Re: Workarounds that kill Active-X controls.

In microsoft.public.win2000.registry Jim Nugent wrote:

I'm reposting this, crossposting and with f/u set to,
microsoft.public.win2000.registry...

In news:uIbsKeL5GHA.2288@xxxxxxxxxxxxxxxxxxxx,
Jim Nugent <njim2k-nntp@xxxxxxxxx> wrote:
So far, I believe we've been advised of two security
workarounds the involve setting the kill bit for 3 controls.
After the patch comes out, presumably these controls could be
re-enabled. If I apply the .reg file printed in the article, it
"slam dunks" 0x400 into the appropriate values for
Compatibility Flags. My question is what if some bits were
already set? Should I be checking before hand and or'ing the
0x400 bit into the DWORD?

Making a Full Registry Backup in advance would be *good*!
Short of that an Export saved for reference would be also be
useful.

Both the REG files I have seen and I believe the dedicated EXE
tools for this "set a kill bit" ignore the possibility of an
existing Compatibility Flag value might be present. Not so good.


ISTR an article that explains what each bit does, but I can't
seem to find it now.

I don't have that one, but may have seen it once. Let's see if
another posts a link.

Any help would be appreciated. I'm collecting .reg files that
have been applied, but their reversal would appear to be
removing the key for that control. Does that make sense?

Not necessary. Just remove the "Compatibility Flags" Value. OR,
revert the value's data to the preexisting one, if appropriate.
The key itself can be removed in the case it did not previously
exist of course. Not entirely certain if "empty" Keys there
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\
serve a purpose so tread lightly.

One might write a batch file using REG.EXE to accomplish
search for existing value and save it
create/apply "kill bit" changes
==== demo data only ==(wrapped)=====
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{D7A7D7C3-D47F-11D0-89
D3-00A0C90833E6}
Compatibility Flags REG_DWORD 0x400
_oldValue REG_DWORD 0x20
========================

I should mention a GUI tool: Nirsoft's ACM (ActiveX Compatibility
Manager) (free) nirsoft.net
This tool does _not_ save existing Compatibility Flags data when
"disable" is selected. Also has a limited CLI usage.

I feel it necessary to mention also that this and the recent
"unregister vgx.dll" need to be undertaken using Administrator
Group authority as do most system administration actions. Yes,
some have tried from a "limited account", and failed.

.

Relevant Pages

  • Workarounds that kill Active-X controls.
    ... setting the kill bit for 3 controls. ... After the patch comes out, ... If I apply the .reg file printed in the ...
    (microsoft.public.win2000.security)
  • RE: ActiveX controls fail to load
    ... The kill bit is often used to block malicious or maliciously used activeX ... > controls have failed to load. ... > office.microsoft.com as a trusted site without server verification; ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Killing a process...
    ... What permission or attribute controls whether a process can be manually ... I used to be able to kill ... server... ...
    (microsoft.public.dotnet.security)
  • Re: Windows Update KB960715 blocks MSFLXGRD.OCX!!!!! Any solution
    ... unfortunately controls can not be used as soon as this kill bit is set. ... Just removing 400 value ... It's becoming a big problem... ...
    (microsoft.public.vb.general.discussion)