SetUserFTA: UserChoice Hash defeated – Set File Type Associations per User or Group on Windows 8/10 and 2012/2016

hey, its me again – bringing back a functionality that was removed from microsoft since Windows 2012 (or Windows 8), yay. this is not the first time that im coding a tool to recreate a missing feature that was working in older Windows versions (check my blog for volume.exe).

UPDATE 17.06.2018: Version 1.6 adds support for protocols (except http and https) on build 1607 and lower
UPDATE 14.12.2017:
Version 1.5 adds support for Windows 8.x and Server 2012/R2
UPDATE 10.12.2017:
Version 1.4 adds support for protocols like mailto, https, etc. (only for 1703 and up)
UPDATE 26.11.2017: Version 1.3 can now set multiple file type associations based on a config file.
UPDATE 04.11.2017: Version 1.2 completely rewritten in C to avoid AV false positives.
UPDATE 29.10.2017: Version 1.1.1 includes small changes due AV false positive detections.
UPDATE 28.10.2017: Version 1.1 can now check for Group Memberships.

SetUserFTA sets User File Type Associations per command line or script on Windows 8/10 and Server 2012/2016.

the story:

recently i had to fight a lot with windows file type associations. microsoft changed the way how it works drastically and it is a pain for an administrator to set or to roam FTA’s. if you followed my blog, you noticed that i already have two posts about FTA on server 2016. hopefully this one will be the last – because its the missing piece of the puzzle!

i will just quote microsoft on this issue (or feature?):

In Pre-Win 8, apps could set the default handler for a file type/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry. However In Win 8, the registry changes are verified by a hash (unique per user and app)  that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.

Microsoft offers a solution with GPO, but it is Computer-based and not User-based – and rather complicated. this means, you can not associate your Users on the same Server/Client with different file types. for example:

you have a PDF viewer and a PDF editing software on your XenApp server. Now you want that a certain group opens their PDF’s in the editor and the others only in the viewer (for licensing reasons for example). this is NOT possible anymore and Microsoft states “it is by design” and “this is a security measure”.

the hash is secret. Microsoft will not share it with you and obviously doesnt even share it with Citrix – this made me angry and angry me doesnt like a broken system. because i am into reverse engineering and security, i decided to look for the hash algorithm – and yes, i succeeded.

but ever thought about why microsoft is doing this? is it really about malware hijacking or maybe it is all about “setting our defaults and you must accept them”? why not simply display a popup where the user has to confirm an FTA change?

<TL><DR>

a filetype is protected by a hash in the user registry – for example:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice\Hash

if the secret hash doesn’t match, the file type association is not being used and the system default kicks in.

SetUserFTA generates this secret hash for a supplied extension.

</TL></DR>

details about the hash:

i don’t want to disclose too much about the hash, because Microsoft probably will not like that. but i can tell you, that anyone with reverse engineering knowhow can discover it rather quickly. it took me about a day to find it and to get an idea about how it works. to code the SetUserFTA.exe it took me more time – but that is because of the coding language i’ve used.

however – i will show you some pseudocode about the hash-generation. since it is about filetypes, it obviously includes details about the filetype. here is a structure that illustrates the string that is being hashed:

extension = “.txt”; the file extension
sid = “S-1-5-21-463486358-3398762107-1964875780-1001” ; the SID of the current user
progid = “txtfile”; the ProgId of the desired association
regdate = “01d3442a29887400”; timestamp of the UserChoice registry key
experience = “a microsoft secret string”; a static string (this is a dummy example, not the real string)

this includes a funny detail – regdate is the timestamp of the UserChoice key in the registry. i didn’t even know that registry keys have timestamps and as soon you modify the key, it will change the timestamp and the hash is not correct anymore.

beside of that, a user has the deny SetValue ACL set and as soon you give yourself full access, the timestamp will change too. that part was quite creative, but the rest of the hash generation was pretty straight forward and surprisingly easy.

consider these functions:

toLower() – converts uppercase characters to lowercase

MD5() – the normal MD5 hashing function (huh? why? its not even secure anymore)

