组件 mscomctl.ocx、mscomct2.ocx、mswinsck.ocx:以编程方式设置 Kill-Bit
在 Windows 7 上,标题中列出的组件默认情况下似乎将“killbit”设置为 COMPAT_EVIL_DONT_LOAD(比较 MSDN),也就是说,它们在 HKLM\SW\IE\ActiveX Compatibility\{
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}]
"Compatibility Flags"=dword:00000400
当我将该值设置为 0 时(这就是 Nirsoft 的 ActiveX 兼容性管理器 在“激活”组件时执行),一切正常。
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}]
"Compatibility Flags"=dword:00000000
但这只是一个工作站的 GUI 解决方案。为了部署我们的软件,我需要一个安全稳定的程序(脚本或工具)来附带我们的软件,它不仅将“killbit”设置为 0 或删除注册表项(应该首选哪个程序?),而且检查如果没有必要的话,什么都不做。优选地,解决方案将仅传递文件名或文件列表,并自行处理其他必要的事情。
这就是更大的问题开始的地方:
- 关于 COM 对象,注册表是通过 CLSID 查询的,而不是通过 ocx 文件名(即 Windows 注册表中的 InProcServer32 条目)或 ( VersionIndependent)ProgID (HKLM\Software\Classes\CLSID\{
}\ )。您是否知道一种方法,即批处理/(PowerShell)脚本/工具/任何查询与 ocx 文件或至少 ProgID 根相关的 CLSID 的方法? - 我了解 Windows 2000 中的 CLSID 最多为 7?
- SlayOCX.vbs 似乎是一种低级方法,称为组策略,如 SlayOCX.vbs 和 此处,可以作为网络范围的解决方案。但是:它是一个vbs,在某些环境下关闭。此外,我最终会得到一个由该脚本检查的 CLSID 列表。例如,打包成一批,我可能无法让客户管理员以所描述的方式部署它,而是通过登录脚本或注册表中的 runonce 密钥或其他方式进行部署 - 不是很优雅。那么你有什么建议呢?我更喜欢一个解决方案(一个工具,7 中的一个新组策略,我还不知道,一个更复杂的脚本,对系统和安全配置问题的依赖性较小,...),这使得第一个信息问题变得多余。
On Windows 7, the COMponents listed in the title seem by default to have the "killbit" set to COMPAT_EVIL_DONT_LOAD (compare MSDN), that is, their Compatibility Flags in HKLM\SW\IE\ActiveX Compatibility\{<CLSID>}\ seem to be set to that value by default:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}]
"Compatibility Flags"=dword:00000400
When I set the value to 0 (that's what Nirsoft's ActiveX Compatibility Manager does when "activating" a COMponent), everything works fine.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}]
"Compatibility Flags"=dword:00000000
But this is just a GUI solution for one workstation. To deploy our software, I need a safe and stable procedure (script or tool) to ship with our software, that not only sets the "killbit" to 0 or deletes the registry entry (which procedure should be preferred?), but checks the situation before and does nothing if nothing is necessary. Preferably, the solution would just be passed over a file name or a list of files and proceeds everything else necessary on its own.
This is the point where the bigger questions begin:
- Regarding COM objects, the registry is queried by CLSID, not by ocx file name (that is the InProcServer32 entry in the Windows registry) nor by (VersionIndependent)ProgID (HKLM\Software\Classes\CLSID\{<CLSID>}\). Do you know a method, i.e., a batch / (PowerShell) script / tool / whatever to query the CLSIDs related to an ocx file or at least the ProgID radical?
- I understand the CLSID is constant in Windows 2000 up to 7?
- SlayOCX.vbs seems to be a low level approach that, called as a group policy as described in SlayOCX.vbs and here, could work as a network-wide solution. But: It's a vbs, switched off in some environments. Furthermore, I will end up with quite a list of CLSIDs to be checked by this script. Wrapped e.g. in a batch I will probably not be able to have it deployed by the customers' admins in the described way, but rather by logon script or runonce key in the registry or something -- not very elegant. So what would you suggest? I'd prefer a solution (a tool, a new group policy in 7 I don't know yet, a more sophisticated script with less dependency on system and security configuration issues, ...) that makes the first informational questions superfluous.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您想让您的客户在知情的情况下暴露于安全漏洞吗?我不是律师,但是...
根据这篇文章 ,提到的文件是“Supported Runtime Files to Distribute with Your Application”,您只需更新到最新版本即可。
另一篇文章详细介绍了必要的步骤(可能是较旧的更新,但仍然应该让您开始):Clickety
You want to expose your clients knowingly to security vulnerabilities? I am not a lawyer, but...
According to this post, the files mentioned are "Supported Runtime Files to Distribute with Your Application", you just need to update to the latest version.
Another post details the necessary steps (probably for an older update, but still it should get you started): Clickety
CLSID 注册表扫描程序 (COM/ActiveX)
是我对自己问题的回答。现在它正在发挥作用,这对我来说很重要。如果重写或至少翻新该程序,或者两者独立地进行,并摆脱旧帽子不是更好,那么这将是一个没有实际意义的讨论。没有实际意义,因为我不做出预算决定。
CLSID Registry Scanner (COM/ActiveX)
is my answer to my own question. It's working for now, that's important for me now. It would be a moot discussion if it was not better to rewrite or at least refurbish the program, or both independently, and get rid of old hats. Would be moot because I do not make our budget decisions.
除了 Treeview 之外,这些 OCX 的大多数用法都可以找到替换代码或 API 调用。显然,几年前就有一些德国注释的 API 代码可供购买用于树视图。无论如何,所有这些 OCX 都是 API 调用的包装器。
请参阅我网站上的日历提示页面
mswinsck 有点棘手,我不知道没有那个的 URL。不过,我确信可以找到可以在 VBA 中很好地工作的 VB6 代码。
博客发布 - 旧版本的 MSCOMM32.OCX 已设置“kill bit”标志。 尽管您没有提到这一点。
With the exception of the Treeview replacement code or API calls can be found for most usages of these OCXs. Apparently there was some German commented API code available for purchase years ago for the treeview. All these OCXs are is a wrapper for the API calls anyhow.
See the Calendar Tips page at my website
The mswinsck is a bit trickier and I don't have a URL for that one. However I'm sure there is VB6 code that can be found that will work quite nicely in VBA.
Blog posting - An older version of MSCOMM32.OCX has had the "kill bit" flag set. Although you don't mention this one.