Change Registry From Internet Explorer Web Page HTML

Posted on 2005-04-13
Last Modified: 2010-04-07

Our company has an application that is launched from a browser.  It works fine in everything except XP SP2.

In XP SP2, the JAVA application starts and a status bar gets appended to the Window.  The status bar reports "App Inited()", which is all well and good.  The problem is that the status bar obscures active buttons required to do stuff in the application.

To remove the status bar, you have to configure IE to trust the website in "Trusted Sites".  It is a faff to get users to do this, or to talk them through it.  We would like to find a way to push a registry change that puts the site in their Trusted Sites section of the registry.  They would have to permit it, but it would do all the typing for them so they couldn't get it wrong.

Is there a way to push a registry change to a user from HTML browser code?
Question by:stevehibbert
    LVL 33

    Expert Comment

    Are you serious?  Take a moment and look at what you're asking.  Wouldn't that represent an incredible security flaw - to have a browser that allows incoming HTML code to modify the Windows registry?

    You could, of course, try to introduce a virus to do this and any users with inadequate protection would be vulnerable to it.  If I knew how to make such a virus (I don't), it would be against E-E rules to tell you how anyway.
    LVL 29

    Expert Comment


    If the registry changes were pushed over the LAN and not via HTTP this would be a normal IT management question.

    May I post a non web solution?

    LVL 29

    Expert Comment

    If they are on your local LAN, you can force them to load a *.reg file with the appropriate key/value manually or by using a login script (preferred.)

    If they are outside of the network, you can e-mail them the reg file (zipped) and have them double click the file.

    Needles to say, you can't deliver a reg file via the web, it will get stripped.


    Author Comment

    Right, sorry to ring alarm bells with this, one, the question is legitimate, though I know saying "Trust me" doesn't cut it.  We have a problem with XP SP2's increased security, IE has to be told to trust our website for the app to work, and getting users to enter the site in their Trusted Sites list is tedious and uses up support time.

    I think the suggestion to use a reg file is good.  I'll set up a 'preparation' batch file that will do the required minor operations for the app to work, like tweak the registry, and then give our users links to the batch file (or post it on the web).  The batch file can be delivered by a Winzip self extracting exe and I can get that to trigger the batch file too.

    I'm mindful that changing the registry is supposed to be impossible from a website, but I know that snide apps have managed to do it on my machine and I wondered if this was a commonly known method.
    LVL 2

    Accepted Solution

    before getting into changing the registry you can get rid of the status bar with JavaScript:

    <body onLoad="'page.html','test','toolbar=yes,location=yes,menubar=yes,scrollbars=yes,resizable=yes,width=300,height=300'">

    in the third argument you could have status=yes added to the parameter list to allow the status bar.

    I am not a windows man, however it is/was a trivial task to update the windows registry through viewing a website with Internet Explorer.  I don't know if this has been addressed in recent updates to the OS but it has been a "legitamate vulnerability" for years....

    VBScript is allowed to access all of the win32 library, which includes procedures for altering the registry.  VBScript is client side when outside of a container such as the old ASP engine.  This means if you embed VBScript into any web page it is executed on the clients computer and can do what it could if the VBScript was put in a file on the users computer.....say the file is called myFile.vbs on the users disk and they run it, the exact same will happen if the script is passed through IE.  Your clients must use the IE browser in order for you to use VBScript to change the registry as no other browser supports it.  An old game people used to play was to open a clients CD drive when they visited a website with IE.

    Unless Microsoft have cut back on the permissions that VBScript has then these still apply.

    The clients anti-virii software will more than likely complain, and so it should, but since this is legit you can allow the script on each of the clients.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    This article provides a case study on how our local youth baseball league deployed a new website, including the platform selection, implementation and benefits to the league.
    Introduction In this tutorial, I'll explain how to create an animated progress meter in a wireframe prototype developed using Axure RP 7.0 - a leading prototyping tool for designing web sites and software. (For more information about Axure and gett…
    The purpose of this video is to demonstrate how to reset a WordPress password if you are locked out and cannot reset the password. A typical use would be if you cannot access the email to which WordPress would send the password recovery email to…
    The purpose of this video is to demonstrate how to integrate Mailchimp with WordPress, by placing a Mailchimp signup form on a WordPress Page or Post. This will be demonstrated using a Windows 8 PC. Mailchimp will be used. Log into your Mailchi…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now