MicrosoftHash() – the secret Microsoft hash reduction code (yes, you have read right – hash reduction)

Base64() – plain simple base64 encoding

to generate a valid hash, i had to do following:

  • get the timestamp of the UserChoice registry key
  • fill a buffer with the correct values (extension, SID, ProgId, timestamp, static string)
  • hash and encode this buffer like this:

Base64(MicrosoftHash(MD5(toLower(extension, sid, progid, regdate, experience))));

and that was it. very secure and top secret. </sarcasm> hash reduction? really? the MicrosoftHash() code takes 128bit as input and returns a 64bit result. what the …?

how to use SetUserFTA:

i made it very easy for you and the only thing you have to supply is the extension and the ProgId (optional since Version 1.1, a groupname). it works just like assoc.exe:

SetUserFTA.exe extension progid (optional:Groupname)

or

SetUserFTA.exe configfile

Example:

SetUserFTA.exe .pdf AcroExch.Document.DC

this will associate .pdf file with Acrobat Reader for the current user.

SetUserFTA.exe .pdf AcroExch.Document.DC “Adobe Acrobat Users”

this will associate .pdf files with Acrobat Reader only if the current user is member of the “Adobe Acrobat Users” group. if the group contains spaces, you must use quotes.

SetUserFTA.exe \\mydomain.local\fileshare\SetUserFTAconfig.txt

this will read all associations from the config file and set them. the file can be on a share or locally. just add every filetype on a new line like this:

.pdf, AcroExch.Document.DC, GRP_Adobe_Reader

values have to be separated by a comma. the group is optional.
using a config file, group names with spaces must not use quotes (but using SetUserFTA per command line they have to).

Note: you can supply a domain with the group name like “DOMAIN\Adobe Reader” or even in UPN format. 

a valid config file could look like this:

to create such a config file, you can use my GetUserFTA utility. you can now (since version 1.4) use protocol handlers in the config file (mailto, https, http, etc) – but http and https will be ignored on Windows 1607. use SetDefaultBrowser instead.

you can find the ProgId’s also in the registry or with assoc.exe. the easiest way to get what you need, is to manually associate a software with a filetype and then use GetUserFTA or check this registry key for the values (replace .log with your extension):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\UserChoice

SetUserFTA will get the current users SID, the registry timestamp and calculates the hash. it will write it (including the ProgId and the extension) to the user registry under the subkey referenced above.

how can i deploy this?

here are some ideas (if i missed a good one, please let me know):

  • use the logon script feature in a GPO (my favorite way)
  • powershell login script in a GPO
  • a legacy bat/cmd logonscript
  • the Run or RunOnce registry key in HKEY_CURRENT_USER
  • the startup folder in the startmenu
  • any software deployment solution like SCCM
  • a scheduled task
  • Citrix WEM (blog post by James Kindon)
  • VMware UEM (blog post by Ivan de Mes)

its up to you. be creative 😉

IMPORTANT: SetUserFTA must run in the users context – no administrative or system privileges. sometimes the timing can be important aswell – make sure it runs after the profile of the user is loaded.

Example:

Tips:

here are some tips which can help you to find the associations that you need:

  • assoc.exe | find “.txt” – this will list the ProgId for txt files
  • ftype.exe | find “txtfile” – will list the executable associated with the ProgId txtfile
  • reg.exe query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice /v ProgId – gets the ProgId of the User FTA for your file extension
  • if you encounter a ProgId that looks like “Applications\uedit64.exe“, you need to deploy the corresponding entry from “HKEY_CURRENT_USER\SOFTWARE\Classes” aswell. to roam it with UPM in a Citrix environment you can use my workaround.
  • you can override HKLM associations (ProgId’s) in HKCU. for example: HKEY_CLASSES_ROOT\.vsdx can be imported to HKEY_CURRENT_USER\SOFTWARE\Classes\.vdx and then it will be prefered. if you do that, you need to roam it properly (UsrClass.dat).
  • if you still see the OpenWith dialog (especially after adding new applications: “keep using this app“) you can disable this feature with this registry key:[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
    “NoNewAppAlert”=dword:00000001
    this registry key also works with HKEY_CURRENT_USER!
    the GPO Do not show the ‘new application installed’ notification (Windows Components, File Explorer) will only work on HKLM – but its also an option to disable this popup

