Approved shell extensions
I have set the policy "Allow only per user or approved shell extensions" (GPedit: User Configuration >> Administrative Templates >> Windows Components >> Windows Explorer). I deleted the entry at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. Extensions were disabled in Windows XP. However, in Windows 7 extensions were still enabled. Is this policy functional in Windows 7?
October 6th, 2010 7:18pm

Hi,

Based on my test and research, this group policy will also function in Windows 7. But it may not apply to all shell extensions. There are many of them (probably some of them with HKCU extensibility) that haven't been moved to the policy system yet. For more information, please refer to the following article: The Shell Extensions Approved list is *not* a complete list of shell extensions on the system

You may check whether you are able to run ShellExView to disable the third-party extensions of Windows Explorer and eliminate the ones which cannot be disabled. To do so, please follow the steps below:

1. Download ShellExView v1.41 from the following link: http://www.nirsoft.net/utils/shexview.zip
   Please note: The third-party product discussed here is manufactured by a company that is independent of Microsoft. We make no warranty, implied or otherwise, regarding this product's performance or reliability.
2. Right-click the "shexview.zip" file and select "Extract All"; the Extraction Wizard will appear.
3. Click Next and input "C:\ShellExView" (without the quotation marks) in the "Files will be extracted to this directory" textbox.
4. Click Next and click Finish.
5. Open the "C:\ShellExView" folder and double-click the "shexview.exe" file. It will scan the registry for all the shell extensions.
6. Select all the non-Microsoft extensions in pink one by one by pressing "Ctrl" on the keyboard.
7. Click "Disable Selected Items" on the toolbar and click Yes.
8. Restart your computer and check if the issue is resolved.

Regards,
Sabrina
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 7th, 2010 4:33am

Hi,

ShellExView or Registry can disable extensions:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked]
"{024CFC5C-4391-4EDD-86BA-5316B041A1D1}"=""

My test (file FolderBackgroundShellExt.dll : http://www.moonsoftware.com/shelltools.asp / extension can be disabled with policy in Windows XP):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024CFC5C-4391-4EDD-86BA-5316B041A1D1}]
@="FolderBackground shell context menu extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024CFC5C-4391-4EDD-86BA-5316B041A1D1}\InprocServer32]
@="C:\\1ext\\FolderBackgroundShellExt.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ShellToolsFolderBackground]
@="{024CFC5C-4391-4EDD-86BA-5316B041A1D1}"

Regards,
Libor
October 7th, 2010 6:46am

Hi Libor, Thank you for your posting. I will test this issue and update the result as soon as possible. Regards, Sabrina
October 8th, 2010 6:06am

Hi Libor,

After research and testing, I found that the registry value EnforceShellExtensionSecurity stores the configuration data for the policy setting "Allow only per user or approved shell extensions".

The Approved key and the EnforceShellExtensionSecurity policy are an administrator's way of controlling which shell extensions are allowed to run. If the EnforceShellExtensionSecurity policy is turned on, the shell will only run shell extensions that are registered under the Approved key. If the EnforceShellExtensionSecurity policy is turned off, any shell extension can be run, whether or not it is registered under the Approved key.

EnforceShellExtensionSecurity is a REG_DWORD value placed under the following key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

EnforceShellExtensionSecurity is off when the value is zero or is removed, and on when the value is 1.

Therefore, I suggest checking EnforceShellExtensionSecurity in the registry key. If its value is 0 or it is removed, please create a new REG_DWORD, rename it to EnforceShellExtensionSecurity and change its value to 1 to test this issue.

Before modifying the registry keys, please take a backup of the key. For more information about how to back up and restore the registry, please click the following link to view the article: Back up the registry

Regards,
Sabrina
October 11th, 2010 1:48am
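
The policy value, the Approved and Blocked entries, and the handler registration quoted in the posts above can be read back together with a read-only PowerShell check. This is an added example, not code from any poster in the thread: the function names are made up for the example, the default CLSID and registry paths are the ones quoted in the thread, and the per-user Approved key under HKEY_CURRENT_USER is an assumption taken from the policy's "per user" wording.

```powershell
#Requires -Version 3.0
# Added example: read-only audit of the registry state discussed in this thread.
param(
    # CLSID of the test extension quoted in the thread; pass your own to audit another.
    [string]$Clsid = '{024CFC5C-4391-4EDD-86BA-5316B041A1D1}'
)

$extBase  = 'Software\Microsoft\Windows\CurrentVersion\Shell Extensions'
$policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$handlers = 'HKLM:\SOFTWARE\Classes\Directory\Background\ShellEx\ContextMenuHandlers'

function Get-RegData([string]$Path, [string]$Name, $Default = $null) {
    # Data of a value ('' = the key's default value), or $Default if absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $Default }
    return $key.GetValue($Name, $Default)
}

function Test-RegValue([string]$Path, [string]$Name) {
    # True when the value name exists, even if its data is empty
    # (the Blocked entry in the thread is "{CLSID}"="").
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    return ($null -ne $key) -and ($key.GetValueNames() -contains $Name)
}

$enforced     = (Get-RegData $policy 'EnforceShellExtensionSecurity' 0) -eq 1
$approvedHklm = Test-RegValue "HKLM:\$extBase\Approved" $Clsid
$approvedHkcu = Test-RegValue "HKCU:\$extBase\Approved" $Clsid   # assumed per-user list

# Context menu handler subkeys whose default value points at this CLSID.
$registeredAs = @(Get-ChildItem -LiteralPath $handlers -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('') -eq $Clsid } |
    ForEach-Object { $_.PSChildName })

[pscustomobject]@{
    Clsid            = $Clsid
    PolicyEnforced   = $enforced
    ApprovedHKLM     = $approvedHklm
    ApprovedHKCU     = $approvedHkcu
    BlockedHKLM      = Test-RegValue "HKLM:\$extBase\Blocked" $Clsid
    InprocServer32   = Get-RegData "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32" ''
    ContextMenuNames = $registeredAs -join ', '
    # Policy on while the CLSID is in neither Approved list.
    UnapprovedUnderPolicy = $enforced -and -not ($approvedHklm -or $approvedHkcu)
}
```

Run it in the session of the user the policy applies to, since the policy value and the per-user Approved list are read from HKEY_CURRENT_USER.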

Hi Sabrina,

The policy is enabled and the value EnforceShellExtensionSecurity is present (1). My shell extension is not registered under the Approved key and can be run (http://www.adminxp.com/temp/enforce.zip / file created with Problem Steps Recorder).

I am researching whether this policy can disable an unknown shell extension; however, in Windows 7 the shell extension can be run without being registered in the Approved key. In Windows XP, a shell extension can be disabled by removing its value (CLSID) from the Approved key. However, a user can add a CLSID value in the Approved key.

Regards,
Libor
October 11th, 2010 10:58am

Hi Libor, Thank you for your feedback. I will report this issue. Regards, Sabrina
October 13th, 2010 4:06am

Based on the information you have provided, it should have worked as expected. A paid support incident would be required to fully determine where your scenario is failing. David J. This posting is provided "AS IS" with no warranties, and confers no rights.
November 10th, 2010 4:36pm

This topic is archived. No further replies will be accepted.
