Background
Provider dynamic-link libraries (DLLs) are usually used by add-ins or as standalone integrations to change or extend Microsoft Outlook functionality, such as the Address Book. However, attackers can also use DLLs to compromise computer or network security. To help increase security, MAPI now blocks Provider DLLs from being loaded if they are registered incorrectly.
Whenever possible, you should register a Provider DLL by using MapiSvc.inf, as described in File format of MapiSvc.inf. However, registering a Provider DLL may not always be possible. For example, add-ins may automatically register a Provider DLL during the installation process, or out-of-support add-ins may not register a Provider DLL correctly and cannot be fixed.
This article describes the symptoms that you may experience if a Provider DLL is registered incorrectly, and provides a workaround to let MAPI load a Provider DLL if the DLL cannot be registered correctly.
This article contains information that shows how to help reduce security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you choose to implement this workaround, take any appropriate additional steps to help protect your system.
Symptoms
You may experience the following symptoms if MAPI blocks a Provider DLL.
Symptom 1
You receive an error message that resembles the following:
An unexpected error has occurred. MAPI was unable to load the information service <DLL name>. Be sure the service is correctly installed and configured.
Additionally, Outlook generates one or more error level entries in Windows Event Viewer. This event log entry includes the path of the Provider DLL that is blocked. This log entry also includes a link to more information about how to correctly register the Provider DLL through MapiSvc.inf.
Symptom 2
The functionality that is provided by the DLL is no longer available. You may see unexpected behavior or additional error messages, depending on which functionality is affected.
Notes
-
The symptoms that you experience may change, depending on how the add-in responds to having the Provider DLL blocked. For example, error messages may appear every time, may appear only one time, or may not appear at all. Therefore, if an error message stops appearing, this does not indicate that the issue is resolved.
-
If you do not take any action, MAPI continues to block this Provider DLL every time that it is requested. You may continue to see error messages and event log entries (similar to the following screenshot), and any affected add-in functionality continues to be affected in each Outlook session.
Event Description:
Localization: %1 is the provider DLL filename that MAPI will block. This can contain any alphanumeric characters which are valid for a filename. Example: "EMSMDB.DLL"
MessageId: OUTL_EVENT_ID_BLOCK_WARNING_FILESPEC_PROVIDER
MessageText: Security warning loading %1. This MAPI provider DLL might be harmful to your system. You should only load DLLs from trusted providers that have been registered in MapiSvc.Inf. This provider DLL will be blocked in a future Outlook client update and its functionality will no longer be available. For more information about registering provider DLLs, see https://go.microsoft.com/fwlink/?linkid=2009861&clcid=0x409.
Workaround
Important We do not recommend that you apply this workaround because it may make your computer or network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommended that the Provider DLL be registered through MapiSvc.inf to help protect the computer and network. For more information about how to register Provider DLLs correctly, see File format of MapiSvc.inf.
Note There are specific conditions in which this workaround enables a Provider DLL to be loaded:
-
The Provider DLL path must contain no directory components. Review the error message and Windows event log entries to view the path. For security reasons, MAPI does not allow a Provider DLL path that has any directory components to be loaded by using this workaround. In this case, the Provider DLL should be registered by using MapiSvc.inf instead because MapiSvc.inf allows Provider DLLs to be registered at an arbitrary path.
-
The Provider DLL must exist either in the Office16 path of where Office is installed or in the Windows System32 directory. If the Provider DLL is not located in either of these locations, MAPI cannot find and cannot load the Provider DLL through the workaround steps.
If these conditions are not met, this workaround cannot be used, and the Provider DLL should be registered through MapiSvc.inf.
Warning:
-
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
-
Before you apply this workaround, confirm that MAPI is loading the correct Provider DLL. To do this, review the path provided in the error message or the Windows event log entry together with the set of directories that MAPI will search. It is unsafe to load an arbitrary Provider DLL.
-
Open Registry Editor, and then locate the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security -
If the Security key does not already exist, create it by selecting the Outlook key, and then Edit > New > Key. Make sure that you name the new key correctly.
-
Create a registry key under Security that is named TrustedProviders. Verify that the path of the TrustedProviders subkey is as follows:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\TrustedProviders -
Optionally, you may instead create the TrustedProviders key at the following registry location:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Security -
In the TrustedProviders key, add a new String Value, and then set the Name field to the Provider DLL path (including the file name extension ".dll") from the error message or Windows event log entry. For example, the path in the example error message in the screenshot is MyProvider.dll. To enable MAPI to load this Provider DLL, enter MyProvider.dll as the Name. Remember that only paths without directory components are valid for this workaround. Be aware that no text is required in the Data field.
Notes-
On the disk, the Provider DLL name includes a suffix of "32" (for example, "myprovider32.dll"). This "32" suffix should not be included in the registry entry. This behavior matches the expectation of MapiSvc.inf that also requires that the "32" suffix is not included.
-
The Name field is case-insensitive.
-
-
You must create a unique registry entry for each Provider DLL that is being blocked. Repeat step 5 for each blocked Provider DLL. Make sure that you doublecheck the path of each Provider DLL through the error message or Windows event log before you add it to this list. This behavior make sure that the Provider DLL is expected to load. Additionally, if the path contains any directory components, it can be registered only through MapiSvc.inf for security reasons.
-
Start Outlook, and verify that the errors are resolved. If the behavior of any add-ins was affected, verify that it now functions as expected.
More information
This article applies only to Office 365 subscription versions of Office or Outlook. It does not apply to the following Office versions:
-
Earlier Office versions (such as Office 2010 and Office 2013)
-
Perpetual versions of Office 2016 that use the Windows Installer (MSI) installation technology
-
Office 2019
On these versions, MAPI will do some security checks but will not strictly enforce the same requirements.
