This article contains information that shows you how to control security settings for Office. You can make changes to these security settings to either increase or lower your security posture. Before you make these changes, we recommend that you evaluate the risks associated with any changes you make to configure this setting.
INTRODUCTION
This article describes the settings available to users and IT administrators for controlling whether and how COM objects load, by means of a Microsoft Office kill bit list.
For more information about the Windows Internet Explorer kill bit behavior that this feature is based on, including how to set AlternateCLSIDs that allow updated ActiveX controls to load, see How to stop an ActiveX control from running in Internet Explorer. This guidance applies to Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio.
Office COM kill bit
The Office COM kill bit was introduced in the security update MS10-036 to prevent specific COM objects from running when embedded or linked from Office documents.
The COM kill bit functionality has been updated in KB3178703 to completely block COM objects from being activated in-process by Office. This update is a superset of the original behavior: in addition to blocking COM objects embedded or linked in Office documents, it blocks any instance of a COM object being loaded within the Office process through other means, such as add-ins.
These specific COM objects include ActiveX controls and OLE objects. Through the registry, you can independently control which COM objects are blocked when you use Office.
Note: We do not recommend that you remove the kill bit that's set for a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical. Therefore, you must be extremely careful when you unkill an ActiveX control.
You can add an AlternateCLSID (also known as a “Phoenix bit”) when you have to relate the CLSID of a new ActiveX control (and this ActiveX control was modified to reduce the security threat), to the CLSID of the ActiveX control to which the Office COM kill bit was applied. Office supports the AlternateCLSID only when ActiveX control COM objects are used.
Note: The kill bit list for Office takes precedence over the kill bit list for Internet Explorer. For example, the Office COM kill bit and Internet Explorer ActiveX kill bit may be set for the same ActiveX control. But the AlternateCLSID is set on only the list for Internet Explorer. In this scenario, there is a conflict between the two settings. In such instances, the Office COM kill bit settings take precedence, and the control is not loaded.
Setting the Office COM kill bit
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
The location for setting the Office COM kill bit in the registry is as follows:
For Office 2013 and Office 2010:
- For 64-bit Office on 64-bit Windows (or 32-bit Office on 32-bit Windows):
  HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Common\COM Compatibility\{CLSID}
- For 32-bit Office on 64-bit Windows:
  HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{CLSID}
For Office 2016:
- For 64-bit Office on 64-bit Windows (or 32-bit Office on 32-bit Windows):
  HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}
- For 32-bit Office on 64-bit Windows:
  HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}
In this case, CLSID is the class identifier of the COM object.
To enable the Office COM kill bit, follow these steps:
- Add the registry subkey together with the CLSID of the ActiveX control or OLE object that you want to block from loading.
- Add a REG_DWORD to this subkey called Compatibility Flags and set its value to 0x00000400.
For example, to set the Office COM kill bit for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24} on Office 2016, follow these steps:
- Locate the following registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility
- Add a subkey with the value {77061A9C-2F18-4f38-B294-F6BCC8443D24}. In this case, the resulting path is as follows:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24}
- Add a REG_DWORD to this subkey that's named Compatibility Flags, and set its value to 0x00000400.
The Office COM kill bit is now set to block this object from being activated within Office.
How to only block COM in linking and embedding scenarios
As mentioned, the COM kill bit functionality has been updated to block all activation of specified COM objects from within Office.
In order to only block COM objects that are embedded or linked from within Office documents, follow these steps:
- Add the CLSID to the COM kill bit list per the instructions under "Setting the Office COM kill bit" (if it's not on the list already).
- Under the subkey for the CLSID that's blocked, add a REG_DWORD value that's named ActivationFilterOverride, and set its value to 0x00000001.
For example, to configure the COM kill bit to block only in linking and embedding scenarios for an object that has CLSID {77061A9C-2F18-4f38-B294-F6BCC8443D24} on Office 2016, follow these steps:
- Locate the following registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility
- Add a subkey that has the value {77061A9C-2F18-4f38-B294-F6BCC8443D24}. In this case, the resulting path is as follows:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{77061A9C-2F18-4f38-B294-F6BCC8443D24}
- Add a REG_DWORD value to this subkey that's named Compatibility Flags, and set its value to 0x00000400.
- Add a REG_DWORD to this subkey called ActivationFilterOverride, and set its value to 0x00000001.
The Office COM kill bit is now set to block this COM object only if it's linked or embedded in Office documents.
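The two procedures above (setting the kill bit, and setting it together with ActivationFilterOverride so that only linking and embedding are blocked) differ by a single value, so one script can serve both. The following PowerShell is an added example, not code from the KB article: it resolves the registry location from the Office version and bitness exactly as listed earlier, writes Compatibility Flags (OR-ing the 0x400 bit into any flags already present rather than overwriting them, a design choice of this example), optionally adds ActivationFilterOverride, and includes an audit function that reports which CLSIDs are currently on the list and in which mode. The function names and parameter names are this example's own; it assumes an elevated 64-bit PowerShell session, since a 32-bit session would have HKLM\Software redirected to Wow6432Node.

```powershell
# Added example, not from the KB article. Run from an elevated 64-bit PowerShell.
#Requires -RunAsAdministrator

$KillBitFlag = 0x00000400   # Compatibility Flags bit that sets the Office COM kill bit

function Get-OfficeComCompatibilityPath {
    # Returns the "COM Compatibility" key for the given Office version/bitness,
    # following the path table in the article.
    param(
        [Parameter(Mandatory)] [ValidateSet('2010','2013','2016')] [string]$OfficeVersion,
        [Parameter(Mandatory)] [ValidateSet('x86','x64')]          [string]$OfficeBitness
    )
    # 32-bit Office on 64-bit Windows lives under Wow6432Node; 64-bit Office
    # (or 32-bit Office on 32-bit Windows) uses the native Software hive.
    $root = if ($OfficeBitness -eq 'x86' -and [Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office'
    } else {
        'HKLM:\SOFTWARE\Microsoft\Office'
    }
    # Office 2010/2013 share an unversioned key; Office 2016 adds the 16.0 segment.
    if ($OfficeVersion -eq '2016') { "$root\16.0\Common\COM Compatibility" }
    else                            { "$root\Common\COM Compatibility" }
}

function Set-OfficeComKillBit {
    # Sets the kill bit for one CLSID. With -LinkEmbedOnly, also writes
    # ActivationFilterOverride = 1 so only linked/embedded instances are blocked.
    param(
        [Parameter(Mandatory)] [string]$Clsid,
        [Parameter(Mandatory)] [string]$OfficeVersion,
        [Parameter(Mandatory)] [string]$OfficeBitness,
        [switch]$LinkEmbedOnly
    )
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "CLSID must be a braced GUID such as {77061A9C-2F18-4f38-B294-F6BCC8443D24}, got '$Clsid'"
    }
    $base = Get-OfficeComCompatibilityPath -OfficeVersion $OfficeVersion -OfficeBitness $OfficeBitness
    $key  = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Preserve any other flag bits already present under this CLSID.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = if ($null -eq $existing) { $KillBitFlag } else { ([int]$existing) -bor $KillBitFlag }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null

    if ($LinkEmbedOnly) {
        New-ItemProperty -Path $key -Name 'ActivationFilterOverride' -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # Without the override, KB3178703 behaviour blocks every in-process activation.
        Remove-ItemProperty -Path $key -Name 'ActivationFilterOverride' -ErrorAction SilentlyContinue
    }
}

function Get-OfficeComKillBits {
    # Audit helper: lists every CLSID under the key and whether the kill bit
    # is actually set (a subkey may exist with other flags but without 0x400).
    param(
        [Parameter(Mandatory)] [string]$OfficeVersion,
        [Parameter(Mandatory)] [string]$OfficeBitness
    )
    $base = Get-OfficeComCompatibilityPath -OfficeVersion $OfficeVersion -OfficeBitness $OfficeBitness
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $flags = if ($null -eq $p.'Compatibility Flags') { 0 } else { [int]$p.'Compatibility Flags' }
        [pscustomobject]@{
            CLSID         = $_.PSChildName
            KillBitSet    = (($flags -band $KillBitFlag) -ne 0)
            LinkEmbedOnly = ($p.ActivationFilterOverride -eq 1)
            Flags         = ('0x{0:X8}' -f $flags)
        }
    }
}

# Usage, reproducing the article's two examples for 64-bit Office 2016:
# block the object in every activation path
Set-OfficeComKillBit -Clsid '{77061A9C-2F18-4f38-B294-F6BCC8443D24}' -OfficeVersion '2016' -OfficeBitness 'x64'
# or block it only when linked or embedded in a document
Set-OfficeComKillBit -Clsid '{77061A9C-2F18-4f38-B294-F6BCC8443D24}' -OfficeVersion '2016' -OfficeBitness 'x64' -LinkEmbedOnly
# then confirm what is on the list
Get-OfficeComKillBits -OfficeVersion '2016' -OfficeBitness 'x64' | Format-Table -AutoSize
```

On a machine that carries both 32-bit and 64-bit Office installs, or where the bitness is unknown, run the audit for both `-OfficeBitness` values: the two locations are independent, and a CLSID blocked under one is not blocked under the other.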
Controls that are blocked from Activation by default
Control | CLSID
ScriptMoniker | 06290BD3-48AA-11D2-8432-006008C3FBFC
SoapActivator | ECABAFD0-7F19-11D2-978E-0000F8757E2A
SoapMoniker | ECABB0C7-7F19-11D2-978E-0000F8757E2A
PartitionMoniker | ECABB0C5-7F19-11D2-978E-0000F8757E2A
QueueMoniker | ECABAFC7-7F19-11D2-978E-0000F8757E2A
HTMLApplication | 3050F4D8-98B5-11CF-BB82-00AA00BDCE0B
ScripletContext | 06290BD0-48AA-11D2-8432-006008C3FBFC
ScripletConstructor | 06290BD1-48AA-11D2-8432-006008C3FBFC
ScripletFactory | 06290BD2-48AA-11D2-8432-006008C3FBFC
ScripletHostEncode | 06290BD4-48AA-11D2-8432-006008C3FBFC
ScripletTypeLib | 06290BD5-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Automation | 06290BD8-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Event | 06290BD9-48AA-11D2-8432-006008C3FBFC
ScripletHandler_ASP | 06290BDA-48AA-11D2-8432-006008C3FBFC
ScripletHandler_Behavior | 06290BDB-48AA-11D2-8432-006008C3FBFC
XMLFeed | 528D46B3-3A4B-4B13-BF74-D9CBD7306E07
Scriptlet | AE24FDAE-03C6-11D1-8B76-0080C744F389
HtmlFile_FullWindowEmbed | 25336921-03F9-11CF-8FD0-00AA00686F13
Mhtmlfile | 3050F3D9-98B5-11CF-BB82-00AA00BDCE0B
Microsoft HTA Document 6.0 | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B
DHTMLEdit.DHTMLEdit.1 | 2D360200-FFF5-11D1-8D03-00A0C959BC0A
DHTMLSafe.DHTMLSafe.1 | 2D360201-FFF5-11D1-8D03-00A0C959BC0A
VB Script Language | B54F3741-5B07-11cf-A4B0-00AA004A55E8
VB Script Language Authoring | B54F3742-5B07-11cf-A4B0-00AA004A55E8
VBScript Language Encoding | B54F3743-5B07-11cf-A4B0-00AA004A55E8
VBScript Host Encode | 85131631-480C-11D2-B1F9-00C04F86C324
Shockwave Flash Object | D27CDB6E-AE6D-11cf-96B8-444553540000
Macromedia Flash Factory Object | D27CDB70-AE6D-11cf-96B8-444553540000
Microsoft Silverlight | DFEAF541-F3E1-4c24-ACAC-99C30715084A
Adobe Shockwave Player | 233C1507-6A77-46A4-9443-F871F945D258
Python control | DF630910-1C1D-11D0-AE36-8C0F5E000000
Controls that are blocked from Embedding by default
Control | CLSID
Shell.Explorer.2 | 8856F961-340A-11D0-A96B-00C04FD705A2
Htmlfile | 25336920-03F9-11CF-8FD0-00AA00686F13
Microsoft HTML Document for Popup Window | 3050F67D-98B5-11CF-BB82-00AA00BDCE0B
Note: This list is a snapshot of the controls that are blocked, and it is subject to change.