Some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control after you install security update 896358

Article ID: 905215
Last Review: October 18, 2007
Revision: 3.4
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry

SYMPTOMS

After you install security update 896358, some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control.

Note This article contains information that is supplemental to the following Microsoft Knowledge Base articles:
896358 (http://support.microsoft.com/kb/896358/) MS05-026: A vulnerability in HTML Help could allow remote code execution


CAUSE

This issue occurs because security update 896358 includes changes to the HTML Help ActiveX control. Previously, you could use any valid URL scheme in a parameter tag. After you install security update 896358, only the following URL schemes are supported:
file
http
https
ftp
its
ms-its
mk:@msitstore
hcp
Microsoft introduced this change to help reduce security vulnerabilities in HTML Help.


RESOLUTION

Warning The symptom is an expected and intended effect of installing the security update. This section provides a workaround to re-enable additional schemes for business-critical programs. This workaround may make the computer more vulnerable to the threats that security update 896358 addresses. The safest course is not to use this workaround. If you must use this workaround, enable only those URL schemes that your business-critical programs require.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

You can use the registry to re-enable URL schemes that you want to use in HTML Help ActiveX control parameters. For example, suppose you want to enable the news and mailto URL schemes for use in a See Also control. Doing this would enable the See Also control to start newsgroups and e-mail. The following .reg file re-enables these URL schemes.

Note You can paste the following text into a text editor such as Notepad, and then save the file with the .reg file name extension.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"ProtocolAllowList"="news:;mailto:"


Deploying the registry keys across a domain

We recommend that you use Group Policy to deploy the settings in the examples earlier in this article as startup scripts. You can also deploy these settings as logon scripts. However, this method is less desirable because of permissions constraints.

The following steps show one way to deploy the settings in the first example as a Group Policy startup script.
1. Paste the following text into a text editor such as Notepad.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"ProtocolAllowList"="news:;mailto:"
2. Save the file. Name the file AllowTrustedProtocols.reg.
3. Paste the following text in a text editor such as Notepad.
REGEDIT.EXE /S AllowTrustedProtocols.reg
4. Save the file. Name the file AllowTrustedProtocols.bat.
5. Import this batch file into the Group Policy object (GPO). To do this, follow these steps:
a. Copy the batch file and the .reg file to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
b. On the computer on which you want to run the GPO, click Start, click Run, type dsa.msc, and then click OK.
c. Right-click your domain, and then click Properties.
d. Click Group Policy, and then click New.
e. Type the name that you want to use for this policy, and then press ENTER.
f. Click Edit.
g. Expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), double-click Startup in the right panel, and then click Add in the Startup Properties dialog box.
h. Locate and then click the AllowTrustedProtocols.bat file.
i. Click Add.
j. Click OK, click Yes, click OK, and then click OK again.
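
Because the workaround widens what the security update restricted, it helps to check a .reg file before it is copied to the Startup folder. The following is an added example, not part of the original article or Microsoft code: it parses the file and reports any re-enabled scheme outside a set you approve. It assumes the value is a semicolon-separated list of schemes with trailing colons, as in the article's sample; the function names, the sample inputs, and the x-example scheme are constructed for illustration.

```python
import re

# Schemes the article lists as still supported after security update 896358.
BUILT_IN = {"file", "http", "https", "ftp", "its", "ms-its", "mk:@msitstore", "hcp"}
HH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions"

def parse_allow_list(reg_text):
    """Return the schemes in ProtocolAllowList under the HHRestrictions key."""
    current_key, schemes = None, []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.lower() == HH_KEY.lower():
            m = re.match(r'"ProtocolAllowList"\s*=\s*"(.*)"$', line, re.IGNORECASE)
            if m:
                # Assumed value format, from the article's sample: "news:;mailto:"
                schemes = [s.strip().rstrip(":").lower()
                           for s in m.group(1).split(";") if s.strip()]
    return schemes

def review(reg_text, approved):
    """Classify each re-enabled scheme against the approved set."""
    approved = {a.lower() for a in approved}
    report = {"approved": [], "redundant": [], "unapproved": []}
    for scheme in parse_allow_list(reg_text):
        if scheme in BUILT_IN:
            report["redundant"].append(scheme)   # already supported, no entry needed
        elif scheme in approved:
            report["approved"].append(scheme)
        else:
            report["unapproved"].append(scheme)  # do not deploy until justified
    return report

# Constructed inputs: the article's file, and a wider variant for comparison.
PAGE_REG = '''REGEDIT4
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\HTMLHelp]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\HTMLHelp\\1.x\\HHRestrictions]
"ProtocolAllowList"="news:;mailto:"
'''
WIDE_REG = PAGE_REG.replace("news:;mailto:", "news:;mailto:;http:;x-example:")

if __name__ == "__main__":
    for name, text in (("page", PAGE_REG), ("wide", WIDE_REG)):
        print(name, review(text, approved={"news", "mailto"}))
```

A non-empty "unapproved" list is the signal to stop and confirm that a business-critical program actually requires that scheme.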


MORE INFORMATION

This article contains information that is supplemental to Microsoft Knowledge Base article 896358 (http://support.microsoft.com/kb/896358/en-us/).


Overview and examples for system administrators

For more information about security update 896358 and how you can re-enable Web applications that are affected by this update, click the following article number to view the article in the Microsoft Knowledge Base:
896358 (http://support.microsoft.com/kb/896358/) MS05-026: A vulnerability in HTML Help could allow remote code execution


Group Policy

For more information about Group Policy, visit the following Microsoft Web sites:
Group Policy collection
http://technet2.microsoft.com/windowsserver/en/library/6d7cb788-b31d-4d17-9f1e-b5ddaa6deecd1033.mspx
What is Group Policy Object Editor?
http://technet2.microsoft.com/windowsserver/en/library/47ba1311-6cca-414f-98c9-2d7f99fca8a31033.mspx
Core Group Policy tools and settings
http://technet2.microsoft.com/windowsserver/en/library/e926577a-5619-4912-b5d9-e73d4bdc94911033.mspx


Technical support for x64-based versions of Microsoft Windows

On computers that are running x64-based versions of Microsoft Windows, you may have to adapt the instructions in the "Resolution" section about how to modify the registry. For example, you might have to modify a different part of the registry, depending on whether you want to modify the 32-bit or the 64-bit functionality. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
896459 (http://support.microsoft.com/kb/896459/) Registry changes in Windows x64 Edition-based operating systems
Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:
http://www.microsoft.com/windowsxp/64bit/default.mspx
For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:
http://technet.microsoft.com/windowsserver/bb430829.aspx



APPLIES TO
Microsoft Windows Server 2003 Service Pack 1, when used with:
  Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows XP Professional 64-Bit Edition (Itanium)
Microsoft Windows XP for Itanium-based Systems Version 2003
Microsoft Windows Millennium Edition
Microsoft Windows 98 Second Edition


Keywords: 
kbsecurity kbtshoot kbprb KB905215
