Approved shell extensions
I am set policy Allow only per user or approved shell extensions (GPedit: User Configuration >> Administrative Templates >> Windows Components >> Windows Explorer)
Delete entry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Extensions was disabled in Windows XP. However in Windows 7 extensions was still enabled.
Is this policy functional in Windows 7?
October 6th, 2010 7:18pm
Hi,
Base on my test and research, this group policy will also function in Windows 7. But it may not apply to all shell extensions. There are many of them
(probably some of them with HKCU extensibility) that haven't been moved to the policy system yet.
More information, please refer to the following article:
The
Shell Extensions Approved list is *not* a complete list of shell extensions on the system
You may check if it is able to the run ShellExView to disable third party extension of Windows
Explorer and eliminate the one which cannot be disabled. To do so, please follow the steps below:
1. Download ShellExView v1.41 from the following link
http://www.nirsoft.net/utils/shexview.zip
Please Note: The third-party product discussed here is manufactured by a company that
is independent of Microsoft. We make no warranty, implied or otherwise, regarding this product's performance or reliability.
2. Right-click the "shexview.zip" file, select "Extract All", the Extraction Wizard will
prompt.
3. Click Next, input "C:\ShellExView" (without the quotation marks) in the "Files will be
extracted to this directory" textbox.
4. Click Next and click Finnish.
5. Open the "C:\ShellExView" folder and double-click the "shexview.exe" file. It will scan
the registry for all the shell extensions.
6. Select all the non-Microsoft extensions in pink one by one by press "Ctrl" in the keyboard.
7. Click the "Disable Selected Items" on the toolbar and click Yes.
8. Restart your computer and check if the issue is resolved.
Regards,
Sabrina
TechNet
Subscriber Support in forum. If you have any feedback on our support, please contact
tngfb@microsoft.com
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
|Please remember to click “Mark as Answer” on the post that helps you, and to
click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
October 7th, 2010 4:33am
Hi,
ShellExView or Registry can disable extensions:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked]
"{024CFC5C-4391-4EDD-86BA-5316B041A1D1}"=""
My test (file FolderBackgroundShellExt.dll :
http://www.moonsoftware.com/shelltools.asp / extension can be disabled with policy in Windows XP):
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024CFC5C-4391-4EDD-86BA-5316B041A1D1}]
@="FolderBackground shell context menu extension"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024CFC5C-4391-4EDD-86BA-5316B041A1D1}\InprocServer32]
@="C:\\1ext\\FolderBackgroundShellExt.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ShellToolsFolderBackground]
@="{024CFC5C-4391-4EDD-86BA-5316B041A1D1}"
Regards,
Libor
October 7th, 2010 6:46am
Hi Libor,
Thank you for your posting.
I will test this issue and update the result as soon as possible.
Regards,
Sabrina
TechNet
Subscriber Support in forum. If you have any feedback on our support, please contact
tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
October 8th, 2010 6:06am
Hi Libor,
After research and test, I found the registry key EnforceShellExtensionSecurity stores configuration data for the policy setting
Allow only per user or approved shell extensions.
The
Approved key and the
EnforceShellExtensionSecurity policy are an administrator's way of controlling which shell extensions are allowed to run. If the
EnforceShellExtensionSecurity policy is turned on, the shell will only run shell extensions that are registered under the Approved key. If the
EnforceShellExtensionSecurity policy is turned off, any shell extension can be run, whether or not it is registered under the Approved key.
EnforceShellExtensionSecurity is a REG_DWORD value placed under
the following key:
<samp>[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
</samp>
EnforceShellExtensionSecurity is off when the value is zero or is removed, and on when the value is 1.
Therefore, I suggest go to check the
EnforceShellExtensionSecurity in the registry key. If its value is 0 or it is removed, please go to create a new
REG_DWORD, rename it as EnforceShellExtensionSecurity
and change its value as 1 to test this issue.
Before modify the registry keys, please
take a backup of the key.
For more information about how to back up and restore the registry, please click the following link to view the article:
Back up the registry
Regards,
Sabrina
TechNet
Subscriber Support in forum. If you have any feedback on our support, please contact
tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
October 11th, 2010 1:48am
Hi Sabrina,
Policy is enabled and value EnforceShellExtensionSecurity is present (1).
My shell extension is not registered under the Approved key and can be run (http://www.adminxp.com/temp/enforce.zip / file created with Problem Steps Recorder).
I research if this policy can disable unknown shell extension, however in the Windows 7 shell extension can be run without register in the Approved key.
Shell extension can be disabled if remove value (CLSID) from the Approved key in the Windows XP. However user can add CLSID value in the Approved key.
Regards,
Libor
Free Windows Admin Tool Kit Click here and download it now
October 11th, 2010 10:58am
Hi
Libor,
Thank you for your feedback. I will report this issue.
Regards,
Sabrina
TechNet
Subscriber Support in forum. If you have any feedback on our support, please contact
tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
October 13th, 2010 4:06am
Based on the information you have provided, it should have worked as expected.
A paid support incident would be required to full determine where your scenario is failing.
David J. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your
question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
November 10th, 2010 4:36pm