hey, its me again – bringing back a functionality that was removed from microsoft since Windows 2012 (or Windows 8), yay. this is not the first time that im coding a tool to recreate a missing feature that was working in older Windows versions (check my blog for volume.exe).
UPDATE 23.08.2018: Version 1.7 adds get and del parameters, comment char # for config files, EULA
UPDATE 17.06.2018: Version 1.6 adds support for protocols (except http and https) on build 1607 and lower
UPDATE 14.12.2017: Version 1.5 adds support for Windows 8.x and Server 2012/R2
UPDATE 10.12.2017: Version 1.4 adds support for protocols like mailto, https, etc. (only for 1703 and up)
UPDATE 26.11.2017: Version 1.3 can now set multiple file type associations based on a config file.
UPDATE 04.11.2017: Version 1.2 completely rewritten in C to avoid AV false positives.
UPDATE 29.10.2017: Version 1.1.1 includes small changes due AV false positive detections.
UPDATE 28.10.2017: Version 1.1 can now check for Group Memberships.
SetUserFTA sets User File Type Associations per command line or script on Windows 8/10 and Server 2012/2016.
recently i had to fight a lot with windows file type associations. microsoft changed the way how it works drastically and it is a pain for an administrator to set or to roam FTA’s. if you followed my blog, you noticed that i already have two posts about FTA on server 2016. hopefully this one will be the last – because its the missing piece of the puzzle!
i will just quote microsoft on this issue (or feature?):
In Pre-Win 8, apps could set the default handler for a file type/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry. However In Win 8, the registry changes are verified by a hash (unique per user and app) that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.
Microsoft offers a solution with GPO, but it is Computer-based and not User-based – and rather complicated. this means, you can not associate your Users on the same Server/Client with different file types. for example:
you have a PDF viewer and a PDF editing software on your XenApp server. Now you want that a certain group opens their PDF’s in the editor and the others only in the viewer (for licensing reasons for example). this is NOT possible anymore and Microsoft states “it is by design” and “this is a security measure”.
the hash is secret. Microsoft will not share it with you and obviously doesnt even share it with Citrix – this made me angry and angry me doesnt like a broken system. because i am into reverse engineering and security, i decided to look for the hash algorithm – and yes, i succeeded.
but ever thought about why microsoft is doing this? is it really about malware hijacking or maybe it is all about “setting our defaults and you must accept them”? why not simply display a popup where the user has to confirm an FTA change?
a filetype is protected by a hash in the user registry – for example:
if the secret hash doesn’t match, the file type association is not being used and the system default kicks in.
SetUserFTA generates this secret hash for a supplied extension.
details about the hash:
i don’t want to disclose too much about the hash, because Microsoft probably will not like that. but i can tell you, that anyone with reverse engineering knowhow can discover it rather quickly. it took me about a day to find it and to get an idea about how it works. to code the SetUserFTA.exe it took me more time – but that is because of the coding language i’ve used.
however – i will show you some pseudocode about the hash-generation. since it is about filetypes, it obviously includes details about the filetype. here is a structure that illustrates the string that is being hashed:
extension = “.txt”; the file extension
sid = “S-1-5-21-463486358-3398762107-1964875780-1001” ; the SID of the current user
progid = “txtfile”; the ProgId of the desired association
regdate = “01d3442a29887400”; timestamp of the UserChoice registry key
experience = “a microsoft secret string”; a static string (this is a dummy example, not the real string)
this includes a funny detail – regdate is the timestamp of the UserChoice key in the registry. i didn’t even know that registry keys have timestamps and as soon you modify the key, it will change the timestamp and the hash is not correct anymore.
beside of that, a user has the deny SetValue ACL set and as soon you give yourself full access, the timestamp will change too. that part was quite creative, but the rest of the hash generation was pretty straight forward and surprisingly easy.
consider these functions:
toLower() – converts uppercase characters to lowercase
MD5() – the normal MD5 hashing function (huh? why? its not even secure anymore)
MicrosoftHash() – the secret Microsoft hash reduction code (yes, you have read right – hash reduction)
Base64() – plain simple base64 encoding
to generate a valid hash, i had to do following:
- get the timestamp of the UserChoice registry key
- fill a buffer with the correct values (extension, SID, ProgId, timestamp, static string)
- hash and encode this buffer like this:
Base64(MicrosoftHash(MD5(toLower(extension, sid, progid, regdate, experience))));
and that was it. very secure and top secret. </sarcasm> hash reduction? really? the MicrosoftHash() code takes 128bit as input and returns a 64bit result. what the …?
how to use SetUserFTA:
i made it very easy for you and the only thing you have to supply is the extension and the ProgId (optional since Version 1.1, a groupname). it works just like assoc.exe:
SetUserFTA.exe extension progid (optional:Groupname)
and since v1.7
will show all protected filetypes, just like GetUserFTA
SetUserFTA.exe del extension
will delete an association from the user registry
SetUserFTA.exe .pdf AcroExch.Document.DC
this will associate .pdf file with Acrobat Reader for the current user.