F.A.Q.

where did you get the hash algorithm from?

i reverse engineered it.

does this mean you did reverse engineer windows itself to recover the algorithm?

exactly.

which tools did you use for that?

procmon, x64dbg and IDA Pro

which language have you used to code the app?

v1.0 – v1.1.1: assembly. compiled in Tasm (Borland Turbo Assembler) – i know, very oldschool.
v1.2 and up: gcc and Microsoft Macro Assembler (to create an obj file).
v1.4 is now fully coded in C/gcc

by assembler you mean machine code?

yes.

which platforms does this work on?

i have tested it on windows 10 and server 2016 from 1607 to 1803.

is it 32bit compatible?

yes. x64 and x86 (the binary is 32bit).

can i have the source code?

no.

is unicode supported?

group names can contain unicode characters, but extensions or ProgId’s not.

can it also generate hashes for protocols (http, mailto, etc)?

yes, but http and https wont work on 1607 or lower. please use my SetDefaultBrowser instead.

are there any other limitations?

not at the moment. version 1.2 adds verbose output and some basic error handling.

can i break something with your app?

not really. the only thing that can go wrong are the file type associations, but it will only affect the current user and not the machine.

which privileges are needed to run this app?

just plain user privileges.

thats great work, can i donate somehow?

Download

here you can download SetUserFTA v1.6.

SHA256 of SetUserFTA.zip (D814386ACF27085A87922799E607D8AFC2C5F317091AE0F8F18BCDC36D2B7090)
SHA256 of SetUserFTA.exe (55B48C9E5B96F3CFD2D67543F08053204377C2355F7BAE581F3B30E5281F377E)

Version 1.1 – adds support for group membership checking
Version 1.2 – is completely rewritten in C. it also offers now verbose output on errors
Version 1.3 – new funtionality: multiple file type associations with a configuration file
Version 1.4 – support for protocols like mailto, https, http, etc (only for Windows 1703 and newer)
Version 1.5 – support for Windows 8.x and Server 2012/R2
Version 1.6 – added protocols (except http and https) support on 1607 or lower builds

help to keep this project and this blog alive – consider donating:

if you prefer cryptocurrencies, please contact me for the details.

Thank you!

please report issues to bugs @ mydomain. thanks.

40 Comments

  1. Hello, thanks for your work.
    I cannot execute your exe, getting this error :

    SetUserFTA.exe is not a win32 Valid application.

    Unziping the archive also give an error (Data Error)

    • this is most likely caused by your antivirus software – this version gets a lot of false positives. i am working on a new version that will resolve that issue.

      UPDATE: try with version 1.2. its completely rewritten and should work fine now.

  2. Awesome article and this has helped me greatly. I have been able to associate PDF to Adobe reader but it does not look like I have gotten it done completely. When I double click on a PDF file I get an error saying “There was an error opening this document. this file cannot be found”. I get this 5-6 times and then it goes away. With Adobe reader open I then click file, open and choose the exact same file I just double clicked on and it opens perfectly. What am I missing?

  3. Hello,
    i am trying to do it with logo script by gpo and its not working. when i am running it from command line on the user session is it work.
    do you have any ideal what is the reason?

  4. How many hours did I spend searching for a solution before finding that tool?

    Anyway, thanks a lot, the time saved will be incredible.

    For some reason, however, the tool only works for our computers in English. I guess the “experience” string might change according to the language.

    • the string is hardcoded and cannot change. but maybe the filetype string changes? maybe this is caused by special letters (unicode characters maybe?)

      can you give me an example of something that is not working? which filetype and which progid doesnt work?

        • thats fine then. which language are you using? actually microsoft os is always english, they just use language packs, so this can not be an issue. which operating system and which build are you using?

