Caution: This article contains information that shows you how to control security settings for Office. You can make changes to these security settings to either increase or lower your security posture. Before you make these changes, we recommend that you evaluate the risks associated with any changes you make to configure this setting.
INTRODUCTION
This article describes settings available for users and IT administrators to control whether and how COM objects load by having a Microsoft Office kill bit list.
For more information about the Windows Internet Explorer kill bit behavior that this feature is based on, including how to set AlternateCLSIDs that allow updated ActiveX controls to load, see How to stop an ActiveX control from running in Internet Explorer. This guidance applies to Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio.
Office COM kill bit
The Office COM kill bit was introduced in the security update MS10-036 to prevent specific COM objects from running when embedded or linked from Office documents.
The COM Kill bit functionality has been updated in KB3178703 to completely block COM objects from being activated in-process by Office. This update is a superset of the original behavior wherein, in addition to blocking COM objects embedded or linked in Office documents, this will block any instances of COM objects being loaded within the Office process through other means like Add-Ins.
These specific COM objects include ActiveX controls and OLE objects. Through the registry, you can independently control which COM objects are blocked when you use Office.
Note: We do not recommend that you remove the kill bit that's set for a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical. Therefore, you must be extremely careful when you unkill an ActiveX control.
You can add an AlternateCLSID (also known as a “Phoenix bit”) when you have to relate the CLSID of a new ActiveX control (and this ActiveX control was modified to reduce the security threat), to the CLSID of the ActiveX control to which the Office COM kill bit was applied. Office supports the AlternateCLSID only when ActiveX control COM objects are used. Note: The kill bit list for Office takes precedence over the kill bit list for Internet Explorer. For example, the Office COM kill bit and Internet Explorer ActiveX kill bit may be set for the same ActiveX control. But the AlternateCLSID is set on only the list for Internet Explorer. In this scenario, there is a conflict between the two settings. In such instances, the Office COM kill bit settings take precedence, and the control is not loaded.Setting the Office COM kill bit
Important:
-
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
-
322756 How to back up and restore the registry in Windows
The location for setting the Office COM kill bit in the registry is as follows:
For Office 2013 and Office 2010:
-
For 64-bit Office on 64-bit Windows (or 32-bit Office on 32-bit Windows).
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Common\COM Compatibility\{CLSID}
For 32-bit Office on 64-bit Windows:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{CLSID}
For Office 2016:
-
For 64-bit Office on 64-bit Windows (or 32-bit Office on 32-bit Windows):
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}
-
For 32-bit Office on 64-bit Windows:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}
In this case, CLSID is the class identifier of the COM object.
To enable the Office COM kill bit, follow these steps:
-
Add the registry subkey together with the CLSID of the ActiveX control or OLE object that you want to block from loading.
-
Add a REG_DWORD to this subkey called Compatibility Flags and set its value to 0x00000400.
For example, to set the Office COM kill bit for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24} on Office 2016, follow these steps:
-
Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility -
Add a subkey with the value {77061A9C-2F18-4f38-B294-F6BCC8443D24}. In this case, the resulting path is as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24} -
Add a REG_DWORD to this subkey that's named Compatibility Flags, and set its value to 0x00000400.
The Office COM kill bit is now set to block this object from being activated within Office.
How to only block COM in linking and embedding scenarios
As mentioned, the COM kill bit functionality has been updated to block all activation of specified COM objects from within Office.
In order to only block COM objects that are embedded or linked from within Office documents, follow these steps:
-
Add the CLSID to the COM kill bit per the instructions under "Setting the Office Kill Bit" (if it's not on the list already)
-
Under the subkey for the CLSID that's blocked, add a REG_DWORD value that's named ActivationFilterOverride, and set its value to 0x00000001.
For example, to configure the COM kill bit to block only in linking and embedding scenarios for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24} on Office 2016, follow these steps:
-
Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility -
Add a subkey that has the value {77061A9C-2F18-4f38-B294-F6BCC8443D24}. In this case, the resulting path is as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24} -
Add a REG_DWORD value to this subkey that's named Compatibility Flags, and set its value to 0x00000400.
