You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1 (896054)


The information in this article applies to:

  • Microsoft Windows Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP Professional 64-Bit Edition (Itanium) 2003
  • Microsoft Windows XP Professional 64-Bit Edition (Itanium)
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98
  • Microsoft Windows Millennium Edition
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

After you install security update 896358, security update 840315, or Microsoft Windows Server 2003 Service Pack 1 (SP1), you may experience the following symptoms:
  • If you have installed security update 896358 or Windows Server 2003 SP1, you may experience the following symptoms:
    • The features of some of Web applications on the computer no longer work. For example, a topic may not be displayed after you click a link.
    • When you try use a Universal Naming Convention (UNC) path to open a Compiled Help Module file (.chm file) on a network shared folder, topics in the .chm file do not appear.
  • If you have installed security update 840315, the Web applications that nest protocols within the InfoTech protocols in a URL do not work correctly on the computer.
Note This article contains information that is supplemental to the following Microsoft Knowledge Base articles:

896358 MS05-026: A vulnerability in HTML Help could allow remote code execution

840315 MS04-023: Vulnerability in HTML Help could allow code execution

CAUSE

Windows Server 2003 SP1 and security updates 896358 and 840315 include changes to the InfoTech protocol. These changes were introduced to reduce security vulnerabilities in HTML Help.

RESOLUTION

Warning The symptoms are an expected and intended effect of installing the security updates. This section provides workarounds to re-enable features of business-critical programs. The workarounds may make the computer more vulnerable to the threats that the security updates address. The safest course is not to use the registry workarounds. If you must use workarounds, set the registry values to be as restrictive as possible.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The first of the following examples is the most restrictive example. The next examples are successively less restrictive.

Example 1: How to use UrlAllowList to enable specific URLs

Warning Include only URLs to sites that you trust completely.

The following .reg file re-enables use of the InfoTech protocol to open remote content from the following locations:
  • .chm files on \\productmanuals\helpfiles
  • A Web application at the following URL:

    http://www.wingtiptoys.com/help/

Note You can paste the following text in a text editor such as Notepad. Then, you can save the file that uses the .reg file name extension.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"UrlAllowList"="\\\\productmanuals\\helpfiles;file://\\\\productmanuals\\helpfiles;http://www.wingtiptoys.com/help/"
Note As you can see from the example, to enable a UNC path to a network shared folder, you must add the following two entries:

\\productmanuals\helpfiles\;file://\\productmanuals\helpfiles

You cannot use wildcard characters in the URL string of any site that is added to the UrlAllowList registry key. For example, the following string does not work:

"UrlAllowList"="http://*.wingtiptoys.com"

However, the following string works:

"UrlAllowList"="http://help.wingtiptoys.com"

This string lets the following sites serve content by using the InfoTech protocol:
  • http://help.wingtiptoys.com/research
  • http://help.wingtiptoys.com/sales
You still cannot access .chm files by using a URL. Although we do not recommend that you do this, you can access the files by following example 2 and setting the "MaxAllowedZone" to three or larger. This is because the .chm file uses the Internet Explorer cache and every page that comes from the cache uses the Internet zone. Therefore, we highly recommend that you use the UNC path to access the Help files as previously described.

Example 2: How to use the MaxAllowedZone value to enable a security zone

Warning The MaxAllowedZone value enables all sites in a specific zone. Using UrlAllowList as described in example 1 may be safer. If you must use the MaxAllowedZone value, set it no higher than you must. If you set the value to 3 or higher, you expose your systems to attack from the Internet.

Note By default, the MaxAllowedZone value is set to zero. The following table summarizes how different entries are interpreted by the MaxAllowedZone value.
MaxAllowedZoneLocal Machine zoneLocal intranet zoneTrusted sites zoneInternet zoneRestricted sites zone
0AllowedBlockedBlockedBlockedBlocked
1AllowedAllowedBlockedBlockedBlocked
2AllowedAllowedAllowedBlockedBlocked
3AllowedAllowedAllowedAllowedBlocked
4AllowedAllowedAllowedAllowedAllowed
The following .reg file re-enables use of the InfoTech protocol to connect to all systems in the Intranet zone.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000001

Example 3: How to use both UrlAllowList and the MaxAllowedZone value

Warning The MaxAllowedZone value enables all sites in a specific zone. Using UrlAllowList as described ini example 1 may be safer. If you must use the MaxAllowedZone value, set it no higher than you must. If you set the value to 3 or higher, you expose your systems to attack from the Internet.

