What is SHTML.EXE?

Posted on 2003-03-23
Medium Priority
Last Modified: 2008-01-09
I have a small web server running W2K / IIS 5 and a client of mine is moving his web site from another hosting company to my server.  This client wants to use FrontPage extensions, which I do have installed and have configured for his virtual domain.

Problem is, he has some order forms that he created that no longer work now that his site is on our server.  Looking at one of his order forms, I find this tag:

<form method="POST" action="_vti_bin/shtml.exe/order_form2.htm" enctype="x-www-form-encoded" webbot-action="--WEBBOT-SELF--">

His order form fails to function on my server.  There is no "_vti_bin" folder to start with, not to mention the SHTML.EXE file does not exist either.

I don't like the idea of a client executing an EXE file on my server in the first place.   It would appear from the _vti_bin path that this may be a Microsoft EXE that he is trying to use.  What is SHTML.EXE, and where does it come from, and can it be trusted?

Question by:Kapusta

Expert Comment

ID: 8191088
Indeed that is a FrontPage extension. There was a problem with that file making you vulnerable to a remote Denial of Service attack that disables all FrontPage operations on a web site. See: http://msdn.microsoft.com/workshop/languages/fp/2000/winfpse.asp

I do not use Frontpage extensions but that folder and files sound similar to your CGI-BIN and its files, so I would assume it should have been installed when you installed extensions. If not then you need to create that folder, map it as a virtual directory in IIS, and then place that file into it and your form will run.


Author Comment

ID: 8191141
If I use IIS's  Internet Services Manager, and open the "node" showing this user's virtual domain name, I can see a VIRTUAL _vti_bin folder pointing to the c:\ drive.   In that folder is a SHTML.DLL (not an .EXE).

I don't feel it is my responsibility to be debugging this client's web page, but at the same time, if access to this DLL is normal for using FrontPage extensions, then I don't have a problem with him accessing it.

Nonetheless, his current HTML does not work, and I have no idea what he needs to do to make it work.

Does the fact that he has coded SHTML.EXE (as opposed to SHTML.DLL) indicate that his previous web host was running IIS 4 instead of IIS 5?

Expert Comment

ID: 8191639
The permissions for that virtual directory need to allow executables, check and see what it is currently set for. However you should only do that as follows:

Normally you would have only ONE _vti_bin folder for your whole server (and it needs to have executables as permissions), and every domain that wants FrontPage extensions has it mapped to their account as a virtual directory. This folder is isolated and users cannot upload their own files into it. If they want an executable placed in there then they have to submit it to you first so you can check it for safety before you place it into that folder. That way every account on your server is using the same SHTML.EXE for example, and it is one you know to be safe. I would not grant executables permissions to any user on the server where he can upload an executable and then execute it at will all on his own.
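The rule in the comment above can be expressed as an audit over IIS virtual-directory settings. This is an added example, not part of the original thread: the metabase paths, site folders and the `audit` helper are constructed for illustration, the shared folder path is the one quoted later in the thread, and the AccessFlags bit values are the standard IIS metabase ones.

```python
# IIS metabase AccessFlags bits (values as defined in iiscnfg.h).
ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE = 0x1, 0x2, 0x4
ACCESS_SOURCE, ACCESS_SCRIPT = 0x10, 0x200

# Assumption: the one shared extensions folder, path as quoted in the thread.
SHARED_VTI_BIN = (r"c:\program files\common files\microsoft shared"
                  r"\web server extensions\40\_vti_bin")

WRITE_EXEC = "write and execute/script enabled on the same directory"
EXEC_OUTSIDE = "executables allowed outside the shared _vti_bin"


def audit(vdirs):
    """Return (metabase_path, finding) for each directory that breaks the rule.

    vdirs: iterable of (metabase_path, physical_path, access_flags).
    Assumption: every directory except the shared _vti_bin holds content
    that a site owner can upload or change.
    """
    findings = []
    for meta, phys, flags in vdirs:
        shared = phys.lower().rstrip("\\") == SHARED_VTI_BIN
        runs_code = flags & (ACCESS_EXECUTE | ACCESS_SCRIPT)
        if flags & ACCESS_WRITE and runs_code:
            # Anything written over HTTP could be run straight away.
            findings.append((meta, WRITE_EXEC))
        elif flags & ACCESS_EXECUTE and not shared:
            # "Scripts and Executables" on a folder the client populates.
            findings.append((meta, EXEC_OUTSIDE))
    return findings


# Constructed sample: two hosted sites (paths and site numbers are made up).
SAMPLE = [
    # Home directory set to "Scripts and Executables" plus script source access.
    ("W3SVC/3/ROOT", r"d:\sites\client1",
     ACCESS_READ | ACCESS_SOURCE | ACCESS_SCRIPT | ACCESS_EXECUTE),
    # The shared extensions folder mapped into the site: allowed to execute.
    ("W3SVC/3/ROOT/_vti_bin", SHARED_VTI_BIN.upper(),
     ACCESS_READ | ACCESS_SCRIPT | ACCESS_EXECUTE),
    # Scripts only, no executables, no write: passes.
    ("W3SVC/4/ROOT", r"d:\sites\client2", ACCESS_READ | ACCESS_SCRIPT),
    # Writable upload folder that also runs scripts.
    ("W3SVC/4/ROOT/uploads", r"d:\sites\client2\uploads",
     ACCESS_READ | ACCESS_WRITE | ACCESS_SCRIPT),
]

if __name__ == "__main__":
    for meta, finding in audit(SAMPLE):
        print(f"{meta}: {finding}")
```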


Author Comment

ID: 8191685
>> The permissions for that virtual directory need to
>>allow executables, check and see what it is currently
>> set for.

The "Home Directory" properties for this user's virtual domain are set for:

X Script Source Access
X Read
X Log visits

Execute permissions = "Scripts and Executables"

>>every domain that wants Frontpage extensions has it
>> mapped to their account as a virtual directory.

This client's domain DOES have a virtual link to c:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB SERVER EXTENSIONS\40\_vti_bin

...in which I have a SHTML.EXE file.

This user's HTML order form continues to fail, displaying this as the error message result:

"The specified module could not be found."

To me, his "action" code seems invalid:


How can you append an HTM file at the end of a path that contains an EXE file?!  It seems invalid from a simple path standpoint.


Author Comment

ID: 8192683
Here's the culprit:

Microsoft FrontPage Server Extensions:
   http://www.americangasproducts.com - Error #160005 Message: Bad response from SMTP host'ns1': 550 not local host pacbell.net, not a gateway .

The email address that the form was sending to violates our security settings on our SMTP server (which is on the same machine as IIS).  Only email sent from accounts that exist on our server are permitted to relay mail through our server.

Accepted Solution

Computer101 earned 0 total points
ID: 12327105
PAQed, with points refunded (200)

E-E Admin
