5

I'm trying to set up a test application on Windows to launch via a "myapp://website.com"-style URI. Mostly, I'm basing myself off of tutorials like this:

http://msdn.microsoft.com/en-us/library/ie/aa767914(v=vs.85).aspx

While I got the initial setup working inside HKEY_CLASSES_ROOT, a new constraint is for the installation to happen without requiring administrator access. So, I deleted all changes in CLASSES_ROOT, and decided to retry the registry additions, instead using the HKEY_CURRENT_USER branch, at HKEY_CURRENT_USER/Software/Classes/myapp.

This appears to be detected by the browsers, and they display their confirmation dialog. However, they never actually run the app. Internet Explorer gives the most helpful error message, with a dialog saying "Unable to open this helper application for {uri}. The protocol specified in this address is not valid. Make sure the address is correct, and try again.

Is there some part of the registry I'm missing for a non-administrator setup? This is an export of my changes as a .reg. (Dashes censoring my username). EditFlags was added as a guess, but didn't work without it either.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\myapp]
"URL Protocol"=""
@="URL:David Protocol"
"EditFlags"=dword:02000000

[HKEY_CURRENT_USER\Software\Classes\myapp\DefaultIcon]
@="C:\\Users\\------\\AppData\\Roaming\\-----s Stuffs\\URISchemeTest.exe,1"

[HKEY_CURRENT_USER\Software\Classes\myapp\shell]

[HKEY_CURRENT_USER\Software\Classes\myapp\shell\open]

[HKEY_CURRENT_USER\Software\Classes\myapp\shell\open\command]
@="\"C:\\Users\\-------\\AppData\\Roaming\\------s Stuffs\\URISchemeText.exe\" \"%1\""
Katana314
  • 8,429
  • 2
  • 28
  • 36
  • What's EditFlags 02000000? I can't find it in here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb762506(v=vs.85).aspx shouldn't help anyway. – Simon Mourier May 05 '14 at 06:20
  • i think you forget to define the default action (open) : `[HKEY_CURRENT_USER\Software\Classes\mailto\shell] @="open"`. Could you try to move your exe to another folder too ? – Loïc MICHEL May 06 '14 at 09:12
  • I just checked the "shell" key for mailto on my side, and it doesn't have any values (ie, default="open"). I actually may have gotten this to work on occasion, and it might be to do with path issues, but I'm not certain. It also seems like any issues with the default icon prevent launch. @SimonMourier I think I had mistakenly written 02.. instead of ..20 by misreading a tutorial, but other way around did nothing either. – Katana314 May 06 '14 at 13:42
  • what happens if you type your uri from the "run" menu ? – Loïc MICHEL May 07 '14 at 17:29
  • I just tried this on Windows 7 without the EditFlags or the icon and it worked fine. What OS are you using? Have you got stale machine-wide settings (in `HKEY_CLASSES_ROOT`) clashing with your per-user settings? Have you tried running this under a new user account? Browsers might be caching some information about your new protocol. – arx May 07 '14 at 18:35
  • It actually seems like CLASSES_ROOT is a dynamic hive in which the URL protocol appears after you specify it in Software/Classes. So, the good news is, I have URL protocols working now. The bad news is, I actually don't know what, if anything, was changed to fix them, so I'm not sure if I can provide a conclusion for this question. @Kayasax The program runs correctly when run using the cmd string given in the registry value. – Katana314 May 08 '14 at 13:45
  • Cautionary tale, for some reason registering the https protocol scheme in HKCU\Software\Classes will break other custom protocols in some cases. I'm conducting research into why this is, as I have an internal business application using a custom protocol, however with the https key present, the protocol doesn't work in Lotus Notes. However Google Chrome only registers https in the HKCU hive if you click the "Set default" button Chrome pops up on startup when its not the default browser. – SomeInternetGuy Nov 11 '15 at 18:30

2 Answers2

2

Now that I have this working, I can't be perfectly certain of what it was that was causing problems, but I can at least give an account of what I tried to do differently in the hopes this helps future researchers.

%-sign directory accessors might not be supported by the path declaration. If they are, they may need to be encoded a certain way. Lower down In the article linked in the question, it mentions how Internet Explorer may decode certain URL parameters, but other browsers may not. Either way, if you've been specifying the command line as "%APPDATA%/MyProgram.exe", it may be more reliable starting from "C:/" until you can work through that issue.

