SetUserFTA: UserChoice Hash defeated – Set File Type Associations per User or Group on Windows 8/10/11 and 2012/2016/2019/2022

October 25, 2017 admin Citrix, Security, Windows, XenApp 320

SetUserFTA has now its own domain: https://setuserfta.com and this page will only remain for historical reasons.

SetUserFTA sets User File Type Associations per command line or script on Windows 8/10/11 and Server 2012/2016/2019/2022.

ATTENTION: if SetUserFTA does not work for http, https and .pdf, please read my blogpost about the UserChoice Protection Driver

the story:

recently i had to fight a lot with windows file type associations. microsoft changed the way how it works drastically and it is a pain for an administrator to set or to roam FTA’s. if you followed my blog, you noticed that i already have two posts about FTA on server 2016. hopefully this one will be the last – because its the missing piece of the puzzle!

i will just quote microsoft on this issue (or feature?):

In Pre-Win 8, apps could set the default handler for a file type/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry. However In Win 8, the registry changes are verified by a hash (unique per user and app)  that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.

Microsoft offers a solution with GPO, but it is Computer-based and not User-based – and rather complicated. this means, you can not associate your Users on the same Server/Client with different file types. for example:

you have a PDF viewer and a PDF editing software on your XenApp server. Now you want that a certain group opens their PDF’s in the editor and the others only in the viewer (for licensing reasons for example). this is NOT possible anymore and Microsoft states “it is by design” and “this is a security measure”.

the hash is secret. Microsoft will not share it with you and obviously doesnt even share it with Citrix – this made me angry and angry me doesnt like a broken system. because i am into reverse engineering and security, i decided to look for the hash algorithm – and yes, i succeeded.

but ever thought about why microsoft is doing this? is it really about malware hijacking or maybe it is all about “setting our defaults and you must accept them”? why not simply display a popup where the user has to confirm an FTA change?

<TL><DR>

a filetype is protected by a hash in the user registry – for example:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice\Hash

if the secret hash doesn’t match, the file type association is not being used and the system default kicks in.

SetUserFTA generates this secret hash for a supplied extension.

</TL></DR>

how to use SetUserFTA:

i made it very easy for you and the only thing you have to supply is the extension and the ProgId (optional since Version 1.1, a groupname). it works just like assoc.exe:

SetUserFTA.exe extension progid (optional:Groupname)

or

SetUserFTA.exe configfile

and since v1.7

SetUserFTA.exe get

will show all protected filetypes, just like GetUserFTA

SetUserFTA.exe del extension

will delete an association from the user registry

Example:

SetUserFTA.exe .pdf AcroExch.Document.DC

this will associate .pdf file with Acrobat R