hey, its me again – bringing back a functionality that was removed from microsoft since Windows 2012 (or Windows 8), yay. this is not the first time that im coding a tool to recreate a missing feature that was working in older Windows versions (check my blog for volume.exe).
UPDATE 02.10.2018: Version 1.7.1 fixed false positive detections for some AV (incl. Defender)
UPDATE 23.08.2018: Version 1.7 adds get and del parameters, comment char # for config files, EULA
UPDATE 17.06.2018: Version 1.6 adds support for protocols (except http and https) on build 1607 and lower
UPDATE 14.12.2017: Version 1.5 adds support for Windows 8.x and Server 2012/R2
UPDATE 10.12.2017: Version 1.4 adds support for protocols like mailto, https, etc. (only for 1703 and up)
UPDATE 26.11.2017: Version 1.3 can now set multiple file type associations based on a config file.
UPDATE 04.11.2017: Version 1.2 completely rewritten in C to avoid AV false positives.
UPDATE 29.10.2017: Version 1.1.1 includes small changes due AV false positive detections.
UPDATE 28.10.2017: Version 1.1 can now check for Group Memberships.
SetUserFTA sets User File Type Associations per command line or script on Windows 8/10 and Server 2012/2016/2019.
ATTENTION: Windows 1803 and 1809 have an issue with file type associations after the october update. Microsoft is working on a resolution and estimates a solution will be available in late November 2018. UPDATE 06.12.2018: Microsoft has released a fix for 1803 (KB4467682) and (KB4469342) for 1809.
recently i had to fight a lot with windows file type associations. microsoft changed the way how it works drastically and it is a pain for an administrator to set or to roam FTA’s. if you followed my blog, you noticed that i already have two posts about FTA on server 2016. hopefully this one will be the last – because its the missing piece of the puzzle!
i will just quote microsoft on this issue (or feature?):
In Pre-Win 8, apps could set the default handler for a file type/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry. However In Win 8, the registry changes are verified by a hash (unique per user and app) that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.
Microsoft offers a solution with GPO, but it is Computer-based and not User-based – and rather complicated. this means, you can not associate your Users on the same Server/Client with different file types. for example:
you have a PDF viewer and a PDF editing software on your XenApp server. Now you want that a certain group opens their PDF’s in the editor and the others only in the viewer (for licensing reasons for example). this is NOT possible anymore and Microsoft states “it is by design” and “this is a security measure”.
the hash is secret. Microsoft will not share it with you and obviously doesnt even share it with Citrix – this made me angry and angry me doesnt like a broken system. because i am into reverse engineering and security, i decided to look for the hash algorithm – and yes, i succeeded.
but ever thought about why microsoft is doing this? is it really about malware hijacking or maybe it is all about “setting our defaults and you must accept them”? why not simply display a popup where the user has to confirm an FTA change?
a filetype is protected by a hash in the user registry – for example:
if the secret hash doesn’t match, the file type association is not being used and the system default kicks in.
SetUserFTA generates this secret hash for a supplied extension.
how to use SetUserFTA:
i made it very easy for you and the only thing you have to supply is the extension and the ProgId (optional since Version 1.1, a groupname). it works just like assoc.exe:
SetUserFTA.exe extension progid (optional:Groupname)
and since v1.7
will show all protected filetypes, just like GetUserFTA
SetUserFTA.exe del extension
will delete an association from the user registry
SetUserFTA.exe .pdf AcroExch.Document.DC
this will associate .pdf file with Acrobat Reader for the current user.
SetUserFTA.exe .pdf AcroExch.Document.DC “Adobe Acrobat Users”
this will associate .pdf files with Acrobat Reader only if the current user is member of the “Adobe Acrobat Users” group. if the group contains spaces, you must use quotes.
this will read all associations from the config file and set them. the file can be on a share or locally. just add every filetype on a new line like this:
.pdf, AcroExch.Document.DC, GRP_Adobe_Reader
values have to be separated by a comma. the group is optional.
using a config file, group names with spaces must not use quotes (but using SetUserFTA per command line they have to).
