FTP Shortcut (*.URL File) Tries To Connect When File Saved To Containing Folder

Hello fellow experts.

Windows XP SP3.

This isn't about how to fix an issue, is is about why the issue occurs.

A while ago I was doing a custom google search for some unusual file types somewhere out there on peoples' servers so I could analyse one to try and answer somebody's question, and I found a few on the "Index Of" page of an FTP Server.  I dragged a shortcut from the browser address bar to my desktop so I could return to that site later.

I've changed the IP Address, but the remainder of the path is unchanged.  Here's the code in the *.URL file.  All pretty standard, except perhaps the ~ symbol and the number of spaces in the names that have been replaced by the %20:


Open in new window

Since then, whenever I do a "Save As" or "Open" from an application and browse to the Desktop, or if the desktop has already been remembered by the last "Save" or "Open", this triggers ZoneAlarm with an outgoing connection request to that FTP site via Port 21.
Just one of the examples (IP altered)
Here's an example from the ZoneAlarm log:
Description      Paint Shop Pro 7 requested permission to access the internet.
Rating           High
Date / Time      2013-09-19 22:37:22+1:00
Type             Repeat Program
Program          C:\Program Files\Jasc Software Inc\Paint Shop Pro 7\psp.exe
Source IP        
Destination IP   123.456.789.00:21
Direction        Outgoing (connect)
Action Taken     Blocked (once)/Auto
Count            1
Source DNS       
Destination DNS  
Policy           Personal Policy

Open in new window

I haven't yet "allowed" this through ZoneAlarm, but neither have I "denied" it and remembered that setting, because I've been messing with the file to see what exactly is in that URL which should cause the program that is saving or opening a file to/from the same folder as the *.URL to try and run it as a command.

I've lost track a little bit with what portions I have removed from the url and retested the application, because it involves closing and reopening the same application for each test after editing the shortcut target.  I haven't exhaustively tested all applications either, because some I had already blocked from accessing the Internet with the "remember setting" in ZoneAlarm.

I have moved the file to a FAT32 drive and then back again to NTFS to remove any Alternate Data Streams from it if any existed.  I also tested it with SysInternals streams.exe which tells me that there are no ADStreams.

What I have discovered is that if I move the *.URL file to the root of the C: Drive (NTFS) or my 2nd internal drive (E: FAT32), I get the same ZoneAlarm interception.  It also happens if I move it into folders thereof, but I haven't yet tested beyond one folder depth.

This DOES NOT happen with *.URL files where the protocol is HTTP:// or FILE://
I haven't tested with any other protocols.

Has anybody seen this behaviour before, or does anybody know why a *.URL file with the FTP Protocol (and possibly the ~ and %20 characters in it) should somehow be instructing an application to access that site?

LVL 39
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
The ~ designates a users home directory on a Linux server and %20 characters represent spaces in a correctly URL-encoded query string or link.  The comma-delimited format of the directory name is very unusual.  When you refresh your desktop, Windows Explorer goes thru the links and requests an icon for that link from the program that is apparently assigned to that extention.  HTTP:// will be handled by the default web browser and FILE:// might also.  I'm not sure why Paint Shop Pro 7 (do you have my computer?) would be the assigned program for FTP://.
BillDLAuthor Commented:
Thanks dave

That's a good point about Windows Explorer going through all the links looking for an icon to display.

The default icon, on a Windows XP system with IE8 as default browser, is the blue "e" icon resource in "C:\WINDOWS\system32\url.dll".  This is set in the registry key:
fetched from the registry key:

So, unless the target website has been visited and has downloaded and cached a "favicon", this does not have to be set against the "IconIndex=" and  "IconFile=" lines of the URL file.

An FTP site won't normally have a favicon to download and cache.

When I use the URL file's Properties dialog and change the icon to a locally stored *.ico file, I still get the notification.  The same is true if I use the IconFile and IconIndex values in the URL file's code to set this.

I did find a very old question of mine about IE7 Favorites, but it didn't hold any clues.

While it is generally accepted that "The Desktop" is just another folder with special attributes, I think that Windows Explorer calls "ieframe.dll" to read the values in *.URL files.  Given that Internet Explorer 8 is really ieframe.dll:

@="rundll32.exe ieframe.dll,OpenURL %l"

then maybe it's a bug in the way the "URL=" value, in what is just an INI file by another name, is read and interpreted?

When changed from ftp:// to http:// in the URL= line, but leaving everything else the same, I don't get the same ZoneAlarm notification.

