How to stop an ActiveX control from running in Internet Explorer

This article describes how to stop an ActiveX control from running in Microsoft Internet Explorer and in Windows Internet Explorer. You can do this by modifying the data value of the Compatibility Flags DWORD value for the Class identifier (CLSID) of the ActiveX control.

Note For Microsoft Windows XP-based and Windows Server 2003-based computers, administrators can use Software restriction policies to prevent an ActiveX control from running in any programs on computers in an Active Directory domain environment. For more information about software restriction policies, visit the following Microsoft Web site:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

Warning Microsoft does not recommend unkilling (undoing the kill action on) an ActiveX control. If you do so, you may create security vulnerabilities. The kill bit is typically set for a reason that may be critical, and because of this, extreme care must be used when you unkill an ActiveX control. Also, because the following procedure is highly technical, do not continue unless you a very comfortable with the procedure and you it is a good idea to read the whole procedure before you start.

The CLSID for an ActiveX control is a GUID for that control. You can prevent an ActiveX control from running in Internet Explorer by setting the kill bit so that the control is never called by Internet Explorer when default settings are used.

The kill bit is a specific value for the Compatibility Flags DWORD value for the ActiveX control in the registry. This is different from revoking the "safe for scripting" option in an ActiveX control. When the "safe for scripting" option is revoked, Internet Explorer still calls for the control and then prompts you with a warning message that the ActiveX control may be unsafe. Depending on the choice you make, the control may be run. However, after the kill bit is set for an ActiveX control, that control is not called by Internet Explorer at all unless the Initialize and script ActiveX controls not marked as safe option is enabled in Internet Explorer. To set the kill bit, follow these steps:

1. Determine the CLSID for the ActiveX control that you want to disable. If you are not sure of the CLSID for the control, contact the manufacturer. If the control is installed, you may be able to determine its CLSID if you know its friendly name. To do this, examine the Default string value for the ProgID key for each of the CLSID keys in
   HKEY_CLASSES_ROOT\CLSID
   . You may have to remove as many ActiveX controls as possible, except for the one that you want to disable, to make it easier to identify the appropriate CLSID. For more information about how to remove ActiveX controls, click the following article number to view the article in the Microsoft Knowledge Base:
   154850  (http://support.microsoft.com/kb/154850/ ) How to remove an ActiveX control in Windows
2. Use Registry Editor to view the data value of the Compatibility Flags DWORD value of the ActiveX object CLSID in the following registry key
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\

   CLSID of the ActiveX control
   where CLSID of the ActiveX Control is the class identifier of the appropriate ActiveX control.
   
   Note Typically, you will have to manually create this registry key.
3. Change the value of the Compatibility Flags DWORD value to 0x00000400.

If a killbit is set for an ActiveX control and a new version of an ActiveX control is released with a different CLSID, you can enable Web sites that use the old CLSID to continue to work as intended. You do this by adding the new value at the same level as the Compatibility Flags value in the registry. This value should be a REG_SZ string that is named "AlternateCLSID." The AlternateCLSID value will appear enclosed in braces. For example, it will resemble the following: For example: Internet Explorer will interpret this value and create an instance of the ActiveX control that is referenced in the AlternateCLSID value instead of the one that has received a killbit.

Note For the AlternateCLSID value to be effective, the killbit must be set on the initial CLSID.

ActiveX control developers can use the TreatAs or AlternateCLSID registry values with the "kill bit" to have Internet Explorer check to see if an updated ActiveX control has been provided for use instead of a disabled ActiveX control. For information about how to use the TreatAs value, visit the following Microsoft Web site: To set the AlternateCLSID value, follow these steps:

1. Use Registry Editor to locate the disabled ActiveX object CLSID in the following registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\

   CLSID of the ActiveX control
   Where CLSID of the ActiveX Control is the class identifier of the appropriate ActiveX control.
   
   You can see the value of the Compatibility Flags is set to DWORD 00000400.
2. Add an AlternateCLSID string value to the CLSID key.
3. Set the data of the AlternateCLSID string value to {CLSID of the alternate ActiveX control}, where {CLSID of the ActiveX Control} is the class identifier of the updated ActiveX control.

The AlternateCLSID value instructs Internet Explorer to redirect to the CLSID for the updated ActiveX control. You can chain redirects up to ten levels deep.

The AlternateCLSID value is supported on the following versions of Internet Explorer.

• Internet Explorer 5.01 Service Pack 2 or later for Windows 2000 with MS03-004 or later
• Internet Explorer 5.5 Service Pack 2 with MS02-068 or later
• Internet Explorer 6 Service Pack 1
• Internet Explorer 6 for Windows XP with MS02-068 or later
• Internet Explorer 6 for Windows Server 2003
• Windows Internet Explorer 7 for Windows Server 2003 IA64
• Windows Internet Explorer 7 for Windows XP
• Windows Internet Explorer 7.0 for Windows Server 2003
• Windows Internet Explorer 7.0 in Windows Vista

Note Versions of Internet Explorer that are not listed in this article are either in the extended phase of the product life cycle or are no longer supported. Although you can set the kill bit on these versions of Windows and of Internet Explorer, Microsoft recommends that you also upgrade to a supported version of Internet Explorer and apply all appropriate updates. For more information about how to determine the version of Internet Explorer, click the following article number to view the article in the Microsoft Knowledge Base: For more information about the kill bit for ActiveX controls, see the following Microsoft Security Vulnerability Research & Defense Blog posts:

Application vendors that have security issues with an ActiveX control that they own may request that Microsoft issue a kill bit to prevent their ActiveX control from running in Internet Explorer. Approved requests will be processed in a future Update Rollup for ActiveX Kill Bits Security Advisory. Microsoft will issue a kill bit only for ActiveX controls that are found to have a vulnerability, and only if the owning independent software vendor (ISV) has already produced an updated version of their ActiveX control. ISVs that have vulnerable ActiveX controls can e-mail requests to msvr@microsoft.com together with answers to the following questions:

• What is the public URL for the updated ActiveX control?
• What is the CLSID of the requested ActiveX control to receive a kill bit within Internet Explorer?
• Has this updated ActiveX control received a new CLSID that sets a kill bit to the vulnerable CLSID in the process? The process to do this is documented in this Knowledge Base article.
• Is the requested ActiveX control marked as safe-for-scripting or safe-for-initialization?
• Are there older versions of the requested ActiveX control? If the answer is "yes," what are their CLSIDs?
• What is the primary delivery mechanism to consumers for the requested ActiveX control?
• What is the public URL for the ISV Advisory that discloses the vulnerability?