Geoff Chappell - Software Analyst
DWORD AssocGetUrlAction (LPCWSTR pszAssoc);
The pszAssoc argument provides the address of a case-insensitive null-terminated string that describes the association to check.
The function returns one of the following URLACTION codes:
URLACTION_SHELL_EXECUTE_HIGHRISK (0x1806)   the association presents a high risk
URLACTION_SHELL_EXECUTE_MODRISK (0x1807)    the association presents a moderate risk
URLACTION_SHELL_EXECUTE_LOWRISK (0x1808)    the association presents a low risk
The function first attempts to determine the risk levels as set by administrative policy. Each of the following three values (each of which may be in either of two keys, listed below in order of decreasing precedence) may supply a semicolon-delimited list of associations for its risk level:
The function examines each list, from high risk to low. If the given association is in one of these lists, the corresponding risk level is returned. If it is not in any of these lists, a default risk is established from another policy setting:
If this default risk evaluates as URLACTION_SHELL_EXECUTE_HIGHRISK, then this is returned. Otherwise, the function proceeds with finding a reason that the association presents a high risk even though it is not listed as such by policy.
The main defence is a hard-coded list of high-risk file extensions: .ade, .adp, .app, .asp, .bas, .bat, .cer, .chm, .cmd, .com, .cpl, .crt, .csh, .exe, .fxp, .grp, .hlp, .hta, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .mshxml, .msi, .msp, .mst, .ops, .pcd, .pif, .pl, .prf, .prg, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .tmp, .url, .vb, .vbe, .vbs, .vsmacros, .ws, .wsc, .wsf, .wsh.
If the string at pszAssoc is empty, or is just a period, or is any of the hard-coded extensions, or is the ProgID for any of these extensions, then the function returns that the association is high-risk. An association counts as the ProgID for an extension if it is the string data for the default value of the extension as a subkey of HKEY_CLASSES_ROOT.
The function also rules an association as high-risk if the FTA_AlwaysUnsafe bit (0x00020000) is set in the association’s EditFlags value.
If the function's own information and its interpretation of registry data for shell associations are not enough to decide whether the association is high-risk, the function asks the system. If the ADVAPI32 function SaferiIsExecutableFileType (whose details lie outside the scope of these notes) says that files of this type are executable, then the association is high-risk. Otherwise, the function returns the administrative default.
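The decision sequence described above, from the policy lists through the hard-coded extensions, the ProgID lookup, the EditFlags test and the final appeal to the system, is easier to see as one ordered function. The following is an added illustration, not code from SHLWAPI or from these notes: it models the registry and policy data as in-memory tables (the Policy and AssocEntry structures, the sample policy and sample registry, and the file types .foo, .bar and .baz are all constructed), and a per-entry safer_executable flag stands in for whatever SaferiIsExecutableFileType would answer. The hard-coded extension list and the URLACTION and FTA_AlwaysUnsafe values are the ones given in the notes.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define URLACTION_SHELL_EXECUTE_HIGHRISK 0x1806u
#define URLACTION_SHELL_EXECUTE_MODRISK  0x1807u
#define URLACTION_SHELL_EXECUTE_LOWRISK  0x1808u
#define FTA_AlwaysUnsafe                 0x00020000u

/* The hard-coded high-risk extensions from the notes above. */
static const char *const high_risk_ext[] = {
    ".ade", ".adp", ".app", ".asp", ".bas", ".bat", ".cer", ".chm", ".cmd", ".com",
    ".cpl", ".crt", ".csh", ".exe", ".fxp", ".grp", ".hlp", ".hta", ".inf", ".ins",
    ".isp", ".its", ".js", ".jse", ".ksh", ".lnk", ".mad", ".maf", ".mag", ".mam",
    ".maq", ".mar", ".mas", ".mat", ".mau", ".mav", ".maw", ".mcf", ".mda", ".mdb",
    ".mde", ".mdt", ".mdw", ".mdz", ".msc", ".msh", ".mshxml", ".msi", ".msp", ".mst",
    ".ops", ".pcd", ".pif", ".pl", ".prf", ".prg", ".pst", ".reg", ".scf", ".scr",
    ".sct", ".shb", ".shs", ".tmp", ".url", ".vb", ".vbe", ".vbs", ".vsmacros", ".ws",
    ".wsc", ".wsf", ".wsh" };
#define N_HIGH_RISK_EXT (sizeof high_risk_ext / sizeof high_risk_ext[0])

/* Constructed stand-ins for the registry data the real function reads. */
typedef struct {
    const char *high_list, *mod_list, *low_list; /* semicolon-delimited, or NULL */
    unsigned default_risk;                       /* the policy's default risk */
} Policy;

typedef struct {
    const char *ext;        /* extension subkey under HKEY_CLASSES_ROOT */
    const char *progid;     /* string data of that subkey's default value */
    unsigned edit_flags;    /* the association's EditFlags */
    int safer_executable;   /* assumed answer from SaferiIsExecutableFileType */
} AssocEntry;

/* Case-insensitive compare of the first alen bytes of a with the whole of b. */
static int strieq_n(const char *a, size_t alen, const char *b)
{
    size_t i;
    for (i = 0; i < alen; i++)
        if (b[i] == '\0' || tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return b[alen] == '\0';
}
static int strieq(const char *a, const char *b) { return strieq_n(a, strlen(a), b); }

/* Does a semicolon-delimited policy list name this association? */
static int in_list(const char *list, const char *assoc)
{
    while (list && *list) {
        const char *end = strchr(list, ';');
        size_t len = end ? (size_t)(end - list) : strlen(list);
        if (strieq_n(list, len, assoc))
            return 1;
        list = end ? end + 1 : list + len;
    }
    return 0;
}

unsigned assoc_get_url_action(const char *assoc, const Policy *pol,
                              const AssocEntry *reg, size_t nreg)
{
    size_t i, j;
    const AssocEntry *e = NULL;

    /* 1. Policy lists, examined from high risk to low, beat every later check. */
    if (in_list(pol->high_list, assoc)) return URLACTION_SHELL_EXECUTE_HIGHRISK;
    if (in_list(pol->mod_list, assoc))  return URLACTION_SHELL_EXECUTE_MODRISK;
    if (in_list(pol->low_list, assoc))  return URLACTION_SHELL_EXECUTE_LOWRISK;

    /* 2. A high-risk policy default is returned without further inspection. */
    if (pol->default_risk == URLACTION_SHELL_EXECUTE_HIGHRISK)
        return URLACTION_SHELL_EXECUTE_HIGHRISK;

    /* 3. Empty string, bare period, hard-coded extension, or the ProgID of one. */
    if (assoc[0] == '\0' || strcmp(assoc, ".") == 0)
        return URLACTION_SHELL_EXECUTE_HIGHRISK;
    for (i = 0; i < N_HIGH_RISK_EXT; i++) {
        if (strieq(high_risk_ext[i], assoc))
            return URLACTION_SHELL_EXECUTE_HIGHRISK;
        for (j = 0; j < nreg; j++)
            if (strieq(reg[j].ext, high_risk_ext[i]) && strieq(reg[j].progid, assoc))
                return URLACTION_SHELL_EXECUTE_HIGHRISK;
    }

    /* 4. FTA_AlwaysUnsafe in the association's EditFlags. */
    for (j = 0; j < nreg && e == NULL; j++)
        if (strieq(reg[j].ext, assoc) || strieq(reg[j].progid, assoc))
            e = &reg[j];
    if (e && (e->edit_flags & FTA_AlwaysUnsafe))
        return URLACTION_SHELL_EXECUTE_HIGHRISK;

    /* 5. Ask the system; the table's flag stands in for SaferiIsExecutableFileType. */
    if (e && e->safer_executable)
        return URLACTION_SHELL_EXECUTE_HIGHRISK;

    /* 6. Otherwise the administrative default. */
    return pol->default_risk;
}

/* Constructed sample policy and registry, not real Windows data. */
static const Policy sample_policy = { NULL, ".docm;.xlsm", ".txt", URLACTION_SHELL_EXECUTE_LOWRISK };
static const AssocEntry sample_registry[] = {
    { ".exe", "exefile", 0, 1 },
    { ".txt", "txtfile", 0, 0 },
    { ".foo", "foofile", FTA_AlwaysUnsafe, 0 },  /* hypothetical type */
    { ".bar", "barfile", 0, 1 },                 /* hypothetical type */
    { ".baz", "bazfile", 0, 0 },                 /* hypothetical type */
};
#define SAMPLE_COUNT (sizeof sample_registry / sizeof sample_registry[0])

unsigned sample_action(const char *assoc)
{
    return assoc_get_url_action(assoc, &sample_policy, sample_registry, SAMPLE_COUNT);
}
```

With the sample data, ".docm" comes back moderate and ".TXT" low from policy alone; ".exe" and "EXEFILE" are high from the hard-coded list and its ProgID; ".foo" is high from EditFlags; ".bar" is high only because the system call stands in as saying it is executable; and ".baz" falls through to the low default. The order also shows the one point worth remembering as a defender: a policy list entry placing an extension at low risk overrides the hard-coded list, so those policy keys deserve the same scrutiny as any other allow-list.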
The AssocGetUrlAction function is exported from SHLWAPI.DLL as ordinal 561 in builds of version 6.00 from Windows XP SP2 and higher, from Windows Server 2003 SP1 and higher, and from Windows Vista and higher, and presumably in higher versions.
Though this function dates from 2004, it was still not documented by Microsoft in the January 2007 edition of the Software Development Kit (SDK) for Windows Vista.
The only practical merit of using AssocGetUrlAction instead of the documented AssocIsDangerous function is to obtain a finer gradation of low, medium or high, rather than high or not high.