Does the EnforceShellExtensionSecurity policy work as intended on Windows 7 and higher versions?

Question

Does the EnforceShellExtensionSecurity policy work as intended on Windows 7 and higher versions?

Andy Ful 6

I tested the policy EnforceShellExtensionSecurity on several machines with different versions of Windows. The policy can be enabled with Registry keys:

Registry Hive: HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: EnforceShellExtensionSecurity
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

It works as intended on Windows XP (both for HKCU and HKLM Hives).
It does not work as intended on Windows 7, Windows 10, and Windows Server 2019.

As a testing application, I used the 7-ZIP archiver. It adds the proper CLSID under the key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

When this CLSID is removed (system restarted) the 7-ZIP shell extension still works on
Windows 7, Windows 10, and Windows Server 2019. When the same is done on Windows XP, then the 7-ZIP extension is blocked (7-ZIP options disappear from the right-click File Explorer context menu).

Many resources (including Administrative Templates) claim that this policy works on Windows 2000 and higher versions.

I found the information on the below website:
https://www.geoffchappell.com/studies/windows/shell/shell32/api/util/restrictions.htm

ID | 0x00100000
Symbolic Name : REST_ENFORCESHELLEXTSECURITY
Key : Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value : EnforceShellExtensionSecurity
Availability : version 4.0 (NT only) to 6.0

It suggests that the EnforceShellExtensionSecurity policy works up to Windows Vista.

So, I would like to ask :

Why 7-ZIP extension is not blocked on Windows 7 and higher versions?
What concrete shell extension is not blocked on Windows 10?

1 answer

Your answer

Answer 1

Reza-Ameri 17,341 Volunteer Moderator

In case you want this policy to become available in Windows 10 or Windows 11, you may open start and search for feedback and open the Feedback Hub app and share your concern.
Security model for Windows 10 has changed and you have alternative methods to protect your device.
For example, you may try blocking applications using AppLocker which is inside the Group Policy, and you don't need to do registry modification.
Support for the Windows 7 is also ended and there won't be any new update for this version of Windows.

Andy Ful 6 Reputation points

2022-06-05T20:21:09.897+00:00

Thanks for your response. But, I am not sure If I understand your answer.
I do not want this policy to become available on Windows 10 or 11. I do not also need help with applying a security model. I know very well SRP, Applocker, and MDAC.
I have a serious concern that this policy does not work as intended on all Windows versions supported by Microsoft. So, I want to clarify if the information about this policy in Microsoft ADMX and almost all sources that one can find on the web, is correct. If it is not correct then it should be updated by Microsoft.
Reza-Ameri 17,341 Reputation points Volunteer Moderator

2022-06-06T15:25:58.243+00:00

The link you shared is from non-Microsoft website.
Could you share the resource from the Microsoft website which need update, so I would guide you on reporting this issue.
Andy Ful 6 Reputation points

2022-06-06T16:06:40.967+00:00

Here are two examples:
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnforceShellExtensionSecurityI found
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsexplorer#admx-windowsexplorer-enforceshellextensionsecurity

But, I also opened this thread to confirm the issue by others. My tests show only that this policy does not work as intended. But I did not prove that it does not work at all.
Andy Ful 6 Reputation points

2022-06-06T16:12:27.69+00:00

Sorry. The first link is corrupted. Here is the proper link:
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnforceShellExtensionSecurity
Reza-Ameri 17,341 Reputation points Volunteer Moderator

2022-06-07T15:12:31.823+00:00

If you scroll down to the end of the page, you will see option to share feedback and the picture is like the following:

You may click this page and navigate to GitHub and share your comment and share you manage to reproduce this and the authors will check your request and try reproduce it and update the page if necessary.
Andy Ful 6 Reputation points

2022-06-07T20:00:09.7+00:00

Thanks. I am still waiting for someone who knows more details about this policy. If nothing will happen, then I will use your advice.
Reza-Ameri 17,341 Reputation points Volunteer Moderator

2022-06-08T17:42:46.673+00:00

It is always good idea to share feedback, the team will review and if it already exists, they will let you know, otherwise they will update the article and, in any case, sharing is a good idea.
Andy Ful 6 Reputation points

2022-06-14T15:35:37.34+00:00

Done.
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10622

Share via

Does the EnforceShellExtensionSecurity policy work as intended on Windows 7 and higher versions?

1 answer

Your answer