Avatar of BillDL
FTP Shortcut (*.URL File) Tries To Connect When File Saved To Containing Folder

Hello fellow experts.

Windows XP SP3.

This isn't about how to fix an issue, it is about why the issue occurs.

A while ago I was doing a custom google search for some unusual file types somewhere out there on peoples' servers so I could analyse one to try and answer somebody's question, and I found a few on the "Index Of" page of an FTP Server.  I dragged a shortcut from the browser address bar to my desktop so I could return to that site later.

I've changed the IP Address, but the remainder of the path is unchanged.  Here's the code in the *.URL file.  All pretty standard, except perhaps the ~ symbol and the number of spaces in the names that have been replaced by the %20:

[InternetShortcut]
URL=ftp://123.456.789.00/~mp3_MUSIC/Jazz,%20Blues,%20Soul,%20Funk,%20Acid%20jazz,%20NuJazz,%20Future%20Jazz/
HotKey=0
IDList=
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,1


Since then, whenever I do a "Save As" or "Open" from an application and browse to the Desktop, or if the desktop has already been remembered by the last "Save" or "Open", this triggers ZoneAlarm with an outgoing connection request to that FTP site via Port 21.
Here's an example from the ZoneAlarm log:
Description      Paint Shop Pro 7 requested permission to access the internet.
Rating           High
Date / Time      2013-09-19 22:37:22+1:00
Type             Repeat Program
Program          C:\Program Files\Jasc Software Inc\Paint Shop Pro 7\psp.exe
Source IP        
Destination IP   123.456.789.00:21
Direction        Outgoing (connect)
Action Taken     Blocked (once)/Auto
Count            1
Source DNS       
Destination DNS  
Policy           Personal Policy


I haven't yet "allowed" this through ZoneAlarm, but neither have I "denied" it and remembered that setting, because I've been messing with the file to see what exactly is in that URL which should cause the program that is saving or opening a file to/from the same folder as the *.URL to try and run it as a command.

I've lost track a little bit with what portions I have removed from the url and retested the application, because it involves closing and reopening the same application for each test after editing the shortcut target.  I haven't exhaustively tested all applications either, because some I had already blocked from accessing the Internet with the "remember setting" in ZoneAlarm.

I have moved the file to a FAT32 drive and then back again to NTFS to remove any Alternate Data Streams from it if any existed.  I also tested it with SysInternals streams.exe which tells me that there are no ADStreams.

What I have discovered is that if I move the *.URL file to the root of the C: Drive (NTFS) or my 2nd internal drive (E: FAT32), I get the same ZoneAlarm interception.  It also happens if I move it into folders thereof, but I haven't yet tested beyond one folder depth.

This DOES NOT happen with *.URL files where the protocol is HTTP:// or FILE://
I haven't tested with any other protocols.

Has anybody seen this behaviour before, or does anybody know why a *.URL file with the FTP Protocol (and possibly the ~ and %20 characters in it) should somehow be instructing an application to access that site?

Bill
Avatar of Dave Baldwin
Dave Baldwin

The ~ designates a user's home directory on a Linux server and %20 characters represent spaces in a correctly URL-encoded query string or link.  The comma-delimited format of the directory name is very unusual.  When you refresh your desktop, Windows Explorer goes thru the links and requests an icon for that link from the program that is apparently assigned to that extension.  HTTP:// will be handled by the default web browser and FILE:// might also.  I'm not sure why Paint Shop Pro 7 (do you have my computer?) would be the assigned program for FTP://.
Avatar of BillDL

ASKER

Thanks Dave

That's a good point about Windows Explorer going through all the links looking for an icon to display.

The default icon, on a Windows XP system with IE8 as default browser, is the blue "e" icon resource in "C:\WINDOWS\system32\url.dll".  This is set in the registry key:
[HKEY_CLASSES_ROOT\InternetShortcut\DefaultIcon]
as:
%SystemRoot%\system32\url.dll,0

So, unless the target website has been visited and has downloaded and cached a "favicon", this does not have to be set against the "IconIndex=" and  "IconFile=" lines of the URL file.

An FTP site won't normally have a favicon to download and cache.

When I use the URL file's Properties dialog and change the icon to a locally stored *.ico file, I still get the notification.  The same is true if I use the IconFile and IconIndex values in the URL file's code to set this.

I did find a very old question of mine about IE7 Favorites, but it didn't hold any clues.

While it is generally accepted that "The Desktop" is just another folder with special attributes, I think that Windows Explorer calls "ieframe.dll" to read the values in *.URL files.  Given that Internet Explorer 8 is really ieframe.dll:

[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
@="rundll32.exe ieframe.dll,OpenURL %l"

then maybe it's a bug in the way the "URL=" value, in what is just an INI file by another name, is read and interpreted?

When changed from ftp:// to http:// in the URL= line, but leaving everything else the same, I don't get the same ZoneAlarm notification.

This is puzzling.  I think the next step will be to try and find out what data is passed when I allow what ZoneAlarm has blocked.  Nothing seems to happen visually and it then just shows the Save As or Open dialogs and I can continue normally.  It doesn't try to launch the default browser or anything.
When changed from ftp:// to http:// in the URL= line, but leaving everything else the same, I don't get the same ZoneAlarm notification.

What did I say?  Go into Folder Option under File Types and see what is there.  On my computer there is an 'open' but no assigned program.
Avatar of BillDL

ASKER

Yes, sorry Dave.  I meant to respond to that.  Although I use Firefox as my main browser, I have not set it as the default browser.  The same was true with Chrome when I was using that all the time until recently.  I've just got into the habit of copying/pasting with the right mouse button, and keep forgetting to set FF as the default.

I see by the icons in your screenshot that Firefox is your default.

With IE still set as default, I still have the standard command for the "open" action under the "URL: File Transfer Protocol" file type.

I will back up the registry key and remove the association, and post back later with the results.
I don't have anything on the 'DDE' lines and the bottom line says System.
Avatar of BillDL

ASKER

I deleted the "open" action using the dialog shown in the previous comment, confirmed that the "open" registry key had been deleted under:
[HKEY_CLASSES_ROOT\ftp\shell]
and rebooted, but the same issue persists.

I reinstated the key from a backup, deleted the DDE key in Regedit, and changed the associated program to Notepad.  I still get a prompt from ZoneAlarm.

Now I'm puzzled.

I have just completely denied Paint Shop Pro 7 in ZoneAlarm meantime.
Maybe this is a Zone Alarm problem instead?
Avatar of BillDL

ASKER

I've considered that, but I really don't know how to tell.

This is quite an old version of the (free) ZoneAlarm that I kept going back to because I didn't like the more recent ones.  It's easy to use, easy to clean up logs and maintain, and the popups are how I like them.  I don't really use it for anything other than a "new program blocker", some very basic filtering of traffic, and as an "internet lock" when the screensaver kicks in.  It's not really a full firewall by any means, but has been quite handy for the odd malicious or annoying process here and there.  I have other filtering in my DSL "gateway" modem, and have real-time antivirus protection, and together it's all reasonably safe.  I have never had an issue like this before, but then again I can't recall having done a "Save As" to a folder containing an FTP protocol *.URL file, because I would tend to save them to my favorites.

I think I'm going to install a packet sniffer like WireShark and see if any data is sent out when I allow PsP the access.
Ooh, this is lovely, CSS massive failure on Friday!  Wonder how long this will last.

Let me know what Wireshark says.
Avatar of BillDL

ASKER

I wondered why the "icons" above the comments box and other page elements had become more basic in appearance.  Web designers tinkering again?

When I deleted this key:
[HKEY_CLASSES_ROOT\ftp\shell\open]
the next time I started IE it told me that it wasn't the default browser.  In an effort to keep it as the default until I have finished trying to find out what is happening here, I set it as default and the original contents of the above key were recreated.

I'm not sure if I will be able to figure out what WireShark tells me, but I will try later.
>> I wondered why the "icons" above the comments box

Oh good!  It's not just me then.   phew!
Yes, they're tinkering again still.  Not that they're going to do anything we've asked them to do but they do stay busy.
Avatar of BillDL

ASKER

I actually like the rather sparse layout.  Kind of minimalist, but still far too stretched out than it needs to be.  It should be taken back to the "old look" before the previous pastel-shaded wonder of a site, where comments and listings were prominent and closely laid out so you didn't have to scroll constantly.  I would have thought that type of layout would have been more suited to small mobile screens that all the elements stretched out further than my ex-wife's knees.

Anyway, I ran SysInternals Process Monitor at the same time as I had WireShark running and committed to allowing the ZoneAlarm prompt for Paint Shop Pro to connect to the Internet.  It took a bit of fast Alt-Tabbing and clicking to get it done.

In the Process Monitor results I could clearly see that the files in the folder that I wanted to do a "File > Save As" were being listed and inspected, and that the process found the file which is currently named "Music.url".

It immediately began to query FTP-related registry keys for values, and in so doing I could see that it was looking for programs associated with the FTP protocol.  It cross-referenced "ieframe.dll" (the main resource for IE) a number of times and also "msieftp.dll".  I believe "msieftp" was what provided Windows Explorer with the resources to present the contents of FTP sites with drag and drop functionality as though you were working locally. I think this is "passive FTP".  I say "provided", because I haven't seen this behaviour since IE6 in Windows 98.

I saw successful outbound UDP traffic from:
<MyComputername>:1667 to 192.168.0.1:domain
and an inbound one from and to the same.

UDP Port 1667 apparently relates to netview-aix-7, whatever that may be.
192.168.0.1 is my modem's internal IP address.

In case you are wondering, I have a Dynamically Assigned IP Address for my Internet connection, and I immediately logged out and back in again to change my IP after I did this.  I used my other XP computer that I would be prepared to wipe if something backfired, and I made sure that there were no drives with any important or sensitive data on.

To be honest, I am a bit worried about what was transmitted and whether or not it was received, and in what format.  I looked briefly back to the "ftp://yyy.yyy.yyy.yy/~mp3_MUSIC/" folder to see if any junk files had actually been uploaded, but I couldn't see any new files.  The activity was more than likely logged, and I am not keen on a Russian Mafia seeking me out.  Generally I don't like tinkering with this type of thing, but curiosity got the better of me.

I have attached the WireShark results in various formats, but I am not sure if it is possible to actually convert and save out the packet data intercepted by the program into the format that was originally transmitted.

Any idea if that is possible to do?


Packets-Full.doc  Packets-Full.txt  Packet-Summary.csv  Packet-Summary.xls
Oh my God, look at the state of these "Upload" and "Submit" buttons.  Screaming orange with fuzzy thin white text.  I wonder if the site complies with Disability Discrimination recommendations?

Why the hell do we need a football field around each of the embedded attachments?
It appears that the "195.xx.xx.xx" block is European servers and I did see the 'ru' email address in the file.  Other than curiosity, why are you keeping this on your desktop?
Avatar of BillDL

ASKER

Yes, a Russian site with a bunch of MP3s and such, but it also had a couple of less common file types that I was looking for to examine in connection with another question.  After poking around in it for a while I happened upon a folder with content by Al Di Meola and BB King, and that's why the shortcut has that path in it.  That's not the folder where I found the files I was looking for.  I actually forgot that I had dumped it on my Desktop until I started noticing this odd behaviour with all kinds of programs and started scanning for viruses.  It's now in my C: Drive after moving it around all over the place between drives and folders to verify that I wasn't imagining things.  At the time it was on my desktop, where it's so cluttered it's easy to forget that I had saved something no longer needed.
posted in the wrong Q. comment removed.
Avatar of BillDL

ASKER

It's confusing having several browser tabs open at one time and they all end in Q_xxxxxxxx.html#ayyyyyyyy ;-)
Avatar of BillDL

ASKER

In Wireshark:
Right-click on one of the UDP packets > Follow UDP Stream > Filter out unwanted streams > Save As raw data.
Use a hex editor to remove unwanted data or use a forensic tool to get recognisable data out of it, and save out as a file matching the file header acronym, such as JFIF for a JPG file.

I think I know what data was transferred.  Apart from the usual requests and responses the only data that seems to have been transferred was a full Linux/Unix format directory listing back to me from the Server in response to a "LIST" command sent by me.  There are no file headers or other recognisable binary files in the data from me to the Server.
dr-xr-xr-x   1 user     group           0 Feb 27 08:24 .
drwxrwxrwx   1 user     group           0 Nov 04  2012 ..
drwxrwxrwx   1 user     group           0 Feb 22 06:57 ~mp3_MUSIC-2010~
drwxrwxrwx   1 user     group           0 Dec 31  2012 ~mp3_MUSIC-2011~
drwxrwxrwx   1 user     group           0 Jul 10 05:39 ~mp3_MUSIC-2012~
drwxrwxrwx   1 user     group           0 Sep 20 07:34 ~mp3_MUSIC-2013~
drwxrwxrwx   1 user     group           0 Oct 21  2012 Age, New Age, Celtic
drwxrwxrwx   1 user     group           0 Nov 24  2012 Classical, Classical crossover, Neoclassical
-rw-rw-rw-   1 user     group         106 Dec 05  2010 desktop.ini
drwxrwxrwx   1 user     group           0 Oct 11  2012 Dub & Reggae
drwxrwxrwx   1 user     group           0 Oct 11  2012 Grand Collection
drwxrwxrwx   1 user     group           0 Dec 24  2012 Greatest Hits, The Best Of Greatest Hits
drwxrwxrwx   1 user     group           0 Jun 18 07:49 Instrumental, Romantic, Atmospheric Egyptian, Folk Ambient
drwxrwxrwx   1 user     group           0 Feb 14 09:36 Jazz, Blues, Soul, Funk, Acid jazz, NuJazz, Future Jazz
drwxrwxrwx   1 user     group           0 Nov 03  2012 Musical Rock Opera
drwxrwxrwx   1 user     group           0 Sep 15 05:30 Pop Dance Electronic
drwxrwxrwx   1 user     group           0 Feb 08 05:08 Pump
drwxrwxrwx   1 user     group           0 Jul 26 00:07 Rock,Gothic, Metal. Alternative
drwxrwxrwx   1 user     group           0 Jan 02 07:56 Tribute
drwxrwxrwx   1 user     group           0 Sep 12 12:49 USSR & Russian Collection


 Still a puzzle WHY a *.URL file should be able to make a program log into an FTP site and ask for a directory listing.
WHY a *.URL file should be able to make a program log into an FTP site and ask for a directory listing.
That would be the default action for an FTP URL in a browser.

And FTP should be TCP, not UDP.
Avatar of BillDL

ASKER

Yes, but the action of simply browsing to a folder in the "Save As" and "Open" dialogs (really just Windows Explorer) should not be able to actually "run" a file, regardless of the extension.  It isn't launching Internet Explorer, although I'm fully aware that a lot of activity can take place without a GUI.

Whoops, yes, my mistake.  In Wireshark it is Right-Click > Follow TCP Stream.  The UDP traffic was just communication between Ethernet and Modem and I was thinking about that when I typed the comment.
ASKER CERTIFIED SOLUTION
Avatar of Dave Baldwin
Dave Baldwin
This solution is only available to members.
Avatar of BillDL

ASKER

I GOT IT !!

2 simple tick-boxes in Internet Options > Advanced tab.
"Enable FTP Folder View (outside Internet Explorer)"
"Use Passive FTP (for firewall and DSL modem compatibility)"
Relevant Registry Setting (values yes or no):

[HKEY_CURRENT_USER\Software\Microsoft\FTP]
"Use PASV"="yes"
"Use Web Based FTP"="yes"

I've been going over and over your statement "An 'FTP' link can be opened by Windows Explorer" in my mind trying to remember when I last saw an FTP site being shown in Windows Explorer.  It must have been way back when I used IE6 in Windows 98se when I first started evening classes at college and was using the MS FTP sites a lot for DOS and MASM resources.

I can't remember ever accessing an FTP site in Windows Explorer view in Win2000 or XP, and I can't believe that I forgot about those tick-boxes in Internet Options, despite the Advanced tab being one of the first things I look through when configuring someone's computer or setting up one for myself.

What led me to it was that I kept looking back at the Resource Monitor activity where it called "msieftp.dll" shortly after accessing the files in the same folder as the troublesome *.URL file and looking up FTP file associations in the registry.

On inspecting "msieftp.dll" I see that it is an old IE6 XP file that has remained untouched by SP2, SP3, and IE7 and 8.  Amongst the resources I found this in the embedded *.INF setup file:  
; Give users the options of using the OLD FTP UI
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","RegPath",,"Software\Microsoft\Ftp"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","Text",,"%DESC_USENEWUI%"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","Type",,"checkbox"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","CheckedValue",,"no"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","UncheckedValue",,"yes"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","ValueName",,"Use Web Based FTP"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","DefaultValue",,"no"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","HKeyRoot",65537,0x80000001
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","HelpID",,"iexplore.hlp#50560"

; Mill #120818: FTP either uses PORT or PASV but only one.  We are guaranteed that some
; users will have firewalls, switches, or routers that will be incompatible in one of the
; methods and support the other.  Since there isn't any way for us to take care of this
; automatically, we need to give the user the option to choose.  We default to PORT
; since that is the most compatible (MS Proxy, and others).  The user can use the
; Advanced Tab of the Internet Control Panel to switch.  PASV will work on US West
; DSL modems for example.
; Give users the options of using PASV
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","RegPath",,"Software\Microsoft\Ftp"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","Text",,"%DESC_USEPASV%"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","Type",,"checkbox"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","CheckedValue",,"yes"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","UncheckedValue",,"no"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","ValueName",,"Use PASV"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","DefaultValue",,"yes"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","HKeyRoot",65537,0x80000001
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","HelpID",,"iexplore.hlp#50588"


So, thanks for keeping me sane and focused on the Windows Explorer aspect.
Avatar of BillDL

ASKER

This was the comment that made me look back again at the file which allows Windows to show an FTP site as though it was right there in Windows Explorer rather than having to open it in Internet Explorer.
Thanks, I can see the reason I never encountered that problem is because I have never saved an 'FTP' link like that because I have always had 'folder view' checked.  I do still have one FTP link in Windows Explorer that actually works to connect to a remote server.  But it is probably the only client link I have that will work with Microsoft FTP.  Most others require SFTP or something else more sophisticated.
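
An added example, not part of the original thread or any poster's code: a Python audit that lists the *.URL files under a folder whose URL= scheme is ftp (the kind of shortcut discussed above) and decodes the two HKCU\Software\Microsoft\FTP values using the CheckedValue encoding from the quoted INF. The function names, the shortened sample URL, the http shortcut and the broken file are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

# Checkbox encoding from the INF text quoted in the thread. Key: value name under
# HKCU\Software\Microsoft\FTP -> (checkbox label, CheckedValue, DefaultValue).
FTP_OPTIONS = {
    "Use Web Based FTP": ("Enable FTP folder view", "no", "no"),
    "Use PASV": ("Use Passive FTP", "yes", "yes"),
}

def read_shortcut_url(path):
    """Return the URL= value of a .URL file, or None if there is none."""
    # interpolation=None: the '%20' escapes would otherwise raise on get().
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(Path(path).read_text(encoding="latin-1"))
    except configparser.Error:
        return None  # not INI-shaped, so not a usable Internet shortcut
    return parser.get("InternetShortcut", "URL", fallback=None)

def find_network_shortcuts(folder, schemes=("ftp",)):
    """List (file name, URL) for .URL files under folder with a scheme in schemes."""
    hits = []
    for path in sorted(Path(folder).rglob("*")):
        if not (path.is_file() and path.suffix.lower() == ".url"):
            continue
        url = (read_shortcut_url(path) or "").strip()
        if url.partition(":")[0].lower() in schemes:
            hits.append((path.name, url))
    return hits

def decode_ftp_options(values):
    """Map registry strings ('yes'/'no') to checkbox states using the INF encoding."""
    states = {}
    for name, (label, checked, default) in FTP_OPTIONS.items():
        states[label] = values.get(name, default).lower() == checked
    return states

def demo():
    """Run both checks on constructed sample data and return the results."""
    # Constructed sample: the thread's shortcut with its path shortened.
    music = ("[InternetShortcut]\n"
             "URL=ftp://123.456.789.00/~mp3_MUSIC/Jazz,%20Blues/\n"
             "HotKey=0\nIDList=\n"
             "[{000214A0-0000-0000-C000-000000000046}]\nProp3=19,1\n")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "Music.url").write_text(music, encoding="latin-1")
        (root / "Site.URL").write_text("[InternetShortcut]\nURL=http://example.com/\n")
        (root / "broken.url").write_text("no section header here\n")
        hits = find_network_shortcuts(root)
    # Values as posted in the thread: both strings are "yes".
    states = decode_ftp_options({"Use PASV": "yes", "Use Web Based FTP": "yes"})
    return hits, states

if __name__ == "__main__":
    print(demo())
```

Note the inverted encoding for the folder-view checkbox: by the quoted INF, "Use Web Based FTP"="yes" is the unticked state, so the values posted above decode to folder view off and passive FTP on.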