Closed ghost closed 2 years ago
Did you have any problem with the setting?
It interfered with Bandizip.
Are you sure? I installed Bandizip on Windows 10 and it did not add any shell extension to the keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Despite this and the fact that I use EnforceShellExtensionSecurity restriction, I have several functional Bandizip shell extensions (right-click Explorer menu):
5 entries for packed zip file
4 entries for unpacked file
Your post directed my attention to the EnforceShellExtensionSecurity policy. I tested it on Windows 10, 7, Vista, and XP. The policy works well on Windows XP. I installed 7-ZIP, which during the installation creates a CLSID under the key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
After removing this CLSID, the 7-ZIP shell extension disappears from the Explorer context menu. But doing the same on Windows 10, 7, and Vista (SP2) did not change anything. I could still use the 7-ZIP extension even after removing the CLSID (and restarting the computer).
Could you confirm if renaming the CLSID of Bandizip shell extension under the key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved and restarting the computer, can have any impact on the functionality of the Bandizip entries on the Explorer context menu?
I did some extensive research and found this:
ID: 0x00100000
Symbolic Name: REST_ENFORCESHELLEXTSECURITY
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: EnforceShellExtensionSecurity
Availability: version 4.0 (NT only) to 6.0
https://www.geoffchappell.com/studies/windows/shell/shell32/api/util/restrictions.htm
The Microsoft ADMX help: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnforceShellExtensionSecurity claims that the policy EnforceShellExtensionSecurity should work for at least Windows 2000. But from the above website, it follows that it probably works only up to Windows NT 6.0 (Windows Vista).
So does that mean the H_C feature does nothing in 10 and 11?
Post updated
The Microsoft ADMX settings and many reliable resources on the web recommend this policy. My quick test cannot disprove this. It would be helpful if others could test this policy to confirm my results. The test is very simple:
I found one user who asked Microsoft about this issue. He got the answer that some extensions might not be blocked, but generally, the policy should work.
Got it. Still, my original feature request would be a nice implementation and I'd find it easier to recommend enabling this to people in my guide.
As you can see, this policy is not included in the H_C Recommended_Settings. Why do you want to recommend it? Are you sure that it works on your computer? It is possible that I will remove it if my tests are negative. Anyway, if you find that it works well on your computer, please let me know.
This software is really great, I use it daily, and I've also recommended it wholeheartedly in my security guide on my website.
However, a feature that could really improve this software is a GUI for managing the shell extensions (after enabling Shell Extension Security), kind of like the SRP whitelist GUI.
It'd be nice if it would list all existing Shell Extensions, and an option to move them in or out of the Approved list. It's kind of tedious to do it manually, and this would entice more people to use that feature.
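A read-only way to inspect what this thread discusses, added here as an example (it is not part of the thread or of H_C): the script reports whether EnforceShellExtensionSecurity is set, collects the CLSIDs in the two Approved keys named above, and lists context-menu handlers with their approval status. The class roots it scans are an assumption about where such handlers are commonly registered, not an exhaustive set.

```powershell
# Added example: read-only audit, changes nothing in the registry.
$policyKey   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$approvedKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$hives       = 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER'

# 1. Report the policy value in each hive (it may be absent in both).
foreach ($hive in $hives) {
    $key   = Get-Item -LiteralPath "Registry::$hive\$policyKey" -ErrorAction SilentlyContinue
    $value = if ($key) { $key.GetValue('EnforceShellExtensionSecurity') } else { $null }
    $shown = if ($null -eq $value) { '(not set)' } else { $value }
    '{0}: EnforceShellExtensionSecurity = {1}' -f $hive, $shown
}

# 2. Collect approved CLSIDs: they are the value names under the Approved keys.
$approved = @{}
foreach ($hive in $hives) {
    $key = Get-Item -LiteralPath "Registry::$hive\$approvedKey" -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            if ($name) { $approved[$name.ToUpperInvariant()] = $hive }
        }
    }
}

# 3. List context-menu handlers and mark which CLSIDs are on an Approved list.
#    Assumed set of class roots; extend it if handlers are registered elsewhere.
$roots = '*', 'AllFilesystemObjects', 'Directory', 'Directory\Background', 'Folder', 'Drive'
$rows = foreach ($root in $roots) {
    $path = "Registry::HKEY_CLASSES_ROOT\$root\shellex\ContextMenuHandlers"
    Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue | ForEach-Object {
        # The CLSID is either the key's default value or the subkey name itself.
        $clsid = [string]$_.GetValue('')
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { $clsid = $_.PSChildName }
        [pscustomobject]@{
            Class      = $root
            Handler    = $_.PSChildName
            CLSID      = $clsid
            ApprovedIn = $approved[$clsid.ToUpperInvariant()]   # empty if not approved
        }
    }
}
$rows | Sort-Object Class, Handler | Format-Table -AutoSize
```

Handlers that appear in the Explorer menu with an empty ApprovedIn column while the policy is set are the case reported in this thread for Windows 10, 7, and Vista.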