Site menu:



Windows XP > Windows XP How To's


Restrict HTML Help from Running Executables

By:

HTML Help is nifty, but there have been a number of security breaches recently involving it. We can add a system policy to specify which Help files can use the Shortcut and WinHelp commands (The Shortcut command is used to run a program that is external to the help file, the WinHelp command runs Winhlp32.exe to display .hlp files). You can also use the policy to completely disable the commands on the system. To do this, you must be the system administrator on the computer.

To enable the commands for the default help file locations:

  1. Start the Registry Editor
  2. Go to HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ System
  3. Select New > String Value from the Edit menu
  4. Name the new value HelpQualifiedRootDir
  5. Double-click HelpQualifiedRootDir and add the Value data %windir%\help;%windir%\pchealth\helpctr;%program files%
  6. Exit the registry editor

Note: Multiple locations are separated by semicolons (;). Only folders on the local computer are allowed. You cannot use a mapped network drive or UNC path.

To disable the commands for all Help files:

  1. Start the Registry Editor
  2. Go to HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ System
  3. Select New > String Value from the Edit menu
  4. Name the new value HelpQualifiedRootDir
  5. Do not give the HelpQualifiedRootDir any value (or delete an existing value)
  6. Exit the registry editor

When a user tries to use one of the commands in a Help file that does not have permission, nothing happens. The command is not executed, and no error message is displayed.