SetUserFTA.exe .pdf AcroExch.Document.DC “Adobe Acrobat Users”
this will associate .pdf files with Acrobat Reader only if the current user is member of the “Adobe Acrobat Users” group. if the group contains spaces, you must use quotes.
this will read all associations from the config file and set them. the file can be on a share or locally. just add every filetype on a new line like this:
.pdf, AcroExch.Document.DC, GRP_Adobe_Reader
values have to be separated by a comma. the group is optional.
using a config file, group names with spaces must not use quotes (but using SetUserFTA per command line they have to).
Note: you can supply a domain with the group name like “DOMAIN\Adobe Reader” or even in UPN format.
a valid config file could look like this (since v1.7 you can add comments by starting a line with #):
to create such a config file, you can run “SetUserFTA get >config.txt“. since version 1.4 SetUserFTA also supports protocol handlers in the config file (mailto, https, http, etc) – but http and https will be ignored on Windows 1607. use SetDefaultBrowser instead.
you can find the ProgId’s also in the registry or with assoc.exe. the easiest way to get what you need, is to manually associate a software with a filetype and then use “SetUserFTA get” or check this registry key for the values (replace .log with your extension):
SetUserFTA will get the current users SID, the registry timestamp and calculates the hash. it will write it (including the ProgId and the extension) to the user registry under the subkey referenced above.
how can i deploy this?
here are some ideas (if i missed a good one, please let me know):
- use the logon script feature in a GPO (my favorite way)
- powershell login script in a GPO
- a legacy bat/cmd logonscript
- the Run or RunOnce registry key in HKEY_CURRENT_USER
- the startup folder in the startmenu
- any software deployment solution like SCCM
- a scheduled task
- GPO: User Configuration\Administrative Templates\System\Run These Programs at User Logon
- Citrix WEM (blog post by James Kindon)
- VMware UEM (blog post by Ivan de Mes)
its up to you. be creative 😉
IMPORTANT: SetUserFTA must run in the users context – no administrative or system privileges. sometimes the timing can be important aswell – make sure it runs after the profile of the user is loaded.
here are some tips which can help you to find the associations that you need:
- assoc.exe | find “.txt” – this will list the ProgId for txt files
- ftype.exe | find “txtfile” – will list the executable associated with the ProgId txtfile
- reg.exe query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice /v ProgId – gets the ProgId of the User FTA for your file extension
- if you encounter a ProgId that looks like “Applications\uedit64.exe“, you need to deploy the corresponding entry from “HKEY_CURRENT_USER\SOFTWARE\Classes” aswell. to roam it with UPM in a Citrix environment you can use my workaround.
- you can override HKLM associations (ProgId’s) in HKCU. for example: HKEY_CLASSES_ROOT\.vsdx can be imported to HKEY_CURRENT_USER\SOFTWARE\Classes\.vdx and then it will be prefered. if you do that, you need to roam it properly (UsrClass.dat).
- if you still see the OpenWith dialog (especially after adding new applications: “keep using this app“) you can disable this feature with this registry key:[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
this registry key also works with HKEY_CURRENT_USER!
the GPO Do not show the ‘new application installed’ notification (Windows Components, File Explorer) will only work on HKLM – but its also an option to disable this popup
where did you get the hash algorithm from?
i reverse engineered it.
does this mean you did reverse engineer windows itself to recover the algorithm?
which tools did you use for that?
which language have you used to code the app?
v1.0 – v1.1.1: assembly. compiled in Tasm (Borland Turbo Assembler) – i know, very oldschool.
v1.2 and up: gcc and Microsoft Macro Assembler (to create an obj file).
v1.4 is now fully coded in C/gcc
v1.7 is compiled in tcc
by assembler you mean machine code?
which platforms does this work on?
i have tested it on windows 10 and server 2016 from 1607 to 1803.
is it 32bit compatible?
yes. x64 and x86 (the binary is 32bit).
can i have the source code?
is unicode supported?
group names can contain unicode characters, but extensions or ProgId’s not. the “get” parameter supports unicode already.
can it also generate hashes for protocols (http, mailto, etc)?
yes, but http and https wont work on 1607 or lower. please use my SetDefaultBrowser instead.
are there any other limitations?
not at the moment. version 1.2 adds verbose output and some basic error handling.
can i break something with your app?
not really. the only thing that can go wrong are the file type associations, but it will only affect the current user and not the machine. the del parameter is destructive, but if you do something wrong, it can be fixed by using SetUserFTA again with proper parameters.
which privileges are needed to run this app?
just plain user privileges.
thats great work, can i donate somehow?
yeah – see below the paypal button.
here you can download SetUserFTA v1.7. SHA256 hashes below.
Version 1.1 – adds support for group membership checking
Version 1.2 – is completely rewritten in C. it also offers now verbose output on errors
Version 1.3 – new funtionality: multiple file type associations with a configuration file
Version 1.4 – support for protocols like mailto, https, http, etc (only for Windows 1703 and newer)
Version 1.5 – support for Windows 8.x and Server 2012/R2
Version 1.6 – added protocols (except http and https) support on 1607 or lower builds
Version 1.7 – get and del parameters added, # char for comments in config files, EULA
please report issues to bugs @ mydomain. thanks.