Caution: This article contains information that shows you how to control security settings for Office. You can make changes to these security settings to either increase or lower your security posture. Before you make these changes, we recommend that you evaluate the risks associated with any changes you make to configure this setting.
INTRODUCTION
This article describes the settings that are available for users and IT administrators to control whether and how COM objects load, by means of a Microsoft Office kill bit list.
For more information about the Windows Internet Explorer kill bit behavior that this feature is based on, including how to set AlternateCLSIDs that allow updated ActiveX controls to load, see How to stop an ActiveX control from running in Internet Explorer. This guidance applies to Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio.
Office COM kill bit
The Office COM kill bit was introduced in the security update MS10-036 to prevent specific COM objects from running when they are embedded in or linked from Office documents.
The COM kill bit functionality was updated in KB3178703 to completely block COM objects from being activated in-process by Office. This update is a superset of the original behavior: in addition to blocking COM objects that are embedded or linked in Office documents, it blocks any instance of a listed COM object being loaded in the Office process by other means, such as add-ins.
These COM objects include ActiveX controls and OLE objects. Through the registry, you can independently control which COM objects are blocked when you use Office.
Note: We do not recommend that you remove the kill bit that's set for a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical. Therefore, you must be extremely careful when you unkill an ActiveX control. You can add an AlternateCLSID (also known as a "Phoenix bit") when you have to relate the CLSID of a new ActiveX control (one that was modified to reduce the security threat) to the CLSID of the ActiveX control to which the Office COM kill bit was applied. Office supports the AlternateCLSID only for ActiveX control COM objects.
Note: The kill bit list for Office takes precedence over the kill bit list for Internet Explorer. For example, the Office COM kill bit and the Internet Explorer ActiveX kill bit may both be set for the same ActiveX control, but the AlternateCLSID is set only on the list for Internet Explorer. In this scenario, there is a conflict between the two settings. In such instances, the Office COM kill bit settings take precedence, and the control is not loaded.
Setting the Office COM kill bit
Important:
- This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
- 322756 How to back up and restore the registry in Windows
The location for setting the Office COM kill bit in the registry is as follows:
For Office 2013 and Office 2010:
- For 64-bit Office on 64-bit Windows (or 32-bit Office on 32-bit Windows):
  HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Common\COM Compatibility\{CLSID}
- For 32-bit Office on 64-bit Windows:
  HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{CLSID}
For Office 2016:
- For 64-bit Office on 64-bit Windows (or 32-bit Office on 32-bit Windows):
  HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}
- For 32-bit Office on 64-bit Windows:
  HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}
In this case, CLSID is the class identifier of the COM object.
To enable the Office COM kill bit, follow these steps:
- Add the registry subkey together with the CLSID of the ActiveX control or OLE object that you want to block from loading.
- Add a REG_DWORD to this subkey called Compatibility Flags and set its value to 0x00000400.
For example, to set the Office COM kill bit for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24} on Office 2016, follow these steps:
- Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility
- Add a subkey with the value {77061A9C-2F18-4f38-B294-F6BCC8443D24}. In this case, the resulting path is as follows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24}
- Add a REG_DWORD to this subkey that's named Compatibility Flags, and set its value to 0x00000400.
The Office COM kill bit is now set to block this object from being activated within Office.
How to only block COM in linking and embedding scenarios
As mentioned, the COM kill bit functionality has been updated to block all activation of specified COM objects from within Office.
In order to only block COM objects that are embedded or linked from within Office documents, follow these steps:
- Add the CLSID to the COM kill bit per the instructions under "Setting the Office COM kill bit" (if it's not on the list already).
- Under the subkey for the CLSID that's blocked, add a REG_DWORD value that's named ActivationFilterOverride, and set its value to 0x00000001.
For example, to configure the COM kill bit to block only in linking and embedding scenarios for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24} on Office 2016, follow these steps:
- Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility
- Add a subkey that has the value {77061A9C-2F18-4f38-B294-F6BCC8443D24}. In this case, the resulting path is as follows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24}
- Add a REG_DWORD value to this subkey that's named Compatibility Flags, and set its value to 0x00000400.
- Add a REG_DWORD to this subkey called ActivationFilterOverride, and set its value to 0x00000001.
The Office COM kill bit is now set to block this COM object only if it's linked or embedded in Office documents.
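As an added example (not part of this article), the following PowerShell applies both procedures above with one function and audits the resulting entries so an administrator can verify what is blocked. It assumes the Office 2016 key layout (16.0), an elevated session, and uses the article's example CLSID as constructed input; the function names are hypothetical.

```powershell
# Added example: set or audit the Office COM kill bit (Office 2016 key layout assumed).
# Constants from the article: Compatibility Flags bit 0x400, ActivationFilterOverride = 1.
$KillBitFlag = 0x00000400

function Get-ComCompatPath {
    # -Wow6432Node selects the 32-bit-Office-on-64-bit-Windows path from the article.
    param([switch]$Wow6432Node)
    $base = if ($Wow6432Node) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
    return "$base\Microsoft\Office\16.0\Common\COM Compatibility"
}

function Set-OfficeComKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid,   # e.g. '{77061A9C-2F18-4f38-B294-F6BCC8443D24}'
        [switch]$EmbeddingAndLinkingOnly,       # also write ActivationFilterOverride = 1
        [switch]$Wow6432Node
    )
    $key = Join-Path (Get-ComCompatPath -Wow6432Node:$Wow6432Node) $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into any flags already present instead of overwriting them.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
    if ($EmbeddingAndLinkingOnly) {
        New-ItemProperty -Path $key -Name 'ActivationFilterOverride' -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # Full in-process block: make sure no stale override narrows it to link/embed only.
        Remove-ItemProperty -Path $key -Name 'ActivationFilterOverride' -ErrorAction SilentlyContinue
    }
}

function Get-OfficeComKillBit {
    # Lists every CLSID under COM Compatibility and decodes the two values the article describes.
    param([switch]$Wow6432Node)
    $root = Get-ComCompatPath -Wow6432Node:$Wow6432Node
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $flags = [int]$p.'Compatibility Flags'
        [pscustomobject]@{
            CLSID              = $_.PSChildName
            KillBitSet         = (($flags -band $KillBitFlag) -ne 0)
            LinkEmbedOnly      = ([int]$p.ActivationFilterOverride -eq 1)
            CompatibilityFlags = ('0x{0:X8}' -f $flags)
        }
    }
}

# Usage with the article's example CLSID (constructed input):
# Set-OfficeComKillBit -Clsid '{77061A9C-2F18-4f38-B294-F6BCC8443D24}' -EmbeddingAndLinkingOnly
# Get-OfficeComKillBit | Format-Table
```

Run Get-OfficeComKillBit with and without -Wow6432Node on 64-bit Windows, since the two Office bitnesses read different keys.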
Controls that are blocked from activation by default
Control | CLSID
ScriptMoniker | 06290BD3-48AA-11D2-8432-006008C3FBFC
SoapActivator | ECABAFD0-7F19-11D2-978E-0000F8757E2A
SoapMoniker | ECABB0C7-7F19-11D2-978E-0000F8757E2A
PartitionMoniker | ECABB0C5-7F19-11D2-978E-0000F8757E2A
QueueMoniker | ECABAFC7-7F19-11D2-978E-0000F8757E2A
HTMLApplication | 3050F4D8-98B5-11CF-BB82-00AA00BDCE0B
ScripletContext | 06290BD0-48AA-11D2-8432-006008C3FBFC
ScripletConstructor | 06290BD1-48AA-11D2-8432-006008C3FBFC
ScripletFactory | 06290BD2-48AA-11D2-8432-006008C3FBFC
ScripletHostEncode | 06290BD4-48AA-11D2-8432-006008C3FBFC
ScripletTypeLib | 06290BD5-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Automation | 06290BD8-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Event | 06290BD9-48AA-11D2-8432-006008C3FBFC
ScripletHandler_ASP | 06290BDA-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Behavior | 06290BDB-48AA-11D2-8432-006008C3FBFC
XMLFeed | 528D46B3-3A4B-4B13-BF74-D9CBD7306E07
Scriptlet | AE24FDAE-03C6-11D1-8B76-0080C744F389
HtmlFile_FullWindowEmbed | 25336921-03F9-11CF-8FD0-00AA00686F13
Mhtmlfile | 3050F3D9-98B5-11CF-BB82-00AA00BDCE0B
Microsoft HTA Document 6.0 | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B
DHTMLEdit.DHTMLEdit.1 | 2D360200-FFF5-11D1-8D03-00A0C959BC0A
DHTMLSafe.DHTMLSafe.1 | 2D360201-FFF5-11D1-8D03-00A0C959BC0A
VB Script Language | B54F3741-5B07-11cf-A4B0-00AA004A55E8
VB Script Language Authoring | B54F3742-5B07-11cf-A4B0-00AA004A55E8
VBScript Language Encoding | B54F3743-5B07-11cf-A4B0-00AA004A55E8
VBScript Host Encode | 85131631-480C-11D2-B1F9-00C04F86C324
Shockwave Flash Object | D27CDB6E-AE6D-11cf-96B8-444553540000
Macromedia Flash Factory Object | D27CDB70-AE6D-11cf-96B8-444553540000
Microsoft Silverlight | DFEAF541-F3E1-4c24-ACAC-99C30715084A
Adobe Shockwave Player | 233C1507-6A77-46A4-9443-F871F945D258
Python control | DF630910-1C1D-11D0-AE36-8C0F5E000000
Controls that are blocked from embedding by default
Control | CLSID
Shell.Explorer.2 | 8856F961-340A-11D0-A96B-00C04FD705A2
Htmlfile | 25336920-03F9-11CF-8FD0-00AA00686F13
Microsoft HTML Document for Popup Window | 3050F67D-98B5-11CF-BB82-00AA00BDCE0B
Note: This list is a snapshot of the controls that are blocked, and it is subject to change.