Tuesday, November 04, 2008

Offering Remote Assistance Part 2

After poring through the stuff in the previous post, the best solution seems to be a new file I totally scammed from one of the web pages (http://www.lansweeper.com/forum/yaf_postsm3186_Offer-Remote-Assisstants-for-Custom-Action.aspx). But before talking about that, let's talk about how Offer Remote Assistance actually works.

If you go into Start, Help and Support, you're actually running helpctr.exe. Helpctr.exe is actually a web browser. It's a special web browser, though...to put it bluntly, it is a web browser that has no security whatsoever. The "Offer Remote Assistance" page (accessible in "Help and Support" by going to "Use Tools to view...") is nothing more than an HTML page. You can access it directly using this URL:

hcp://cn=microsoft%20corporation,l=redmond,s=washington,c=us/Remote%20Assistance/Escalation/Unsolicited/unsolicitedrcui.htm

The page has a lot of scripts and an instance of the actual Remote Assistance ActiveX control. But you'll note that you don't get prompted to allow it to use the control--it just does.

Help and Support is actually just a library of HTML files. Some of them take parameters. Back when XP originally came out, someone figured out that you could put a link (like the one above) on a web page, get someone to click it, and do all sorts of nasty things--even with the files already built into Help and Support.

Microsoft's fix to this was to change the way the HCP protocol was registered. Clicking an HCP:// link just fires up helpctr.exe and passes it the URL with the -URL parameter of the program. Now, they've added a "-FromHCP" parameter to the program as well, and the setup in the registry passes this parameter. What this does is prevent helpctr.exe from processing anything in the querystring of the URL; instead, if the URL has a querystring, helpctr.exe opens and just displays an error. To open an hcp link with a querystring, you have to fire off helpctr.exe manually, using the following command (I'm just taking the url from above; obviously there's no query string on this one):

%windir%\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe -url hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/Unsolicited/UnsolicitedRCui.htm

If you just click an hcp:// link, Windows actually fires off this command:

%windir%\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe -FromHCP -url hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/Unsolicited/UnsolicitedRCui.htm

OK, now with all that talk, what's the problem? Obviously I found a great replacement htm page for Remote Assistance that I can pass a parameter to. The problem is that I want to just put a link within my web page that will fire up this htm file with a query string. But the -FromHCP parameter will make that error out. So now I have two choices:

1. Create an ActiveX control of my own that I can have users install that will fire up the full command line to helpctr.exe
2. Modify my users' registration for HCP to remove the -FromHCP parameter

Both are ugly. #1 is more difficult to support and roll out, and #2 is a security risk. I'm leaning towards #2, but it means that I need to modify our firewall to ensure that any page that contains an HCP link gets blocked.
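
The two checks that option #2 implies, as an added example that is not part of the original post: audit whether a machine's HCP handler command still carries -FromHCP, and scan page content for hcp:// links the way a gateway filter would. Assumptions: the handler command string has been exported from the protocol registration (the standard location for a URL protocol would be HKEY_CLASSES_ROOT\HCP\shell\open\command), "%1" stands in for the clicked URL, and the function names and verdict labels are made up for this sketch.

```python
import re
import shlex

# hcp: URLs anywhere in page content (href values, script strings, plain text)
HCP_LINK = re.compile(r"hcp://[^\s\"'<>]+", re.IGNORECASE)

def audit_handler(command):
    """Classify the command line Windows runs when an hcp:// link is clicked."""
    # posix=False keeps the backslashes of Windows paths intact
    tokens = [t.strip('"') for t in shlex.split(command, posix=False)]
    if not tokens or not tokens[0].lower().endswith("helpctr.exe"):
        return "unexpected-binary"
    flags = {t.lower() for t in tokens[1:]}
    if "-url" not in flags:
        return "no-url-argument"
    # With -FromHCP, helpctr.exe shows an error for URLs with a query string
    return "restricted" if "-fromhcp" in flags else "unrestricted"

def find_hcp_links(html):
    """Return (url, has_query_string) for every hcp:// URL in the content."""
    return [(u, "?" in u) for u in HCP_LINK.findall(html)]

def page_verdict(command, html):
    """Gateway decision for one page, given the handler state of the clients."""
    links = find_hcp_links(html)
    if not links:
        return "allow"
    if audit_handler(command) != "restricted":
        return "block"  # the post's policy once -FromHCP is removed
    # Stock handler: query-string links only produce an error, but are worth a look
    return "flag" if any(q for _, q in links) else "allow"

# Constructed samples: the two command lines quoted in the post, with "%1"
# standing in for the clicked URL, and a made-up page with two links.
BASE = r"%windir%\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe"
STOCK = BASE + ' -FromHCP -url "%1"'
MODIFIED = BASE + ' -url "%1"'
URL = ("hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/"
       "Remote%20Assistance/Escalation/Unsolicited/UnsolicitedRCui.htm")
PAGE = '<a href="%s">help</a> <a href="%s?constructed=1">help</a>' % (URL, URL)

if __name__ == "__main__":
    for name, cmd in (("stock", STOCK), ("modified", MODIFIED)):
        print(name, audit_handler(cmd), page_verdict(cmd, PAGE))
```

Run against every managed machine's exported handler string, any result other than "restricted" marks a client that depends entirely on the page-blocking rule.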