EDIT: One other thing I just noticed, if the Paste from my question is correct: My working version of the registry changes set the default key of the root to "URI :David Protocol". Note "URI", not "URL". It's possible that mis-naming that (easy since another value is declared as "URL Protocol") could break the resulting effects.

While you might not have to specify a DefaultIcon, you may want to be careful that you're not referring to an invalid one. For safety, I set up mine to point specifically to a .ico file, rather than ".exe,1"

As some other commenters mentioned, I don't think EditFlags is really necessary, and might not be related.

A cautionary rebuttal to the highly-voted answer near this one, though: This. Works. No UAC access necessary. From the outset of my research, I personally would have believed an explanation that it's too risky to allow without a UAC admin prompt, etc. However, I took the time to test it, and could write a simple program with a button that sets itself up under HKCU/Software/Classes, and is accessible to the browser. I then tested it from the computer of a developer who had never taken part in any of my research (clean environment), and without any admin prompts, it worked fine. (Obviously, this program will only be accessible to the current user)

(For easy reading, a reminder: HKCU = HKEY_CURRENT_USER. HKCR = HKEY_CLASSES_ROOT. HKLM = HKEY_LOCAL_MACHINE)

Anything that could write to the user's HKCU registry already has non-admin binary access. Furthermore, all browsers will show a warning message about launching the program before opening it (perfectly understandable, given that it's local code). Several of them even give the full folder path of the executable you'll be launching.

I know the tutorial said to put the key in HKCR; and that this is known to come from HKLM/Software. However, it's worth reading up the whole story here:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724475(v=vs.85).aspx

This key is partially derived from the HKCU hive - and in fact, the user's settings will override the local machine settings. There is nothing specifically indicating that HKLM will override HKCU when displaying this type of key inside of HKCR.

Katana314
  • 8,429
  • 2
  • 28
  • 36
-1

You cannot ignore what the MSDN article tells you, registering the protocol handler in a HKCR key is a hard requirement.

There's a good reason for that, also fairly explicitly stated in the article, protocol handlers are dangerous. They allow an arbitrary web page to start a program on your machine. They even work inside a Store app, another example of a heavily secured runtime environment that runs code inside a sandbox that stops dangerous operations.

Documenting HKCR doesn't help much unravel this, it was meant for appcompat with 16-bit code and today is an alias. Shows a merged view of both HKCU and HKLM keys. The HKLM keys are different from HKCU keys, writing key values require elevation. Only a program that can acquire a elevated security token can create new values or alter them, normally obtained by going through the UAC prompt. The problem with HKCU keys is that any program can write keys there without elevation. Which would open up a security hole if protocol handlers could be registered in a HKCU key. So this cannot work, urlmon simply doesn't look at the HKCU keys to find the protocol handler.

Hans Passant
  • 922,412
  • 146
  • 1,693
  • 2,536
  • 1
    Google Chrome did it without admin access, at least when it first came out. If you click 'Cancel' when you receive admin prompts, then you can still set up http, https, and ftp to be handled by it. So no, this is incorrect. – Katana314 May 11 '14 at 19:12
  • It is up to a browser to choose whether or not to use the urlmon api. Sure, an cross-platform browser like Chrome wouldn't be too keen to special-case code for one platform only. Work from facts instead of assumptions. You can use SysInternals' Process Monitor to see the browser probing the registry. – Hans Passant May 11 '14 at 19:45
  • 3
    This is a deceptive post, and is given more weight than it deserves because of the awarded reputation. It is entirely untrue that the MSDN article states anywhere that writing to HKCR is a hard requirement. The only hard requirements stated in the article are regarding the structure of registry entries that must be created. Registering a URI scheme in HKCU\Software\Classes works absolutely fine for per-user applications. – justind Oct 15 '14 at 20:49
  • 5
    It's not my opinion that registering a URI scheme in HKCU\Software\Classes works--it is a fact. I commented here to keep people from being discouraged by your very matter-of-fact answer. I do not know why the OP had problems to begin with (that they later resolved), which is why I did not post as an answer. – justind Oct 16 '14 at 17:12
  • The information in this post is inaccurate at best, and wrong in many ways. https://msdn.microsoft.com/en-us/library/windows/desktop/ms724475(v=vs.85).aspx HKEY_CLASSES_ROOT is an prioritized combination of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes With the Current User hive overriding values in Local Machine. – SomeInternetGuy Nov 11 '15 at 18:28