The following .reg file re-enables use of the InfoTech protocol to connect to all content in the Intranet zone and to two Internet sites.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"UrlAllowList"="http://www.wingtiptoys.com/;http://www.contoso.com/"

Example 4: Use NestedProtocolList to enable nested protocols within a URL

Certain Web applications may use nested protocols within a URL. This feature was removed from HTML Help with security update 840315. After you install this security update, Web applications that use nested protocols within a URL may not work correctly.

For example, the following URL may not work:

ms-its:http://www.proseware.com/helpfiles/help.chm::about.htm



After you install security update 896358, the following .reg file re-enables the HTTP and FTP protocols to be nested in a URL.

Note You can paste the following text in a text editor such as Notepad. Then, you can save the file that uses the .reg file name extension.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"NestedProtocolList"="http:;ftp:"

How to deploy the registry keys across a domain

We recommend that you deploy the settings in the previously mentioned examples as startup scripts by using Group Policy. You can also deploy these settings as logon scripts. However, this method is less desirable because of permission constraints.

The following steps are an example of how to deploy the settings in "Example 1" as a Group Policy startup script.
  1. Paste the following text into a text editor such as Notepad.
    REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"UrlAllowList"="\\\\productmanuals\\helpfiles;file://\\\\productmanuals\\helpfiles;http://www.wingtiptoys.com/help/"
  2. Save the file as a .reg file named AllowTrustedSites.reg.
  3. Copy the following text, and then paste the text into a text editor such as Notepad.
    REGEDIT.EXE /S AllowTrustedSites.reg
  4. Save the file as a batch file named AllowTrustedSites.bat.
  5. Import the batch file into the Group Policy object (GPO). To do this, follow these steps:
    1. Copy the batch file that you created in step 4 and the .reg file that you created in step 2 to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
    2. On the computer where you want to run the Group Policy object, click Start, click Run, type dsa.msc, and then click OK.
    3. Right-click your domain, and then click Properties.
    4. Click Group Policy, and then click New.
    5. Type the name that you want to use for this policy, and then press ENTER.
    6. Click Edit.
    7. Expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), double-click Startup in the right panel, and then click Add in the Startup Properties dialog box.
    8. Locate and then click the AllowTrustedSites.bat file, and then click Add.
    9. Click OK, click Yes, click OK, and then click OK again.

MORE INFORMATION

Overview and examples for system administrators

For more information about security update 896358 and how you can re-enable Web applications that are affected by this update, click the following article number to view the article in the Microsoft Knowledge Base:

896358 MS05-026: Vulnerability in HTML Help could allow remote code execution

Internet Explorer Enhanced Security

If Internet Explorer Enhanced Security is enabled, you may experience symptoms that are similar to those described in this article. In this case, the workarounds in this article may not be sufficient to resolve the symptoms. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

815141 Internet Explorer Enhanced Security configuration changes the browsing experience

More information about the InfoTech protocol

The InfoTech protocol is primarily used by HTML Help. The functionality of this protocol is provided by the Itss.dll file. You can access this protocol by using one of the following supported schemes:
  • Ms-its
  • Its
  • Mk:@msitstore

Internet Explorer security zones

For more information about how to use security zones in Internet Explorer, click the following article number to view the article in the Microsoft Knowledge Base:

174360 How to use security zones in Internet Explorer

Group Policy

For more information about Group Policy, visit the following Microsoft Web sites:

Technical support for x64-based versions of Microsoft Windows

On computers that are running x64-based versions of Microsoft Windows, you may have to adapt the instructions in the "Resolution" section about how to modify the registry. For example, you might have to modify a different part of the registry, depending on whether you want to modify the 32-bit or the 64-bit functionality. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

896459 Registry changes in x64-based versions of Windows Server 2003 and Windows XP Professional x64 Edition

Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/64bit/default.mspx

For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/64bit/x64/default.mspx

Modification Type:MinorLast Reviewed:8/2/2006
Keywords:kbhowto kbtshoot kbHTMLHelp100fix kbprb KB896054 kbAudEndUser kbAudDeveloper kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.