Avatar of Evan Li
Evan Li

How not to pass environment to child process by using ShellExecute or ShellExecuteEx

Hi, experts
I have a question here, I was asked to do but I could not make it:

We are launching the default browser using ShellExecute; when using a URL with the "open" verb, it automatically launches the default browser.

Here is the problem for us:
It brings the environment from the launching process, which will cause some problems for the browser.

I have provided the following solutions, which are all rejected by the code reviewer:

1> Set back to the system environment before we call ShellExecute, and then call set environment to restore the environment variables.
2> Using CMD, by using the command "cmd /c <set environments>&&start "link" "",

1> was rejected because it can disturb the calling process; 2> was rejected because it needs another process.

We do not want to call CreateProcess, because that makes things too complicated. So the question is:

Does anyone know if there is a solution to launch a process without inheriting the environment from the parent process, other than the ways that I can think of?

Thank you for any help.

Avatar of Darrell Porter
Darrell Porter

If you want, in essence, a null environment (as opposed to setting the inheritance flag to null, which causes the launched process to inherit the parent's environment) simply create a "simple" environment and launch the process.

The mechanics of this are circuitously described in this link from Microsoft's MSDN site.

lpEnvironment [in, optional]
A pointer to the environment block for the new process. If this parameter is NULL, the new process uses the environment of the calling process.
An environment block consists of a null-terminated block of null-terminated strings. Each string is in the following form:
Because the equal sign is used as a separator, it must not be used in the name of an environment variable.
An environment block can contain either Unicode or ANSI characters. If the environment block pointed to by lpEnvironment contains Unicode characters, be sure that dwCreationFlags includes CREATE_UNICODE_ENVIRONMENT. If this parameter is NULL and the environment block of the parent process contains Unicode characters, you must also ensure that dwCreationFlags includes CREATE_UNICODE_ENVIRONMENT.
The ANSI version of this function, CreateProcessA fails if the total size of the environment block for the process exceeds 32,767 characters.
Note that an ANSI environment block is terminated by two zero bytes: one for the last string, one more to terminate the block. A Unicode environment block is terminated by four zero bytes: two for the last string, two more to terminate the block.
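
The block layout quoted from MSDN above, as an added example (not code from this thread or from Microsoft): a portable C helper that builds an ANSI environment block from an allowlist, rejecting names that contain '=' and blocks over the 32,767-character limit. The env_var struct, the build_env_block name and the sample variables are assumptions made for illustration; on Windows the resulting buffer is what would be passed as lpEnvironment to CreateProcessA.

```c
#include <stdio.h>
#include <string.h>

#define ANSI_ENV_LIMIT 32767   /* CreateProcessA limit quoted above */

struct env_var { const char *name; const char *value; };

/* Writes vars[0..n) into out as "NAME=VALUE\0" strings followed by one more
 * '\0' that ends the block. Returns the bytes written, terminators included,
 * or 0 if a name is empty or contains '=', or the block does not fit. */
size_t build_env_block(const struct env_var *vars, size_t n,
                       char *out, size_t cap)
{
    size_t used = 0;
    if (cap > ANSI_ENV_LIMIT)
        cap = ANSI_ENV_LIMIT;
    if (cap < 2)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t nl = strlen(vars[i].name), vl = strlen(vars[i].value);
        if (nl == 0 || strchr(vars[i].name, '=') != NULL)
            return 0;                    /* '=' is the name/value separator */
        if (nl + vl + 3 > cap - used)    /* "=", string NUL, block NUL */
            return 0;
        memcpy(out + used, vars[i].name, nl);   used += nl;
        out[used++] = '=';
        memcpy(out + used, vars[i].value, vl);  used += vl;
        out[used++] = '\0';
    }
    if (used == 0)
        out[used++] = '\0';              /* empty block: still two zero bytes */
    out[used++] = '\0';
    return used;
}

int main(void)
{
    /* Constructed allowlist; the values are illustrative, not read from the OS. */
    const struct env_var keep[] = {
        { "SystemRoot", "C:\\Windows" },
        { "TEMP",       "C:\\Temp"    },
    };
    char block[256];
    size_t len = build_env_block(keep, 2, block, sizeof block);
    for (const char *p = block; len && *p; p += strlen(p) + 1)
        printf("%s\n", p);
    printf("block length: %zu bytes\n", len);
    return 0;
}
```

Because this block is ANSI, CREATE_UNICODE_ENVIRONMENT would not be set in dwCreationFlags when passing it.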
Avatar of Evan Li


Thank you for your answer. I knew CreateProcess can do that, but it does not launch the default browser like ShellExecute. Is there a verb we can use for it to launch a default browser?

start /c "link" ""

can do that, but we need CMD.exe. The worry about cmd is that it could run a script automatically. I am not sure if it is a reasonable worry though.
Rather than risk an exploitation, would it not be prudent to read the registry, determine what the specified default browser's full pathname is and execute the browser and pass it the URL?
Avatar of Evan Li


Different browsers may use different parameters to launch a URL, and we do not know what format a new browser uses to launch a URL, so this way was not approved. We need a smarter way to do this. Thanks.
The appropriate method of determining how an HTTP or HTTPS document is handled is to open HKey Classes Root and look at the Open value of the Shell subkey in the http and https keys. If this value is blank or null, then you open these document types with no parameters in the default browser. If these values are not null or empty, then they contain parameters needed to open and render the page.
Avatar of Evan Li


When I change the default browser, this registry key does not change. I have attached the reg file from my Windows 10 machine. It does not look like the right registry key to reflect the default browser.
Look at the Default value in
  HKey Current User\Software\Clients\StartMenu\Internet.

This will tell you the name of the default browser for the current user.

Then, look at the Default value in
  HKey Current User\Software\Classes\http\shell\open\command
  HKey Current User\Software\Classes\https\shell\open\command

The User settings always override the system settings which is why Group Policy for browsers is set at the User level.
Avatar of Evan Li


HKey Current User\Software\Classes\http\shell\open\command
HKey Current User\Software\Classes\https\shell\open\command
When I change the default browser, the value here is not in sync at all.
I found it one time, but it was only the ProgID. Not in this registry though.
To determine current default browser, look in the following registry location:



That will tell you the designation of the correct default browser 100% of the time.

The defined Default value there is a pointer to the entry in HKEY_CLASSES_ROOT

And the command for performing the open action will be in



in the (Default) value, where xxxxxxxxxx is the browser designation found in the above key.
And here is a VBScript to determine what the default browser is based on the value in the above-specified key.

WScript.Echo Browser
Function Browser
    Const HKEY_CLASSES_ROOT = &H80000000
    Const HKEY_CURRENT_USER = &H80000001
    Const strKeyPath = "Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice"
    Const strValueName = "Progid"
    Dim strValue, strBrowserPath, objRegistry, i
' Browser list: column 0 is the display name, column 1 the ProgId fragment to match
    Dim blist(13,1)
    blist(0,0) = "Internet Explorer"    : blist(0,1) = "ie"
    blist(8,0) = "Internet Explorer"    : blist(8,1) = "IE.HTTP"
    blist(11,0) = "Internet Explorer"   : blist(11,1) = "IE.AssocFile.HTM"
    blist(12,0) = "Internet Explorer"   : blist(12,1) = "IE.FTP"
    blist(13,0) = "Internet Explorer"   : blist(13,1) = "IE.HTTPS"
    blist(1,0) = "Edge"                 : blist(1,1) = "appxq0fevzme2pys62n3e0fbqa7peapykr8v"
    blist(2,0) = "Firefox"              : blist(2,1) = "firefox"
    blist(9,0) = "Firefox"              : blist(9,1) = "FirefoxURL"
    blist(10,0) = "Firefox"             : blist(10,1) = "FirefoxHTML"
    blist(3,0) = "Chrome"               : blist(3,1) = "chrome"
    blist(4,0) = "Chrome"               : blist(4,1) = "ChromeHTML"
    blist(5,0) = "Safari"               : blist(5,1) = "safari"
    blist(6,0) = "Avant"                : blist(6,1) = "browserexeurl"
    blist(7,0) = "Opera"                : blist(7,1) = "opera"
    Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")
    ' Read the ProgId the user chose for the http protocol
    objRegistry.GetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue
    If IsNull(strValue) Then
        ' No UserChoice value could be read
        Browser = "Internet Explorer (Windows standard)": Exit Function
    Else
        For i = 0 To UBound(blist, 1)
            If InStr(1, strValue, blist(i,1), vbTextCompare) Then
                Browser = blist(i,0) & " - User choice"
                ' Look up the open command registered for that ProgId
                strBrowserPath = strValue
                strBrowserPath = strBrowserPath & "\shell\open\command"
                objRegistry.GetStringValue HKEY_CLASSES_ROOT,strBrowserPath,"",strValue
                Browser = Browser & vbCrLf & "Browser command is: " & strValue
                Exit Function
            End If
        Next
    End If
    Browser = "Unknown web browser! (signature: '" & strValue & "')"
End Function


I have tested this on Windows 7 Enterprise, Windows 7 Professional, Windows 10 Enterprise, and Windows 10 Pro.
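
An added example, not part of the original answer: once a shell\open\command value has been read as in the script above, the URL has to be substituted into it without letting the URL break out of its own argument. The sketch assumes the command value uses the shell's %1 placeholder; the template in main, the function names and the URLs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Accept only http:// or https:// URLs made of printable ASCII with no
 * spaces, double quotes or backslashes, so the URL cannot end its quoted
 * argument or escape the closing quote. */
int url_is_safe(const char *url)
{
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++)
        if (*p <= ' ' || *p >= 0x7f || *p == '"' || *p == '\\')
            return 0;
    return 1;
}

/* Replace the first "%1" in tmpl with url, adding quotes when the template
 * does not already quote the placeholder. Returns the length written, or -1
 * if the URL is rejected, the template has no "%1", or out is too small. */
int expand_open_command(const char *tmpl, const char *url,
                        char *out, size_t cap)
{
    const char *ph = strstr(tmpl, "%1");
    if (ph == NULL || !url_is_safe(url))
        return -1;
    int quoted = ph > tmpl && ph[-1] == '"' && ph[2] == '"';
    const char *q = quoted ? "" : "\"";
    int n = snprintf(out, cap, "%.*s%s%s%s%s",
                     (int)(ph - tmpl), tmpl, q, url, q, ph + 2);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    /* Constructed command template, not taken from a real registry. */
    const char *tmpl = "\"C:\\Browsers\\example.exe\" --open \"%1\"";
    char cmd[512];
    if (expand_open_command(tmpl, "https://example.com/a?b=1&c=2",
                            cmd, sizeof cmd) > 0)
        printf("%s\n", cmd);
    if (expand_open_command(tmpl, "https://example.com/\" --flag",
                            cmd, sizeof cmd) < 0)
        printf("rejected URL containing a quote\n");
    return 0;
}
```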
Avatar of Evan Li


Thank you a lot. You are right about this in Windows 10. But it is not working for Windows 7 pro.


there are only 2 keys:

So there is no way I can find the path that you have given. I am not sure how you can do it for Windows 7?


I am looking at 5 different Windows 7 Pro machines right now, and every one of them has the Associations key in Shell.

Tell me more about your Windows 7 Pro installation - is it a fresh install?  Is it using GPO's to set default registry?

Tell me what your goal is - because I can pretty much guarantee you that every FinTech software out there either uses a ShellExec method to launch the browser or specifies which browser and version of said browser they support.

ShellExec cannot launch an unauthorised application if you specify the full path.  In the case of a URL, the system decides which browser to use based on the registry entries outlined in the script I provided unless the user has never changed the default browser, in which case it will look to the HKCR/HTTP or HKCR/HTTPS keys.
Avatar of Evan Li


I have attached the images of the Windows 7 version and what the Windows registry looks like. I do not know how you have the extra info.
Avatar of Evan Li


After I set up Chrome and set Chrome to be my default browser, I see the registry. Thank you.
Avatar of Evan Li


Close this question, as I know the solution now. Thanks.