Note: you can supply a domain with the group name like “DOMAIN\Adobe Reader” or even in UPN format.
a valid config file could look like this (since v1.7 you can add comments by starting a line with #):
to create such a config file, you can run “SetUserFTA get >config.txt“. since version 1.4 SetUserFTA also supports protocol handlers in the config file (mailto, https, http, etc) – but http and https will be ignored on Windows 1607. use SetDefaultBrowser instead.
you can find the ProgId’s also in the registry or with assoc.exe. the easiest way to get what you need, is to manually associate a software with a filetype and then use “SetUserFTA get” or check this registry key for the values (replace .log with your extension):
SetUserFTA will get the current users SID, the registry timestamp and calculates the hash. it will write it (including the ProgId and the extension) to the user registry under the subkey referenced above.
how can i deploy this?
here are some ideas (if i missed a good one, please let me know):
- use the logon script feature in a GPO (my favorite way)
- powershell login script in a GPO
- a legacy bat/cmd logonscript
- the Run or RunOnce registry key in HKEY_CURRENT_USER
- the startup folder in the startmenu
- any software deployment solution like SCCM
- a scheduled task
- GPO: User Configuration\Administrative Templates\System\Run These Programs at User Logon
- Citrix WEM (blog post by James Kindon)
- VMware UEM (blog post by Ivan de Mes)
its up to you. be creative 😉
IMPORTANT: SetUserFTA must run in the users context – no administrative or system privileges. sometimes the timing can be important aswell – make sure it runs after the profile of the user is loaded.
here are some tips which can help you to find the associations that you need:
- assoc.exe | find “.txt” – this will list the ProgId for txt files
- ftype.exe | find “txtfile” – will list the executable associated with the ProgId txtfile
- reg.exe query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice /v ProgId – gets the ProgId of the User FTA for your file extension
- if you encounter a ProgId that looks like “Applications\uedit64.exe“, you need to deploy the corresponding entry from “HKEY_CURRENT_USER\SOFTWARE\Classes” aswell. to roam it with UPM in a Citrix environment you can use my workaround.
- you can override HKLM associations (ProgId’s) in HKCU. for example: HKEY_CLASSES_ROOT\.vsdx can be imported to HKEY_CURRENT_USER\SOFTWARE\Classes\.vdx and then it will be prefered. if you do that, you need to roam it properly (UsrClass.dat).
- if you still see the OpenWith dialog (especially after adding new applications: “keep using this app“) you can disable this feature with this registry key:[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
this registry key also works with HKEY_CURRENT_USER!
the GPO Do not show the ‘new application installed’ notification (Windows Components, File Explorer) will only work on HKLM – but its also an option to disable this popup
where did you get the hash algorithm from?
i reverse engineered it.
does this mean you did reverse engineer windows itself to recover the algorithm?
which tools did you use for that?
which language have you used to code the app?
v1.0 – v1.1.1: assembly. compiled in Tasm (Borland Turbo Assembler) – i know, very oldschool.
v1.2 and up: gcc and Microsoft Macro Assembler (to create an obj file).
v1.4 is now fully coded in C/gcc
v1.7 is compiled in tcc
v1.7.1 is using gcc again, because tcc caused to many antivirus false positives
by assembler you mean machine code?
which platforms does this work on?
i have tested it on windows 8/10 and server 2012/2016/2019 up to build 1809.
is it 32bit compatible?
yes. x64 and x86 (the binary is 32bit).
can i have the source code?
is unicode supported?
group names can contain unicode characters, but extensions or ProgId’s not. the “get” parameter supports unicode already.
can it also generate hashes for protocols (http, mailto, etc)?
yes, but http and https wont work on 1607 or lower. please use my SetDefaultBrowser instead.
are there any other limitations?
not at the moment. version 1.2 adds verbose output and some basic error handling.
can i break something with your app?
not really. the only thing that can go wrong are the file type associations, but it will only affect the current user and not the machine. the del parameter is destructive, but if you do something wrong, it can be fixed by using SetUserFTA again with proper parameters.
which privileges are needed to run this app?
just plain user privileges.
thats great work, can i donate somehow?
yeah – see below the paypal button.
here you can download SetUserFTA v1.7.1. SHA256 hashes below.
Version 1.1 – adds support for group membership checking
Version 1.2 – is completely rewritten in C. it also offers now verbose output on errors
Version 1.3 – new funtionality: multiple file type associations with a configuration file
Version 1.4 – support for protocols like mailto, https, http, etc (only for Windows 1703 and newer)
Version 1.5 – support for Windows 8.x and Server 2012/R2
Version 1.6 – added protocols (except http and https) support on 1607 or lower builds
Version 1.7 – get and del parameters added, # char for comments in config files, EULA
Version 1.7.1 – fixes false positive antivirus detections
please report issues to bugs @ mydomain. thanks.