          • I started with a script, which worked on English builds, then noticed it didn’t work on a French build. When I tried it manually, it didn’t work either.
            However, on a computer that was installed in English, then swithced to French, I don’t have any issue.

  5. I see that you have recently added support for server 2012 R2. Does this include protocols? I am specifically looking for a Mailto protocol and to associate it with Office 2013. No matter how I configure it I cannot get it to go to outlook.
    SetUserFTA.exe mailto, Outlook.URL.mailto.15 or by pointing it to a config file I pull from GetUserFTA I cannot make it point to Outlook.

    • no. protocols only work on Windows 1703 and higher. that is because in older versions you need to specify the path of the protocol app aswell. i did only implement this in SetDefaultBrowser, but never for mailto. i might create a SetMailTo in the future, when i find time for it.

      but if you want Outlook for all your users, you can of course use the AppAssoc.xml with dism and GPO to set your default mail client.

  6. I was trying to use this tool to associate file extensions in Windows 10, but invoking from InstallShield script doesn’t runs. It seems like this tool doesn’t work with SYSTEM user previliges, since InstallShield script runs the process under SYSTEM user account. At the same time, You also have stated that “just plain user privileges” are needed to run. Any remedies for this situation?

  7. Awesome tool! Is there any setting that can be made to prevent Windows from asking “How do you want to open this file?” So that the user has to tick the “alway use this app to open .xxx files” to prevent this from popping ?

    • where do you see that? which windows build and which filetype? actually my tool does exactly that – but if windows finds a new handler for a certain filetype, it might show that popup again.

      • Thank you so much for this amazing tool, after weeks of pulling my hair on how to change the file Assoc. You finally offered us the solution. I am using it with OSD on SCCM. One thing tho as mathias_k mentioned it prompt users with the “Ho do you want to open this file?” menu and has the box at the bottom “Always use this app to open” unticked. I have to mention I have ran it manually using the config.txt file on a running machine and worked fine didn’t get this pop up, but when it was part of the automated deployment the end users getting prompt with the menu I mentioned above. It’s not a big of a deal, just wanted to let you know about this behavior and thanks again for the amazing tool.

          • The windows version is Windows 10 1709, and it only did that with the .pdf extension, but worked fine when I assigned the .html to chrome and I didn’t get the prompt. However I have found a work around the issue and created this .reg file that disabled this “How do you want open this file” menu.

            [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
            “NoNewAppAlert”=dword:00000001

            adding this key with your tool is all I needed to finish off my project. Thanks again :).

  8. Really nice work.
    And I can at least partly understand why you do not want to release the source code. On the other hand, that unfortunately means I cannot make use of it, since I have some responsibilities towards my employer and my users.

    • i dont really understand your concern. windows is a closed-source OS and most of the applications on it as well. i have very well documented my work and its completely clean on virustotal. SetUserFTA has been downloaded multiple-thousand times and it has a very good reputation.

      in my eyes an administrator has a responsibility yeah – bringing the best possible user experience to the users – and that is what my tools do 🙂

  9. WinServer 2016, 1607 not working
    SetUserFTA.exe mailto, Outlook.URL.mailto.15
    error: protocols are not supported on Windows 1607 and Windows 8/Server 2012

  10. I have a strange behavior with this tool.
    First of all i tried to set filetype .pdfxml / .acrobatsecruitysettings and that does not work. It will be ignored. Maybe filetype to long?

    The second one is. I used an Configfile to get .pdf registered. It will be run as a task on logon of the user. Everything is fine. Reader is associated and opens fine. Then a gpupdate runs after some time and .pdf is reverted to Microsoft Edge.
    Do you have a clue why?
    We do not set the filetype elsewhere. This is on 1709 (16299.492).

    • the size of the extensions is max 255 chars, therefore it cant be too long. can you check with GetUserFTA if the entry is written? or manually in the registry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.extension -> here should be a UserChoice key and the hash should change every time when you run SetUserFTA.

      when gpupdate changes a extension, there must be something in a policy. are you sure you dont have the “Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Set a default associations configuration file” configured in a gpo?