-
Add a REG_DWORD to this subkey called ActivationFilterOverride, and set its value to 0x00000001.
The Office COM kill bit is now set to block this COM object only if it's linked or embedded in Office documents.
Controls that are blocked from Activation by default
Control |
CLSID |
ScriptMoniker |
06290BD3-48AA-11D2-8432-006008C3FBFC |
SoapActivator |
ECABAFD0-7F19-11D2-978E-0000F8757E2A |
SoapMoniker |
ECABB0C7-7F19-11D2-978E-0000F8757E2A |
PartitionMoniker |
ECABB0C5-7F19-11D2-978E-0000F8757E2A |
QueueMoniker |
ECABAFC7-7F19-11D2-978E-0000F8757E2A |
HTMLApplication |
3050F4D8-98B5-11CF-BB82-00AA00BDCE0B |
ScripletContext |
06290BD0-48AA-11D2-8432-006008C3FBFC |
ScripletConstructor |
06290BD1-48AA-11D2-8432-006008C3FBFC |
ScripletFactory |
06290BD2-48AA-11D2-8432-006008C3FBFC |
ScripletHostEncode |
06290BD4-48AA-11D2-8432-006008C3FBFC |
ScripletTypeLib |
06290BD5-48AA-11D2-8432-006008C3FBFC |
ScripletHandler_Automation |
06290BD8-48AA-11D2-8432-006008C3FBFC |
ScripletHandler_Event |
06290BD9-48AA-11D2-8432-006008C3FBFC |
ScripletHandler_ASP |
06290BDA-48AA-11D2-8432-006008C3FBFC |
ScripletHandler_Behavior |
06290BDB-48AA-11D2-8432-006008C3FBFC |
XMLFeed |
528D46B3-3A4B-4B13-BF74-D9CBD7306E07 |
Scriptlet |
AE24FDAE-03C6-11D1-8B76-0080C744F389 |
HtmlFile_FullWindowEmbed |
25336921-03F9-11CF-8FD0-00AA00686F13 |
Mhtmlfile |
3050F3D9-98B5-11CF-BB82-00AA00BDCE0B |
Microsoft HTA Document 6.0 |
3050F5C8-98B5-11CF-BB82-00AA00BDCE0B |
DHTMLEdit.DHTMLEdit.1 |
2D360200-FFF5-11D1-8D03-00A0C959BC0A |
DHTMLSafe.DHTMLSafe.1 |
2D360201-FFF5-11D1-8D03-00A0C959BC0A |
VB Script Language |
B54F3741-5B07-11cf-A4B0-00AA004A55E8 |
VB Script Language Authoring |
B54F3742-5B07-11cf-A4B0-00AA004A55E8 |
VBScript Language Encoding |
B54F3743-5B07-11cf-A4B0-00AA004A55E8 |
VBScript Host Encode |
85131631-480C-11D2-B1F9-00C04F86C324 |
Shockwave Flash Object |
D27CDB6E-AE6D-11cf-96B8-444553540000 |
Macromedia Flash Factory Object |
D27CDB70-AE6D-11cf-96B8-444553540000 |
Microsoft Silverlight |
DFEAF541-F3E1-4c24-ACAC-99C30715084A |
Adobe Shockwave Player |
233C1507-6A77-46A4-9443-F871F945D258 |
Python control |
DF630910-1C1D-11D0-AE36-8C0F5E000000 |
Controls that are blocked from Embedding by default
Control |
CLSID |
Shell.Explorer.2 |
8856F961-340A-11D0-A96B-00C04FD705A2 |
Htmlfile |
25336920-03F9-11CF-8FD0-00AA00686F13 |
Microsoft HTML Document for Popup Window |
3050F67D-98B5-11CF-BB82-00AA00BDCE0B |
Note: This list is a snapshot of controls that are blocked, and is subject to change