106.xpsp2.030422-1633. The Launch Notepad code stopped
working on two of them this week, and still worked on the other two.
As a test, I ran Windows Update on one of the working systems and
found that after the patches were applied, my code no longer worked. I
even restored that machine's pre-patched ghost image and confirmed
that the code worked again. Next, I ran Windows Update a second time,
and allowed the aforementioned patches to be installed. Again, it
broke my code.)

You can confirm whether you have these patches installed on your
machine a number of ways, but perhaps the easiest is to open your
Windows folder and look for '$NtUninstallKBxxxxxx' folders with names
matching the patches I listed.

And then there's the second method, used by the 'Launch Regedit.exe'
button. While this will actually still launch the EXE file, it's
undesirable because it always prompts you with a dialog that starts
out "An ActiveX control on this page might be unsafe…" Note that this
even happened before the patches, again regardless of the
Internet/Local intranet security settings.

* QUESTION 1: Is there any way to get ShellExecute to work again once
the new critical updates are installed?

* QUESTION 2: Failing that, how can I get around the unsafe control
warning with the Wscript.Shell method, for a local HTML file that's
trying to launch a local EXE?

* QUESTION 3: Is there any OTHER way for an honest guy like me to
launch a local EXE from a local HTML file?

Thanks, and here's the sample HTML file:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script type="text/javascript" language="JavaScript">

// Method 1: Shell.Application (stopped working after the patches)
function LaunchNotepad()
{
    var launcher = new ActiveXObject("Shell.Application");
    // ShellExecute(file, arguments, directory, operation, show)
    launcher.ShellExecute("Notepad.exe", "", "", "open", "1");
}

// Method 2: WScript.Shell (still works, but shows the unsafe-control prompt)
function LaunchRegedit()
{
    var launcher = new ActiveXObject("WScript.Shell");
    launcher.Run("Regedit.exe");
}

</script>
</head>
<body>
<form name="Form1">
    <input name="ButtonNotepad" value="Launch Notepad.exe"
           onclick="LaunchNotepad()" type="button"> <br>
    <br>
    <input name="ButtonRegedit" value="Launch Regedit.exe"
           onclick="LaunchRegedit()" type="button">
</form>
</body>
</html>
Jul 23 '05 #1
9 Replies


Fox

Josh Mayfield wrote:

> Note: There is considerable background detail here, but I do have
> three questions, which are clearly marked and appear right before the
> sample code.

If you're running IE5.5 or better, try changing the file extension of
your "web" page to .hta (HyperText Application) -- which can be used to
turn IE into an application "shell". HTAs are automatically afforded
security permissions that should allow you to manipulate your system any
way you like (without certs, etc...).



Jul 23 '05 #2


Josh Mayfield wrote:

> The first method, using the Shell.Application ActiveX Object, used to
> work until I installed the latest critical Windows XP patches from
> Microsoft. Before these patches were installed, you could click the
> 'Launch Notepad.exe' button in my sample HTML file and the program
> would start right up. (Note that my Internet security settings are
> always at Medium, my Local intranet security settings are at
> Medium-low, and I've never had to mess with the individual ActiveX
> security settings to get this code to work.)

Your code will work, if loaded in IE from a page located on either your
own hard drive, or a network resource (such as a network drive). Both of
these are considered the Local Computer zone and allow the code to work
properly. It will/should never automatically launch an executable if the
page is located on an HTTP/HTTPS server (assuming default security
settings).

> * QUESTION 1: Is there any way to get ShellExecute to work again once
> the new critical updates are installed?

No, that's obviously the point of the patch(es).

> * QUESTION 2: Failing that, how can I get around the unsafe control
> warning with the Wscript.Shell method, for a local HTML file that's
> trying to launch a local EXE?

You can't without changing your default security settings, or adding the
site you are loading the page from to your list of Trusted Sites.

> * QUESTION 3: Is there any OTHER way for an honest guy like me to
> launch a local EXE from a local HTML file?

No. If there were a way for an "honest guy like you" to run a local EXE
unprompted, then there would be a way for a malicious person to run a
local EXE unprompted. Not being able to do what you want to do is a GOOD
thing.

--
Grant Wagner <gw*****@agricoreunited.com>
comp.lang.javascript FAQ - http://jibbering.com/faq

Jul 23 '05 #5

ma**************@yahoo.com (Josh Mayfield) wrote in message news:<92**************************@posting.google.com>...

> * QUESTION 1: Is there any way to get ShellExecute to work again once
> the new critical updates are installed?


Thanks to Fox for the tip about changing the file extension to .HTA.
This indeed worked (for both of my launching methods). Unfortunately,
I was unable to use it because my HTM files are hosted by a shell EXE
that was developed by another team and is hardcoded to load a specific
HTM file (which is the one I needed to change).

Additional thanks to Joker, for explaining that the patches affected a
different security zone from the ones I was messing with. I have
looked into this and found that it is called the "My Computer Zone"
and it's the only one that's not configurable in the Internet Options
UI. (Which completely baffles me.)

I located the My Computer Zone's registry key, which is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

And was able to tweak the settings there. Now both of my launching
methods work without popping up any annoying warnings, and without
requiring a filename change.
Jul 23 '05 #6
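
An added example, not code from any poster in this thread: a Python audit of a `reg export` of the zone key named in the post above, flagging ActiveX URL actions in zone 0 that are set to run without a prompt. The export text is constructed, and the two-entry watchlist is an assumption of this example; the thread does not say which values were changed.

```python
import codecs
import re

# Internet Explorer URL action data: 0 = enable, 1 = prompt, 3 = disable.
ENABLE = 0

# Assumption: a short watchlist chosen for this example. The thread does not
# say which values under Zones\0 were changed.
WATCHLIST = {
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}

# Matches ...\Internet Settings\Zones\<n> but not Lockdown_Zones or subkeys.
KEY_RE = re.compile(r"^\[(.*\\Internet Settings\\Zones\\(\d+))\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample export, not taken from a real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="My Computer"
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000003
"1201"=dword:00000003
"""


def decode_export(data):
    """Decode raw .reg bytes: version 5.00 exports are UTF-16LE with a BOM,
    older REGEDIT4 exports are single-byte text."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_zone_export(text):
    """Return {key_path: {"zone": n, action_id: value, ...}} for zone keys."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None
            if current:
                zones.setdefault(current, {"zone": m.group(2)})
            continue
        m = VALUE_RE.match(line)
        if m and current:
            zones[current][m.group(1).upper()] = int(m.group(2), 16)
    return zones


def audit(text, zone="0"):
    """List (key, action, label) for watchlist actions set to 'enable'.
    A value missing from the export is not flagged."""
    findings = []
    for key, values in parse_zone_export(text).items():
        if values["zone"] != zone:
            continue
        for action, label in WATCHLIST.items():
            if values.get(action) == ENABLE:
                findings.append((key, action, label))
    return findings


if __name__ == "__main__":
    for key, action, label in audit(SAMPLE_EXPORT):
        print("%s: %s (%s) is enabled without a prompt" % (key, action, label))
```
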

It's not a zone on the Internet is why it's not in Internet Properties.

Only Web based zones go there because that's what Internet Explorer was
designed for. It just happens to also work in the "My Computer" zone as
well.



Jul 23 '05 #7

Thanks to all for getting this started. YES - there are reasons to
execute an EXE from an HTML page that have nothing to do with
vandalizing someone's computer.

While it is obvious that an EXE should not be launched by the browser
without confirmation - it is just as sensible to provide for an "Always
allow THIS file to run" option. The lack of options like that was the
root cause for the I LOVE YOU virus's vigor.

I will explain that: The ILY bug LOOKED like a TXT file - clicking on
it launched a window that end-users had been seeing for over a year on
TXT files, stupidly warning them that a harmless file might be harmful.
The inability to stop the warnings led to the lack of attention on the
end-users' part that fueled the spread of the virus.

I am careful and diligent - I am not ignorant about my computer's
weaknesses. A few weeks ago I clicked on continue on a file that I was
99% positive was malware. Why? Because I am so friggin programmed to
click that damn OK button when I dl things.

I SHOULD have the right to specify which locations are NEVER to be
questioned. Yep, some dummy is going to enable the ip range between
1.0.0.1 and 254.255.255.254 but that's HIS problem.

There's a MILLION legitimate reasons to want to launch an exe without
having to get additional security warnings.

Here's another promising approach:

http://www.whirlywiryweb.com/q/launchinie.asp

The HTA thing works <sort of> for me - but I am trying to make a custom
interface using DHTML menu builder and I am not sure how to plug the JS
codes you posted into my pull-down HTML pages

--
thestrae

Jul 23 '05 #8

thestrae wrote:

> Thanks to all for getting this started. YES - there are reasons to
> execute an EXE from an HTML page that have nothing to do with
> vandalizing someone's computer.

[snip "I Love You" misunderstanding]

> There's a MILLION legitimate reasons to want to launch an exe without
> having to get additional security warnings.

So tell me one - you STILL have not done. As far as I can see there are
none at all - EVER.
Jul 23 '05 #9

thestrae wrote:

> Thanks to all for getting this started. YES - there are reasons to
> execute an EXE from an HTML page that have nothing to do with
> vandalizing someone's computer.

Yes but how is the user to tell that he can/should trust you? And how is
the user to tell that you are you?

> While it is obvious that an EXE should not be launched by the browser
> without confirmation

No, it's called security!

> - it is just as sensible to provide for an "Always allow THIS file to
> run" option.

And how is the user to know/trust "this file"? And why wouldn't a hacker
attack exactly that privilege and pretend to be "this file" or "this
site"? And what if the hacker hacks the site and places his favorite
virus in "this file"?

> The lack of options like that was the root cause for the I LOVE YOU
> virus's vigor.

Ignorance! True ignorance! The "I Love You" virus came in email, not the
web, as an attachment that users opened up and were *not* given a
confirmation such as "Are you sure you want to run this?".

> I will explain that: The ILY bug LOOKED like a TXT file - clicking on
> it launched a window that end-users had been seeing for over a year on
> TXT files, stupidly warning them that a harmless file might be harmful.

Clicking on txt files simply displays them. If it "looked" like a txt
file then it shouldn't have launched any window. If it looked like a txt
file and launched a window then that's a real good sign that it is not a
txt file and the warning should be heeded.

> The inability to stop the warnings led to the lack of attention on the
> end-users' part that fueled the spread of the virus.

Huh? You're attempting to say that warning the user of a possible virus
invocation causes the virus to spread!?! Amazing! So your solution is
to not warn the user so that what? The virus can spread faster?!?

> I am careful and diligent - I am not ignorant about my computer's
> weaknesses.

The computer's weakness is often its owner.

> A few weeks ago I clicked on continue on a file that I was 99%
> positive was malware. Why? Because I am so friggin programmed to click
> that damn OK button when I dl things.

Bingo! Perhaps it's the MS mentality of "attach everything and have
everything attached run a separate program requiring the user to double
click just about everything in the normal course of doing their work"
that may make you programmed but it doesn't make me programmed. Oh yeah
I get the email messages that simply say see the attached Word/Excel/etc
document that contains content that could just as easily simply be
expressed in the email message itself. When I encounter such things I do
stop and think. Of course now I'm in the situation where I must open the
attachment but I've already thought about it and decided, based on the
sender (is it somebody I know, say from work, where I should open this
attachment), to open the attachment and read it. After reading it, if it
is one of those things that could have been as easily simply put in the
email message I respond and tell them "Hey why the doc file? Why not
simply write it directly into the email?" - but I guess I'm just like that.

> I SHOULD have the right to specify which locations are NEVER to be
> questioned.

I believe in many instances, and with MS insecure applications, you can.
You may need to configure it. But please allow security to be the rule
since there are so many people like you who ruin it for everybody else.

> Yep, some dummy is going to enable the ip range between 1.0.0.1 and
> 254.255.255.254 but that's HIS problem.

No, it becomes *our* problem as they open attachments and click on exe's
on web sites, run the contained virii which then takes over their computer
and spreads the virii to *other* computers such as ours!

> There's a MILLION legitimate reasons to want to launch an exe without
> having to get additional security warnings.

The additional security warning is but a second or two of the end user's
time. Compare that with the millions of illegitimate reasons that
hackers and other such crooks have to launch an exe without security and
you should be able to see that the trade off is minimal.

> Here's another promising approach:
>
> http://www.whirlywiryweb.com/q/launchinie.asp

Yet another IE only Active/X insecure control! Geeze, guess they never
learn...

> The HTA thing works <sort of> for me - but I am trying to make a
> custom interface using DHTML menu builder and I am not sure how to
> plug the JS codes you posted into my pull-down HTML pages

--
I said "NO" to drugs, but they didn't listen.

Jul 23 '05 #10
