hey, its me again – bringing back a functionality that was removed from microsoft since Windows 2012 (or Windows 8), yay. this is not the first time that im coding a tool to recreate a missing feature that was working in older Windows versions (check my blog for volume.exe).
UPDATE 14.12.2017: Version 1.5 adds support for Windows 8.x and Server 2012/R2
UPDATE 10.12.2017: Version 1.4 adds support for protocols like mailto, https, etc. (only for 1703 and up)
UPDATE 26.11.2017: Version 1.3 can now set multiple file type associations based on a config file.
UPDATE 04.11.2017: Version 1.2 completely rewritten in C to avoid AV false positives.
UPDATE 29.10.2017: Version 1.1.1 includes small changes due AV false positive detections.
UPDATE 28.10.2017: Version 1.1 can now check for Group Memberships.
SetUserFTA sets User File Type Associations per command line or script on Windows 10 and Server 2016.
recently i had to fight a lot with windows file type associations. microsoft changed the way how it works drastically and it is a pain for an administrator to set or to roam FTA’s. if you followed my blog, you noticed that i already have two posts about FTA on server 2016. hopefully this one will be the last – because its the missing piece of the puzzle!
i will just quote microsoft on this issue (or feature?):
In Pre-Win 8, apps could set the default handler for a file type/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry. However In Win 8, the registry changes are verified by a hash (unique per user and app) that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.
Microsoft offers a solution with GPO, but it is Computer-based and not User-based – and rather complicated. this means, you can not associate your Users on the same Server/Client with different file types. for example:
you have a PDF viewer and a PDF editing software on your XenApp server. Now you want that a certain group opens their PDF’s in the editor and the others only in the viewer (for licensing reasons for example). this is NOT possible anymore and Microsoft states “it is by design” and “this is a security measure”.
the hash is secret. Microsoft will not share it with you and obviously doesnt even share it with Citrix – this made me angry and angry me doesnt like a broken system. because i am into reverse engineering and security, i decided to look for the hash algorithm – and yes, i succeeded.
but ever thought about why microsoft is doing this? is it really about malware hijacking or maybe it is all about “setting our defaults and you must accept them”? why not simply display a popup where the user has to confirm an FTA change?
a filetype is protected by a hash in the user registry – for example:
if the secret hash doesn’t match, the file type association is not being used and the system default kicks in.
SetUserFTA generates this secret hash for a supplied extension.
details about the hash:
i don’t want to disclose too much about the hash, because Microsoft probably will not like that. but i can tell you, that anyone with reverse engineering knowhow can discover it rather quickly. it took me about a day to find it and to get an idea about how it works. to code the SetUserFTA.exe it took me more time – but that is because of the coding language i’ve used.
however – i will show you some pseudocode about the hash-generation. since it is about filetypes, it obviously includes details about the filetype. here is a structure that illustrates the string that is being hashed:
extension = “.txt”; the file extension
sid = “S-1-5-21-463486358-3398762107-1964875780-1001” ; the SID of the current user
progid = “txtfile”; the ProgId of the desired association
regdate = “01d3442a29887400”; timestamp of the UserChoice registry key
experience = “a microsoft secret string”; a static string (this is a dummy example, not the real string)
this includes a funny detail – str_regdate is the timestamp of the UserChoice key in the registry. i didn’t even know that registry keys have timestamps and as soon you modify the key, it will change the timestamp and the hash is not correct anymore.
beside of that, a user has the deny SetValue ACL set and as soon you give yourself full access, the timestamp will change too. that part was quite creative, but the rest of the hash generation was pretty straight forward and surprisingly easy.
consider these functions:
toLower() – converts uppercase characters to lowercase
MD5() – the normal MD5 hashing function (huh? why? its not even secure anymore)
MicrosoftHash() – the secret Microsoft hash reduction code (yes, you have read right – hash reduction)
Base64() – plain simple base64 encoding
to generate a valid hash, i had to do following:
- get the timestamp of the UserChoice registry key
- fill a buffer with the correct values (extension, SID, ProgId, timestamp, static string)
- hash and encode this buffer like this:
Base64(MicrosoftHash(MD5(toLower(extension, sid, progid, regdate, experience))));
and that was it. very secure and top secret. </sarcasm> hash reduction? really? the MicrosoftHash() code takes 128bit as input and returns a 64bit result. what the …?
how to use SetUserFTA:
i made it very easy for you and the only thing you have to supply is the extension and the ProgId (optional since Version 1.1, a groupname). it works just like assoc.exe:
SetUserFTA.exe extension progid (optional:Groupname)
SetUserFTA.exe .pdf AcroExch.Document.DC
this will associate .log file with Notepad for the current user.