This is puzzling.  I think the next step will be to try and find out what data is passed when I allow what ZoneAlarm has blocked.  Nothing seems to happen visually and it then just shows the Save As or Open dialogs and I can continue normally.  It doesn't try to launch the default browser or anything.
Dave BaldwinFixer of ProblemsCommented:
When changed from ftp:// to http:// in the URL= line, but leaving everything else the same, I don't get the same ZoneAlarm notification.

What did I say?  Go into Folder Option under File Types and see what is there.  On my computer there is an 'open' but no assigned program.
Folder Options
Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

BillDLAuthor Commented:
Yes, sorry Dave.  I meant to respond to that.  Although I use Firefox as my main browser, I have not set it as the default browser.  The same was true with chrome when I was using that all the time until recently.  I've just got into the habit of copying/pasting with the right mouse button, and keep forgetting to set FF as the default.

I see by the icons in your screenshot that Firefox is your default.

With IE still set as default, I still have the standard command for the "open" action under the "URL: File Transfer Protocol" file type.All very standard as far as I can see.I will back up the registry key and remove the association, and post back later with the results.
Dave BaldwinFixer of ProblemsCommented:
I don't have anything on the 'DDE' lines and the bottom line says System.
BillDLAuthor Commented:
I deleted the "open" action using the dialog shown in the previous comment, confirmed that the "open" registry key had been deleted under:
and rebooted, but the same issue persists.

I reinstated the key from a backup, deleted the DDE key in Regedit, and changed the associated program to Notepad.  I still get a prompt from ZoneAlarm.

Now I'm puzzled.

I have just completely denied Paint Shop Pro 7 in ZoneAlarm meantime.
Dave BaldwinFixer of ProblemsCommented:
Maybe this is a Zone Alarm problem instead?
BillDLAuthor Commented:
I've considered that, but I really don't know how to tell.

This is quite an old version of the (free) ZoneAlarm that I kept going back to because I didn't like the more recent ones.  It's easy to use, easy to clean up logs and maintain, and the popups are how I like them.  I don't really use it for anything other than a "new program blocker", some very basic filtering of traffic, and as an "internet lock" when the screensaver kicks in.  It's not really a full firewall by any means, but has been quite handy for the odd malicious or annoying process here and there.  I have other filtering in my DSL "gateway" modem, and have real-time antivirus protection, and together it's all reasonably safe.  I have never had an issue like this before, but then again I can't recall having done a "Save As" to a folder containing an FTP protocol *.URL file, because I would tend to save them to my favorites.

I think I'm going to install a packet sniffer like WireShark and see if any data is sent out when I allow PsP the access.
Dave BaldwinFixer of ProblemsCommented:
Ooh, this is lovely, CSS massive failure on Friday!  Wonder how long this will last.

Let me know what Wireshark says.
BillDLAuthor Commented:
I wondered why the "icons" above the comments box and other page elements had become more basic in appearance.  Web designers tinkering again?

When I deleted this key:
the next time I started IE it told me that it wasn't the default browser.  In an effort to keep it as the default until I have finished trying to find out what is happening here, I set it as default and the original contents of the above key were recreated.

I'm not sure if I will be able to figure out what WireShark tells me, but I will try later.
>> I wondered why the "icons" above the comments box

Oh good!  It's not just me then.   phew!
Dave BaldwinFixer of ProblemsCommented:
Yes, they're tinkering again still.  Not that they're going to do anything we've asked them to do but they do stay busy.
BillDLAuthor Commented:
I actually like the rather sparse layout.  Kind of minimalist, but still far too stretched out than it needs to be.  It should be taken back to the "old look" before the previous pastel-shaded wonder of a site, where comments and listings were prominent and closely laid out so you didn't have to scroll constantly.  I would have thought that type of layout would have been more suited to small mobile screens that all the elements stretched out further than my ex-wife's knees.

Anyway, I ran SysInternals Process Monitor at the same time as I had WireShark running and committed to allowing the ZoneAlarm prompt for Paint Shop Pro to connect to the Internet.  It took a bit of fast Alt-Tabbing and clicking to get it done.

In the Process Monitor results I could clearly see that the files in the folder that I wanted to do a "File > Save As" were being listed and inspected, and that the process found the file which is currently named "Music.url".

It immediately began to query FTP-related registry keys for values, and in so doing I could see that it was looking for programs associated with the FTP protocol.  It cross-referenced "ieframe.dll" (the main resource for IE) a number of times and also "msieftp.dll".  I believe "msieftp" was what provided Windows Explorer with the resources to present the contents of FTP sites with drag and drop functionality as though you were working locally. I think this is "passive FTP".  I say "provided", because I haven't seen this behaviour since IE6 in Windows 98.

I saw successful outbound UDP traffic from:
<MyComputername>:1667 to
and an inbound one from and to the same.

UDP Port 1667 apparently relates to netview-aix-7, whatever that may be. is my modem's internal IP address.

