Administrators trying to come up with a proactive way to block spyware from infesting workstations often have to make difficult choices. Restricting the functionality of IE to prevent spyware from taking root can be cumbersome. Third-party programs require installation and maintenance to be useful. Switching to another browser doesn't always resolve the problem, either, as there are now breeds of spyware that operate through Netscape/Mozilla as well.

Most spyware installs through an ActiveX plug-in when a browser window is opened. Disabling ActiveX controls entirely can cripple IE to the point where many legitimate sites don't work at all, and using the Trusted and Restricted Sites feature in IE isn't always helpful either. One way to stop spyware from installing itself is to attack it in the Registry, by preemptively blocking specific ActiveX controls from being installed.

The way this is done is via a little-known function of ActiveX controls called the "kill bit," as described in Microsoft Knowledge Base article 240797. The "kill bit" is a flag in the Class Identifier, or CLSID, for the ActiveX control. The CLSID for any given ActiveX component is found in the Registry, under HKEY_CLASSES_ROOTCLSID, but Internet Explorer maintains a separate list of compatible ActiveX controls in HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility.

To disable a particular control, add the CLSID for that control as a new subkey under ActiveX Compatibility, and under that subkey add a DWORD value named Compatibility Flags. Set this value to 400 hex, or 1024 decimal. For instance, if you wanted to create a .REG file that blocked the CLSID {00000000-5eb9-11d5-9d45-009027c14662}, it would look like this:


[HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerActiveX Compatibility{00000000-5eb9-11d5-9d45-009027c14662}]
"Compatibility Flags"=dword:00000400

Because CLSIDs are meant to be globally unique, once a control is blocked in this fashion it is blocked permanently (unless it is withdrawn and reissued with a new CLSID).

The site has a regularly-updated .REG file that contains over 300 ActiveX controls known to be spyware. The .REG file does not interfere with any other functions of IE or the system and can interoperate with other spyware-blocking products. An administrator can roll out this .REG file in an automated fashion via SMS, or even add it to freshly-imaged systems as part of a post-installation configuration.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!

This was first published in June 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.