SetUserFTA.exe .pdf AcroExch.Document.DC “Adobe Acrobat Users”
this will associate .log files with Notepad only if the current user is member of the “Adobe Acrobat Users” group. if the group contains spaces, you must use quotes.
this will read all associations from the config file and set them. the file can be on a share or locally. just add every filetype on a new line like this:
.pdf, AcroExch.Document.DC, GRP_Adobe_Reader
values have to be separated by a comma. the group is optional.
using a config file, group names with spaces must not use quotes (but using SetUserFTA per command line they have to).
Note: you can supply a domain with the group name like “DOMAIN\Adobe Reader” or even in UPN format.
a valid config file could look like this:
to create such a config file, you can use my GetUserFTA utility. you can now (since version 1.4) use protocol handlers in the config file (mailto, https, http, etc) – but they will be ignored on Windows 1607 (use SetDefaultBrowser instead – maybe ill do a separate utility for mailto).
you can find the ProgId’s also in the registry or with assoc.exe. the easiest way to get what you need, is to manually associate a software with a filetype and then use GetUserFTA or check this registry key for the values (replace .log with your extension):
SetUserFTA will get the current users SID, the registry timestamp and calculates the hash. it will write it (including the ProgId and the extension) to the user registry under the subkey referenced above.
how can i deploy this?
here are some ideas (if i missed a good one, please let me know):
- use the logon script feature in a GPO (my favorite way)
- powershell login script in a GPO
- a legacy bat/cmd logonscript
- the Run or RunOnce registry key in HKEY_CURRENT_USER
- the startup folder in the startmenu
- any software deployment solution like SCCM
- Citrix WEM (blog post by James Kindon)
- VMware UEM (blog post by Ivan de Mes)
its up to you. be creative 😉
here are some tips which can help you to find the associations that you need:
- assoc.exe | find “.txt” – this will list the ProgId for txt files
- ftype.exe | find “txtfile” – will list the executable associated with the ProgId txtfile
- reg.exe query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice /v ProgId – gets the ProgId for the User FTA for your file extension
- if you encounter a ProgId that looks like “Applications\uedit64.exe“, you need to deploy the corresponding entry from “HKEY_CURRENT_USER\SOFTWARE\Classes” aswell. to roam it with UPM in a Citrix environment you can use my workaround.
- you can override HKLM associations (ProgId’s) in HKCU. for example: HKEY_CLASSES_ROOT\.vsdx can be imported to HKEY_CURRENT_USER\SOFTWARE\Classes\.vdx and then it will be prefered. if you do that, you need to roam it properly (UsrClass.dat).
- if you still see the OpenWith dialog (especially after adding new applications) you can disable the notification feature with this registry key:[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
or with the GPO Do not show the ‘new application installed’ notification”
where did you get the hash algorithm from?
i reverse engineered it.
does this mean you did reverse engineer windows itself to recover the algorithm?
which tools did you use for that?
which language have you used to code the app?
v1.0 – v1.1.1: assembly. compiled in Tasm (Borland Turbo Assembler) – i know, very oldschool.
v1.2 and up: gcc and Microsoft Macro Assembler (to create an obj file).
v1.4 is now fully coded in gcc
by assembler you mean machine code?
which platforms does this work on?
i have tested it on windows 10 and server 2016 from 1607 to 1709.
is it 32bit compatible?
yes. x64 and x86 (the binary is 32bit).
can i have the source code?
is unicode supported?
group names can contain unicode characters, but extensions or ProgId’s not.
can it also generate hashes for protocols (http, mailto, etc)?
yes, but only on Windows 1703 and up . please use my SetDefaultBrowser instead on 1607.
are there any other limitations?
not at the moment. version 1.2 adds verbose output and some basic error handling.
can i break something with your app?
not really. the only thing that can go wrong are the file type associations, but it will only affect the current user and not the machine.
which privileges are needed to run this app?
just plain user privileges.
thats great work, can i donate somehow – beside of the browser mining?
here you can download SetUserFTA v1.5.
SHA256 of SetUserFTA.zip (3E2199CF64AD6060C90FEFCEFF6BF76DA2EAF0D415B15F524A68B12A08E2A831) SHA256 of SetUserFTA.exe (6B7DBA337D2490083391623C1E2EAAFEC9C3DCBDE1DCDB2ABFD0E1F0C2BF31B8)
Version 1.1 – adds support for group membership checking
Version 1.2 – is completely rewritten in C. it also offers now verbose output on errors
Version 1.3 – new funtionality: multiple file type associations with a configuration file
Version 1.4 – support for protocols like mailto, https, http, etc (only for Windows 1703 and newer)
Version 1.5 – support for Windows 8.x and Server 2012/R2
please report issues to bugs @ mydomain. thanks.