In case you are wondering, I have a Dynamically Assigned IP Address for my Internet connection, and I immediately logged out and back in again to change my IP after I did this.  I used my other XP computer that I would be prepared to wipe if something backfired, and I made sure that there were no drives with any important or sensitive data on.

To be honest, I am a bit worried about what was transmitted and whether or not it was received, and in what format.  I looked briefly back to the "ftp://yyy.yyy.yyy.yy/~mp3_MUSIC/" folder to see if any junk files had actually been uploaded, but I couldn't see any new files.  The activity was more than likely logged, and I am not keen on a Russian Maffia seeking me out.  Generally I don't like tinkering with this type of thing, but curiosity got the better of me.

I have attached the WireShark results in various formats, but I am not sure if it is possible to actually convert and save out the packet data intercepted by the program into the format that was originally transmitted.

Any idea if that is possible to do?

Packets-Full.doc  Packets-Full.txt  Packet-Summary.csv  Packet-Summary.xls
Oh my God, look at the state of these "Upload" and "Submit" buttons.  Screaming orange with fuzzy thin white text.  I wonder if the site complies with Disability Discrimination recommendations?

Why the hell do we need a football field around each of the embedded attachments?
Dave BaldwinFixer of ProblemsCommented:
It appears that the "195.xx.xx.xx" block is European servers and I did see the 'ru' email address in the file.  Other than curiosity, why are you keeping this on your desktop?
BillDLAuthor Commented:
Yes, a Russian site with a bunch of MP3s and such, but it also had a couple of less common file types that I was looking for to examine in connection with another question.  After poking around in it for a while I happened upon a folder with content by Al Di Meola and BB King, and that's why the shortcut has that path in it.  That's not the folder where I found the files I was looking for.  I actually forgot that I had dumped it on my Desktop until I started noticing this odd behaviour with all kinds of programs and started scanning for viruses.  It's now in my C: Drive after moving it around all over the place between drives and folders to verify that I wasn't imagining things.  At the time it was on my desktop, where it's so cluttered it's easy to forget that I had saved something no longer needed.
posted in the wrong Q. comment removed.
BillDLAuthor Commented:
It's confusing having several browser tabs open at one time and they all end in Q_xxxxxxxx.html#ayyyyyyyy ;-)
BillDLAuthor Commented:
In Wireshark:
Right-click on one of the UDP packets > Follow UDP Stream > Filter out unwanted streams > Save As raw data.
Use a hex editor to remove unwanted data or use a forensic tool to get recognisable data out of it, and save out as a file matching the file header acronym, such as JFIF for a JPG file.

I think I know what data was transferred.  Apart from the usual requests and responses the only data that seems to have been transferred was a full Linux/Unix format directory listing back to me from the Server in response to a "LIST" command sent by me.  There are no file headers or other recognisable binary files in the data from me to the Server.
dr-xr-xr-x   1 user     group           0 Feb 27 08:24 .
drwxrwxrwx   1 user     group           0 Nov 04  2012 ..
drwxrwxrwx   1 user     group           0 Feb 22 06:57 ~mp3_MUSIC-2010~
drwxrwxrwx   1 user     group           0 Dec 31  2012 ~mp3_MUSIC-2011~
drwxrwxrwx   1 user     group           0 Jul 10 05:39 ~mp3_MUSIC-2012~
drwxrwxrwx   1 user     group           0 Sep 20 07:34 ~mp3_MUSIC-2013~
drwxrwxrwx   1 user     group           0 Oct 21  2012 Age, New Age, Celtic
drwxrwxrwx   1 user     group           0 Nov 24  2012 Classical, Classical crossover, Neoclassical
-rw-rw-rw-   1 user     group         106 Dec 05  2010 desktop.ini
drwxrwxrwx   1 user     group           0 Oct 11  2012 Dub & Reggae
drwxrwxrwx   1 user     group           0 Oct 11  2012 Grand Collection
drwxrwxrwx   1 user     group           0 Dec 24  2012 Greatest Hits, The Best Of Greatest Hits
drwxrwxrwx   1 user     group           0 Jun 18 07:49 Instrumental, Romantic, Atmospheric Egyptian, Folk Ambient
drwxrwxrwx   1 user     group           0 Feb 14 09:36 Jazz, Blues, Soul, Funk, Acid jazz, NuJazz, Future Jazz
drwxrwxrwx   1 user     group           0 Nov 03  2012 Musical Rock Opera
drwxrwxrwx   1 user     group           0 Sep 15 05:30 Pop Dance Electronic
drwxrwxrwx   1 user     group           0 Feb 08 05:08 Pump
drwxrwxrwx   1 user     group           0 Jul 26 00:07 Rock,Gothic, Metal. Alternative
drwxrwxrwx   1 user     group           0 Jan 02 07:56 Tribute
drwxrwxrwx   1 user     group           0 Sep 12 12:49 USSR & Russian Collection

Open in new window

 Still a puzzle WHY a *.URL file should be able to make a program log into an FTP site and ask for a directory listing.
Dave BaldwinFixer of ProblemsCommented:
WHY a *.URL file should be able to make a program log into an FTP site and ask for a directory listing.
That would be the default action for an FTP URL in a browser.

