This topic provides information about security considerations related to the Windows Shell. This document cannot provide all you need to know about security issues—instead, use it as a starting point and reference for this specific technology area.
The Shell controls a number of important aspects of the system, including several that present potential security risks if they are not properly handled. This topic outlines some of the more common issues and how to address them in your applications. Remember that security is not limited to Internet-based exploits. On shared systems, including systems that are accessible through Terminal Services, you must also ensure that users cannot do anything that could harm others who share the system.
The majority of potential Shell security issues can be mitigated by correctly installing your application.
Install the application under the Program Files folder.
Operating System
Location
Windows XP, Windows Server 2003, and earlier
CSIDL_PROGRAM_FILES
Windows Vista and later
FOLDERID_ProgramFiles, FOLDERID_ProgramFilesX86, FOLDERID_ProgramFilesX64, FOLDERID_ProgramFilesCommon, FOLDERID_ProgramFilesCommonX86, or FOLDERID_ProgramFilesCommonX64. See KNOWNFOLDERID for specifics.
Do not store user data under the Program Files folder.
Use the appropriate data folder for data that is common to all users.
Operating System
Location
Windows XP, Windows Server 2003, and earlier
CSIDL_COMMON_APPDATA
Windows Vista and later
FOLDERID_ProgramData
Use the appropriate user data folder for data that belongs to a particular user.
Operating System
Location
Windows XP, Windows Server 2003, and earlier
CSIDL_APPDATA, CSIDL_PERSONAL, and others.
Windows Vista and later
FOLDERID_RoamingAppData, FOLDERID_Documents, and others.
If you must install to a location other than the Program Files folder, make sure that you set access control lists (ACLs) properly so that users do not have access to inappropriate parts of the file system. Any data that is specific to a particular user should have an ACL that prevents any other user from accessing it.
When you set up file associations, be sure to properly specify the command line. Use a fully qualified path and wrap any elements that contain white space in quotation marks. Wrap command parameters in separate quotation marks. Otherwise, the string might be incorrectly parsed and the application will not launch properly. Two examples of properly formed command lines are shown here.
The location of the standard installation folders might vary from system to system. To get the location of a standard folder on a particular Windows Vista or later system, call SHGetKnownFolderPath with the appropriate KNOWNFOLDERID value. In Windows XP, Windows Server 2003, or earlier systems, call SHGetFolderLocation or SHGetFolderPath with the appropriate CSIDL value.
Shlwapi
The Shell Lightweight API (Shlwapi) includes a number of string manipulation functions. Using these functions incorrectly can lead to unexpectedly truncated strings with no notification of the truncation being returned. In the following cases, the Shlwapi functions should not be used. The listed alternative functions, which pose fewer risks, should be used in their place.
With functions such as PathRelativePathTo that return a file path, always set the size of the buffer to MAX_PATH characters. Doing so ensures that the buffer is large enough to hold the largest possible file path, plus a terminating null character.
For more information on the alternative string functions, see About Strsafe.h.
Autocomplete
Do not use the Autocomplete feature for passwords.
ShellExecute, ShellExecuteEx, and Related Functions
There are several Shell functions that you can use to launch applications: ShellExecute, ShellExecuteEx, WinExec, and SHCreateProcessAsUserW. Make sure you provide an unambiguous definition of the application that is to be executed.
When providing the executable file's path, provide the fully qualified path. Do not depend on the Shell to locate the file.
If you provide a command-line string that contains white space, wrap the string in quotation marks. Otherwise, the parser might interpret a single element that contains spaces as multiple elements.
Moving and Copying Files
One key to system security is properly assigning ACLs. You also might use encrypted files. Make sure that when you move or copy files, that they are assigned the correct ACL and that they have not been accidentally decrypted. This includes moving files to the Recycle Bin, as well as within the file system. Use IFileOperation (Windows Vista or later) or SHFileOperation (Windows XP and earlier). Do not use MoveFile, which might not set the expected ACL for the destination file.
Writing Secure Namespace Extensions
Shell namespace extensions are a powerful and flexible way to present data to the user. However, they can cause system failure if they are not correctly written. Some key points to keep in mind:
Do not assume that data such as images are formatted correctly.
Do not assume that MAX_PATH is equivalent to the number of bytes in a string. It is the number of characters.
Security Alerts
The following table lists some features that can, if used incorrectly, compromise the security of your applications.
Searches that depend on checking a series of default locations to find a specific file can be used in a spoofing attack. Use a fully qualified path to ensure that you access the desired file.
The first argument, pszFront, must be large enough to hold pszBack and the closing '\0', otherwise a buffer overrun might occur. Be aware that the last argument, cchMax, is the number of characters to copy into pszFront, not necessarily the size of the pszFront in bytes. Use one of the following alternatives instead. StringCbCat, StringCbCatEx, StringCbCatN, StringCbCatNEx, StringCchCat, StringCchCatEx, StringCchCatN, or StringCchCatNEx.
Secure software development means integrating security into each phase of your development lifecycle, from requirements analysis to maintenance. Microsoft provides many services that can help you develop more secure code and deploy a more secure application in the cloud. This learning path provides an overview of the services and offerings available to help you build secure software as part of a cybersecurity solution.The deadline for agencies to comply with NIST/CISA/OMB guidance on security measures for c