  11. Great tool, Christoph. You really did a great job! I knew about the hash issue as I monitor registry changes before I try to reproduce them using scripts or batch-files. But I never thought that I would find a tool that can compute this hash.

    A few remarks and questions: (Windows 10 Pro en-us 1803)

    1) Regarding the config.txt file, I had to save it in ANSI to be able to use it. Otherwise I am getting an error message about a comma.

    2) I use many portable apps (in folders on my HDD) – also video/music players.
    So, I used SetUserFTA with a config.txt to associate over 100 extensions with ‘Applications\VLCportable.exe’. After that – as a test – I did the same with ‘Applications\SMPlayerPortable.exe’. And then again with ‘Applications\VLCportable.exe’.

    But the ProgID ‘Applications\VLCportable.exe’ had been deleted!? How come?
    I had to associate one video extension with VLCportable manually once again and then it worked again.

    3) In your ‘tips’ it reads:
    QUOTE
    if you encounter a ProgId that looks like “Applications\uedit64.exe“, you need to deploy the corresponding entry from “HKEY_CURRENT_USER\SOFTWARE\Classes” as well.
    UNQUOTE
    This would apply to ‘Applications\VLCportable’, too. Can you please explain what exactly you mean here. For me there was no need to write anything else to the config.txt. but this
    .3ga, Applications\VLCportable.exe
    .669, Applications\VLCportable.exe
    .a52, Applications\VLCportable.exe

    4) Can you tell me the minimum requirements needed, to add e.g. a video player to the list to choose from in ‘Windows Default Apps’ settings? In the selection window for videos you would normally find only these:
    – Movies & TV
    – Photos
    – Windows Media Player
    – Look for an app in the Store

    However, after I associated over 100 extension with VLCportable, I could find VLCportable there, too. How come?

    Hope, these were not too many questions 🙂
    Regards
    Stefan

    • sorry for the late response, i was quite busy – that are a lot of questions… let me try to answer them all 🙂

      – you are right about ansi. i never tried a different format and never had a request for it. unicode strings are not supported atm, but maybe i can address that in a future update
      – i dont know why Applications\VLCportable.exe was deleted. SetUserFTA does only create the UserChoice keys and nothing else. all other registry keys must exist or be created before to have a proper association
      – my note about HKEY_CURRENT_USER\SOFTWARE\Classes means exactly that. you must pre-create the key if you automate something with SetUserFTA. it has nothing to do with the config file from SetUserFTA at all
      – i never analyzed what exactly is needed to show a program in the openwith dialog, because i dont even want to use it at all. users should not see that dialog at all in the best case and if all registry keys for a file associations match, you can avoid exactly that with SetUserFTA – but ill have a look. that is an interesting question 🙂

      • Thought I would receive an email notification about the approval of my comment and/or any answers or comments. That’s why it took me so long to realize that you already answered…

        Now, thanks a lot for taking the time to answer my questions 🙂

        Regarding the ANSI issue, this isn’t really a problem, but the user needs to know that it has to be ANSI. The error message doesn’t give you a clue what’s wrong. So, it might make sense to add a hint to the error message text.

        But as far as I am concerned, now I know it 🙂

        Thanks again and best regards,
        Stefan

      • Email Notification:

        Yes, now notification works 🙂
        Thanks!

        However, you cannot send a reply to the sender mail address. That’s why I’m answering here.

6 Trackbacks / Pingbacks

  1. SetUserFTA - Set per-user file type associations in Windows 10
  2. Dateiendungen automatisiert unter Windows 10 mit den gewünschten Applikationen verknüpfen ← Gunnar Haslinger
  3. Group Policy Objects – VDA User Settings – Carl Stalhood
  4. Workspace Environment Management 4.5 – Carl Stalhood
  5. How to programmatically configure file associations in Windows 10 and Server 2016 without DISM - Jose Espitia
  6. Edge hijacking .pdf associations – My Site

Leave a Reply