{"id":346,"date":"2017-10-25T20:11:19","date_gmt":"2017-10-25T19:11:19","guid":{"rendered":"http:\/\/kolbi.cz\/blog\/?p=346"},"modified":"2025-01-02T15:01:14","modified_gmt":"2025-01-02T14:01:14","slug":"setuserfta-userchoice-hash-defeated-set-file-type-associations-per-user","status":"publish","type":"post","link":"https:\/\/kolbi.cz\/blog\/2017\/10\/25\/setuserfta-userchoice-hash-defeated-set-file-type-associations-per-user\/","title":{"rendered":"SetUserFTA: UserChoice Hash defeated – Set File Type Associations per User or Group on Windows 8\/10\/11 and 2012\/2016\/2019\/2022"},"content":{"rendered":"

SetUserFTA has now its own domain: https:\/\/setuserfta.com<\/a> and this page will only remain for historical reasons.<\/span><\/h1>\n

SetUserFTA sets User File Type Associations per command line or script on Windows 8\/10\/11 and Server 2012\/2016\/2019\/2022.<\/p>\n

ATTENTION: if SetUserFTA does not work for http, https and .pdf, please read my blogpost about the<\/strong><\/span> UserChoice Protection Driver<\/a><\/p>\n

the story:<\/h1>\n

recently i had to fight a lot with windows file type associations. microsoft changed the way how it works drastically and it is a pain for an administrator to set or to roam FTA’s. if you followed my blog, you noticed that i already have two posts about FTA on server 2016. hopefully this one will be the last – because its the missing piece of the puzzle!<\/p>\n

i will just quote microsoft on this issue (or feature?):<\/p>\n

In Pre-Win 8, apps could set the default handler for a file type\/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry. However In Win 8, the registry changes are verified by a hash (unique per user and app)\u00a0 that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.<\/em><\/p><\/blockquote>\n

Microsoft offers a solution<\/a> with GPO, but it is Computer-based and not User-based – and rather complicated. this means, you can not associate your Users on the same Server\/Client with different file types. for example:<\/p>\n

you have a PDF viewer and a PDF editing software on your XenApp server. Now you want that a certain group opens their PDF’s in the editor and the others only in the viewer (for licensing reasons for example). this is NOT possible anymore and Microsoft states “it is by design” and “this is a security measure”.<\/p>\n

the hash is secret. Microsoft will not share it with you and obviously doesnt even share it with Citrix – this made me angry and angry me doesnt like a broken system. because i am into reverse engineering and security, i decided to look for the hash algorithm – and yes, i succeeded.<\/p>\n

but ever thought about why microsoft is doing this? is it really about malware hijacking or maybe it is all about “setting our defaults and you must accept them”? why not simply display a popup where the user has to confirm an FTA change?<\/p>\n

<TL><DR><\/p>\n

a filetype is protected by a hash in the user registry – for example:<\/p>\n

HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\UserChoice\\Hash<\/p>\n

if the secret hash doesn’t match, the file type association is not being used and the system default kicks in.<\/p>\n

SetUserFTA generates this secret hash for a supplied extension.<\/strong><\/p>\n

<\/TL><\/DR><\/p><\/blockquote>\n

how to use SetUserFTA:<\/h1>\n

i made it very easy for you and the only thing you have to supply is the extension and the ProgId (optional since Version 1.1, a groupname). it works just like assoc.exe:<\/p>\n

SetUserFTA.exe extension progid (optional:Groupname)<\/strong><\/p>\n

or<\/p>\n

SetUserFTA.exe configfile<\/strong><\/p>\n

and since v1.7<\/p>\n

SetUserFTA.exe get<\/strong><\/p>\n

will show all protected filetypes, just like GetUserFTA<\/a><\/p>\n

SetUserFTA.exe del extension<\/strong><\/p>\n

will delete an association from the user registry<\/p><\/blockquote>\n

Example:<\/p>\n

SetUserFTA.exe .pdf AcroExch.Document.DC<\/strong><\/p>\n

this will associate .pdf file with Acrobat Reader for the current user.<\/p>\n

SetUserFTA.exe .pdf AcroExch.Document.DC “Adobe Acrobat Users”<\/strong><\/p>\n

this will associate .pdf files with Acrobat Reader\u00a0only if the current user is member of the “Adobe Acrobat Users” group.\u00a0if the group contains spaces, you must use quotes<\/strong>.<\/em><\/p>\n

SetUserFTA.exe \\\\mydomain.local\\fileshare\\SetUserFTAconfig.txt<\/strong><\/p>\n

this will read all associations from the config file and set them. the file can be on a share or locally. just add every filetype on a new line like this:<\/p>\n

.pdf, AcroExch.Document.DC, GRP_Adobe_Reader<\/pre>\n
values have to be separated by a comma. the group is optional.
\nusing a config file, group names with spaces\u00a0must not <\/strong>use quotes (but using SetUserFTA per command line they have to)<\/em>.<\/p>\n
Note:<\/strong> you can supply a domain with the group name like “DOMAIN\\Adobe Reader” or even in UPN format.\u00a0<\/em><\/p>\n
a valid config file could look like this (since v1.7 you can add comments by starting a line with #<\/strong>):<\/p>\n
\"\"<\/a><\/p>\n
to create such a config file, you can run “SetUserFTA get >config.txt<\/strong>“. since version 1.4 SetUserFTA also supports protocol handlers in the config file (mailto, https, http, etc<\/strong>) – but http<\/em> and https<\/em> will be ignored on Windows 1607. use SetDefaultBrowser<\/strong> <\/a>instead.<\/p>\n
you can find the ProgId’s also in the registry or with assoc.exe<\/strong>. the easiest way to get what you need, is to manually associate a software with a filetype and then use “SetUserFTA get” or check this registry key for the values (replace .log with your extension):<\/p>\n
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.log<\/strong><\/span>\\UserChoice<\/p><\/blockquote>\n
SetUserFTA will get the current users SID, the registry timestamp and calculates the hash. it will write it (including the ProgId and the extension) to the user registry under the subkey referenced above.<\/p>\n
how can i deploy this?<\/h1>\n
here are some ideas (if i missed a good one, please let me know):<\/p>\n