hey, its me again – bringing back a functionality that was removed from microsoft since Windows 2012 (or Windows 8), yay. this is not the first time that im coding a tool to recreate a missing feature that was working in older Windows versions (check my blog for volume.exe).

UPDATE 02.10.2018: Version 1.7.1 fixed false positive detections for some AV (incl. Defender)

UPDATE 23.08.2018: Version 1.7 adds get and del parameters, comment char # for config files, EULA

UPDATE 17.06.2018: Version 1.6 adds support for protocols (except http and https) on build 1607 and lower

UPDATE 14.12.2017: Version 1.5 adds support for Windows 8.x and Server 2012/R2

UPDATE 10.12.2017: Version 1.4 adds support for protocols like mailto, https, etc. (only for 1703 and up)

UPDATE 26.11.2017: Version 1.3 can now set multiple file type associations based on a config file.

UPDATE 04.11.2017: Version 1.2 completely rewritten in C to avoid AV false positives.

UPDATE 29.10.2017: Version 1.1.1 includes small changes due AV false positive detections.

UPDATE 28.10.2017: Version 1.1 can now check for Group Memberships.

SetUserFTA sets User File Type Associations per command line or script on Windows 8/10 and Server 2012/2016/2019.

ATTENTION: Windows 1803 and 1809 have an issue with file type associations after the october update. Microsoft is working on a resolution and estimates a solution will be available in late November 2018. UPDATE 06.12.2018: Microsoft has released a fix for 1803 (KB4467682) and (KB4469342) for 1809.

the story:

recently i had to fight a lot with windows file type associations. microsoft changed the way how it works drastically and it is a pain for an administrator to set or to roam FTA’s. if you followed my blog, you noticed that i already have two posts about FTA on server 2016. hopefully this one will be the last – because its the missing piece of the puzzle!

i will just quote microsoft on this issue (or feature?):

In Pre-Win 8, apps could set the default handler for a file type/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry. However In Win 8, the registry changes are verified by a hash (unique per user and app) that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.

Microsoft offers a solution with GPO, but it is Computer-based and not User-based – and rather complicated. this means, you can not associate your Users on the same Server/Client with different file types. for example:

you have a PDF viewer and a PDF editing software on your XenApp server. Now you want that a certain group opens their PDF’s in the editor and the others only in the viewer (for licensing reasons for example). this is NOT possible anymore and Microsoft states “it is by design” and “this is a security measure”.

the hash is secret. Microsoft will not share it with you and obviously doesnt even share it with Citrix – this made me angry and angry me doesnt like a broken system. because i am into reverse engineering and security, i decided to look for the hash algorithm – and yes, i succeeded.

but ever thought about why microsoft is doing this? is it really about malware hijacking or maybe it is all about “setting our defaults and you must accept them”? why not simply display a popup where the user has to confirm an FTA change?

<TL><DR> a filetype is protected by a hash in the user registry – for example: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice\Hash if the secret hash doesn’t match, the file type association is not being used and the system default kicks in. SetUserFTA generates this secret hash for a supplied extension. </TL></DR>

how to use SetUserFTA:

i made it very easy for you and the only thing you have to supply is the extension and the ProgId (optional since Version 1.1, a groupname). it works just like assoc.exe:

SetUserFTA.exe extension progid (optional:Groupname) or SetUserFTA.exe configfile and since v1.7 SetUserFTA.exe get will show all protected filetypes, just like GetUserFTA SetUserFTA.exe del extension will delete an association from the user registry

Example:

SetUserFTA.exe .pdf AcroExch.Document.DC

this will associate .pdf file with Acrobat Reader for the current user.

SetUserFTA.exe .pdf AcroExch.Document.DC “Adobe Acrobat Users”

this will associate .pdf files with Acrobat Reader only if the current user is member of the “Adobe Acrobat Users” group. if the group contains spaces, you must use quotes.

SetUserFTA.exe \\mydomain.local\fileshare\SetUserFTAconfig.txt

this will read all associations from the config file and set them. the file can be on a share or locally. just add every filetype on a new line like this:

.pdf, AcroExch.Document.DC, GRP_Adobe_Reader

values have to be separated by a comma. the group is optional.

using a config file, group names with spaces must not use quotes (but using SetUserFTA per command line they have to).

