• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 185
  • Last Modified:

Change Registry From Internet Explorer Web Page HTML

Our company has an application that is launched from a browser.  It works fine in everything except XP SP2.

In XP SP2, the JAVA application starts and a status bar gets appended to the Window.  The status bar reports "App Inited()", which is all well and good.  The problem is that the status bar obscures active buttons required to do stuff in the application.

To remove the status bar, you have to configure IE to trust the website in "Trusted Sites".  It is a faff to get users to do this, or to talk them through it.  We would like to find a way to push a registry change that puts the site in their Trusted Sites section of the registry.  They would have to permit it, but it would do all the typing for them so they couldn't get it wrong.

Is there a way to push a registry change to a user from HTML browser code?
1 Solution
Are you serious?  Take a moment and look at what you're asking.  Wouldn't that represent an incredible security flaw - to have a browser that allows incoming HTML code to modify the Windows registry?

You could, of course, try to introduce a virus to do this and any users with inadequate protection would be vulnerable to it.  If I knew how to make such a virus (I don't), it would be against E-E rules to tell you how anyway.

If the registry changes were pushed over the LAN and not via HTTP this would be a normal IT management question.

May I post a non web solution?

If they are on your local LAN, you can force them to load a *.reg file with the appropriate key/value manually or by using a login script (preferred.)

If they are outside of the network, you can e-mail them the reg file (zipped) and have them double click the file.

Needles to say, you can't deliver a reg file via the web, it will get stripped.

stevehibbertAuthor Commented:
Right, sorry to ring alarm bells with this, one, the question is legitimate, though I know saying "Trust me" doesn't cut it.  We have a problem with XP SP2's increased security, IE has to be told to trust our website for the app to work, and getting users to enter the site in their Trusted Sites list is tedious and uses up support time.

I think the suggestion to use a reg file is good.  I'll set up a 'preparation' batch file that will do the required minor operations for the app to work, like tweak the registry, and then give our users links to the batch file (or post it on the web).  The batch file can be delivered by a Winzip self extracting exe and I can get that to trigger the batch file too.

I'm mindful that changing the registry is supposed to be impossible from a website, but I know that snide apps have managed to do it on my machine and I wondered if this was a commonly known method.
before getting into changing the registry you can get rid of the status bar with JavaScript:

<body onLoad="'page.html','test','toolbar=yes,location=yes,menubar=yes,scrollbars=yes,resizable=yes,width=300,height=300'">

in the third argument you could have status=yes added to the parameter list to allow the status bar.

I am not a windows man, however it is/was a trivial task to update the windows registry through viewing a website with Internet Explorer.  I don't know if this has been addressed in recent updates to the OS but it has been a "legitamate vulnerability" for years....

VBScript is allowed to access all of the win32 library, which includes procedures for altering the registry.  VBScript is client side when outside of a container such as the old ASP engine.  This means if you embed VBScript into any web page it is executed on the clients computer and can do what it could if the VBScript was put in a file on the users computer.....say the file is called myFile.vbs on the users disk and they run it, the exact same will happen if the script is passed through IE.  Your clients must use the IE browser in order for you to use VBScript to change the registry as no other browser supports it.  An old game people used to play was to open a clients CD drive when they visited a website with IE.

Unless Microsoft have cut back on the permissions that VBScript has then these still apply.

The clients anti-virii software will more than likely complain, and so it should, but since this is legit you can allow the script on each of the clients.


Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now