And FTP should be TCP, not UDP.
BillDLAuthor Commented:
Yes, but the action of simply browsing to a folder in the "Save As" and "Open" dialogs (really just Windows Explorer) should not be able to actually "run" a file, regardless of the extension.  It isn't launching Internet Explorer, although I'm fully aware that a lot of activity can take place without a GUI.

Whoops, yes, my mistake.  In Wireshark it is Right-Click > Follow TCP Stream.  The UDP traffic was just communication between Ethernet and Modem and I was thinking about that when I typed the comment.
Dave BaldwinFixer of ProblemsCommented:
should not be able to actually "run" a file
That of course isn't completely true.  While it may not 'run' it, Windows Explorer does open the file to get the icon and other file information.  An 'FTP' link can be opened by Windows Explorer and it might be trying to get info from the file.  But I don't know for sure.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BillDLAuthor Commented:


2 simple tick-boxes in Internet Options > Advanced tab.
"Enable FTP Folder View (outside Internet Explorer"
"Use Passive FTP (for firewall and DSL modem compatibility)"
Unchecked prevents the behaviour   I think the "folder view" FTP needs PSV modeRelevant Registry Setting (values yes or no):

"Use PASV"="yes"
"Use Web Based FTP"="yes"

I've been going over and over your statement "An 'FTP' link can be opened by Windows Explorer" in my mind trying to remember when I last saw an FTP site being shown in Windows Explorer.  It must have been way back when I used IE6 in Windows 98se when I first started evening classes at college and was using the MS FTP sites a lot for DOS and MASM resources.

I can't remember ever accessing an FTP site in Windows Explorer view in Win2000 or XP, and I can't believe that I forgot about those tick-boxes in Internet Options, despite the Advanced tab being one of the first things I look through when configuring someone's computer or setting up one for myself.

What led me to it was that I kept looking back at the Resource Monitor activity where it called "msieftp.dll" shortly after accessing the files in the same folder as the troublesome *.URL file and looking up FTP file associations in the registry.

On inspecting "msieftp.dll" I see that it is an old IE6 XP file that has remained untouched by SP2, SP3, and IE7 and 8.  Amongst the resources I found this in the embedded *.INF setup file:  
; Give users the options of using the OLD FTP UI
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","RegPath",,"Software\Microsoft\Ftp"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","Text",,"%DESC_USENEWUI%"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","Type",,"checkbox"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","CheckedValue",,"no"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","UncheckedValue",,"yes"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","ValueName",,"Use Web Based FTP"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","DefaultValue",,"no"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","HKeyRoot",65537,0x80000001
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI","HelpID",,"iexplore.hlp#50560"

; Mill #120818: FTP either uses PORT or PASV but only one.  We are guaranteed that some
; users will have firewalls, switches, or routers that will be incompatible in one of the
; methods and support the other.  Since there isn't any way for us to take care of this
; automatically, we need to give the user the option to choose.  We default to PORT
; since that is the most compatible (MS Proxy, and others).  The user can use the
; Advanced Tab of the Internet Control Panel to switch.  PASV will work on US West
; DSL modems for example.
; Give users the options of using PASV
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","RegPath",,"Software\Microsoft\Ftp"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","Text",,"%DESC_USEPASV%"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","Type",,"checkbox"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","CheckedValue",,"yes"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","UncheckedValue",,"no"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","ValueName",,"Use PASV"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","DefaultValue",,"yes"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","HKeyRoot",65537,0x80000001
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPPASV","HelpID",,"iexplore.hlp#50588"

Open in new window

So, thanks for keeping me sane and focused on the Windows Explorer aspect.
BillDLAuthor Commented:
This was the comment that made me look back again at the file which allows Windows to show an FTP site as though it was right there in Windows Explorer rather than having to open it in Internet Explorer.
Dave BaldwinFixer of ProblemsCommented:
Thanks, I can see the reason I never encountered that problem is because I have never saved an 'FTP' link like that because I have always had 'folder view' checked.  I do still have one FTP link in Windows Explorer that actually works to connect to a remote server.  But it is probably the only client link I have that will work with Microsoft FTP.  Most others require SFTP or something else more sophisticated.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.