Note: you can supply a domain with the group name like “DOMAIN\Adobe Reader” or even in UPN format.

a valid config file could look like this (since v1.7 you can add comments by starting a line with #):

to create such a config file, you can run “SetUserFTA get >config.txt“. since version 1.4 SetUserFTA also supports protocol handlers in the config file (mailto, https, http, etc) – but http and https will be ignored on Windows 1607. use SetDefaultBrowser instead.

you can find the ProgId’s also in the registry or with assoc.exe. the easiest way to get what you need, is to manually associate a software with a filetype and then use “SetUserFTA get” or check this registry key for the values (replace .log with your extension):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\UserChoice

SetUserFTA will get the current users SID, the registry timestamp and calculates the hash. it will write it (including the ProgId and the extension) to the user registry under the subkey referenced above.

how can i deploy this?

here are some ideas (if i missed a good one, please let me know):

use the logon script feature in a GPO (my favorite way)

powershell login script in a GPO

a legacy bat/cmd logonscript

the Run or RunOnce registry key in HKEY_CURRENT_USER

the startup folder in the startmenu

any software deployment solution like SCCM

a scheduled task

GPO: User Configuration\Administrative Templates\System\Run These Programs at User Logon

Citrix WEM (blog post by James Kindon)

VMware UEM (blog post by Ivan de Mes)

its up to you. be creative 😉

IMPORTANT: SetUserFTA must run in the users context – no administrative or system privileges. sometimes the timing can be important aswell – make sure it runs after the profile of the user is loaded.

Example:

Tips:

here are some tips which can help you to find the associations that you need:

assoc.exe | find “.txt” – this will list the ProgId for txt files

– this will list the ProgId for txt files ftype.exe | find “txtfile” – will list the executable associated with the ProgId txtfile

– will list the executable associated with the ProgId txtfile reg.exe query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\ .txt \UserChoice /v ProgId – gets the ProgId of the User FTA for your file extension

if you encounter a ProgId that looks like “ Applications\uedit64.exe “, you need to deploy the corresponding entry from “HKEY_CURRENT_USER\SOFTWARE\Classes” aswell. to roam it with UPM in a Citrix environment you can use my workaround.

“, you need to deploy the corresponding entry from “HKEY_CURRENT_USER\SOFTWARE\Classes” aswell. to roam it with UPM in a Citrix environment you can use my workaround. you can override HKLM associations (ProgId’s) in HKCU. for example: HKEY_CLASSES_ROOT\.vsdx can be imported to HKEY_CURRENT_USER\SOFTWARE\Classes\.vdx and then it will be prefered. if you do that, you need to roam it properly (UsrClass.dat).

if you still see the OpenWith dialog (especially after adding new applications: “keep using this app“) you can disable this feature with this registry key:[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]

“NoNewAppAlert”=dword:00000001

this registry key also works with HKEY_CURRENT_USER!

the GPO Do not show the ‘new application installed’ notification (Windows Components, File Explorer) will only work on HKLM – but its also an option to disable this popup

F.A.Q.

where did you get the hash algorithm from?

i reverse engineered it.

does this mean you did reverse engineer windows itself to recover the algorithm?

exactly.

which tools did you use for that?

which language have you used to code the app?

v1.0 – v1.1.1: assembly. compiled in Tasm (Borland Turbo Assembler) – i know, very oldschool.

v1.2 and up: gcc and Microsoft Macro Assembler (to create an obj file).

v1.4 is now fully coded in C/gcc

v1.7 is compiled in tcc

v1.7.1 is using gcc again, because tcc caused to many antivirus false positives

by assembler you mean machine code?

yes.

which platforms does this work on?

i have tested it on windows 8/10 and server 2012/2016/2019 up to build 1809.

is it 32bit compatible?

yes. x64 and x86 (the binary is 32bit).

can i have the source code?

no.

is unicode supported?

group names can contain unicode characters, but extensions or ProgId’s not. the “get” parameter supports unicode already.

can it also generate hashes for protocols (http, mailto, etc)?

yes, but http and https wont work on 1607 or lower. please use my SetDefaultBrowser instead.

are there any other limitations?

not at the moment. version 1.2 adds verbose output and some basic error handling.

can i break something with your app?

not really. the only thing that can go wrong are the file type associations, but it will only affect the current user and not the machine. the del parameter is destructive, but if you do something wrong, it can be fixed by using SetUserFTA again with proper parameters.

which privileges are needed to run this app?

just plain user privileges.

thats great work, can i donate somehow?

yeah – see below the paypal button.

Download

here you can download SetUserFTA v1.7.1. SHA256 hashes below.

SetUserFTA.zip:d551295c779bdb3750ddba8e781c21a3dd42a55578f818e9c789b2ba1b4dcf47 SetUserFTA.exe:791dc39f7bd059226364bb05cf5f8e1dd7ccfdaa33a1574f9dc821b2620991c2

Version 1.1 – adds support for group membership checking

Version 1.2 – is completely rewritten in C. it also offers now verbose output on errors

Version 1.3 – new funtionality: multiple file type associations with a configuration file

Version 1.4 – support for protocols like mailto, https, http, etc (only for Windows 1703 and newer)

Version 1.5 – support for Windows 8.x and Server 2012/R2

Version 1.6 – added protocols (except http and https) support on 1607 or lower builds

Version 1.7 – get and del parameters added, # char for comments in config files, EULA

Version 1.7.1 – fixes false positive antivirus detections



help to keep this project and this blog alive – consider donating:



if you prefer cryptocurrencies, please contact me for the details. Thank you!

please report issues to bugs @ mydomain. thanks.