(SST) ShlWAPI.pas Version 1.08

Developer Reference
(SST)ShlWAPI AssocIsDangerous Function
Checks if the specified file suffix/extension or Windows registry program identification entry is perceived as being that of a file type which can jeopardize system security.
Scope
Global (i.e. this function can be called/accessed from code in any unit that includes/uses (SST)ShlWAPI.pas).
Syntax
function AssocIsDangerous(pszAssoc : LPCWSTR) : BOOL;  
Parameters
pszAssoc [in] Pointer to a wide character string containing the file type to check. Typically, this is an extension as listed in the Windows registry under HKEY_CLASSES_ROOT. That is, the actual extension, preceded by the period used to separate it from the file name. However, it may also be a program identification string, as found under the same root key.
Return Values
The function returns TRUE if the specified file extension or program identification registry name is associated with a file type that has the potential to to be harmful to the system, FALSE (= 0) if not.
Remarks
The function may be called with either a file extension (e.g. ".png", without the quotation marks) or the name of the HKEY_CLASSES_ROOT registry key under which further details are stored (aka the program id), such as the user friendly text describing the file type, the source/location of the icon used to display files of that particular type in Windows Explorer, and the application used to open it with. In its simplest form, the program id is the file extension from which the period was omitted and to which "file" (without the quotaion marks) was appended. For example; the registry key under which this information is typically stored for the file extension .png, is "pngfile" (without the quotation marks). Thus, calling the function with .png or pngfile should produce identical results.
If the function is called with a file extension as the parameter, it must include the period used to separate it from the file name (i.e. as listed in the registry under HKEY_CLASSES_ROOT). Otherwise, the function will always return FALSE, even if the extension is that of potentially harmful file type (see example and output, below).
Further information on the registry entries that are used in file assocations in general and the program ids referred to here in particular, can be found in the Microsoft articles "How Associations Work" and "Programmatic Identifiers".
It has to be emphasized that when the function returns FALSE, this does not mean that a file of the specified type is harmless and that no further security measures such as malware detection software, quarantining, etc., need to be applied to files with with that particular extension.
According to the Microsoft documentation accompanying SDK 6.1, various procedures and sources are used in determining whether or not a particular file type constitutes a potential security risk, some of which are mentioned in the article describing the function (which see). However, the described procedures and sources are those that were implemented in Windows versions up to and including Windows Server 2003, and these, although presumably still in place in later versions, may have undergone revision and/or been supplemented since.
The function appears not to have been officially documented prior to the documentation accompanying Windows SDK Version 6.1.
In the first versions of the Microsoft SDK in which it was declared (6.0A & 6.1), the function was enclosed in the compiler directive "#if (_WIN32_IE >= 0x0601)". However, no version 6.01 of ShlWAPI.dll (and/or Internet Explorer, for tha matter) seems to ever have been released/distributed. Based on the definitions in sdkddkver.h though, it is safe to assume that what was (probably) meant by this is/are the 6.0.xxxx.yyyy version(s) that ship(ped) with IE 6 SP 1.
Example
PROCEDURE TForm4.TestShlWAPIAssocIsDangerous(Sender : TObject); VAR apiretval : BOOL; VAR wchartype : WideString; VAR newinfoline : STRING; BEGIN apiretval := FALSE; wchartype := ''; newinfoline := ''; wchartype := '*'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '*'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.txt'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.txt'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.sys'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.sys'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.drv'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.drv'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.cpp'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.cpp'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.flex'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.flex'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.com'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.com'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.exe'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.flex'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := 'pngfile'; //Note the use of a program id instead of a file extension newinfoline := 'AssocIsDangerous called with/for extension/type ' + 'pngfile'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := 'dllfile'; //Note the use of a program id instead of a file extension newinfoline := 'AssocIsDangerous called with/for extension/type ' + 'dllfile'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := 'bat'; //Note the missing period ! newinfoline := 'AssocIsDangerous called with/for extension/type ' + 'bat'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.bat'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.bat'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := 'inf'; //Note the missing period ! newinfoline := 'AssocIsDangerous called with/for extension/type ' + 'inf'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); wchartype := '.inf'; newinfoline := 'AssocIsDangerous called with/for extension/type ' + '.inf'; Memo1.Lines.Add(newinfoline); apiretval := AssocIsDangerous(PWideChar(wchartype)); IF apiretval = TRUE THEN newinfoline := 'Returned TRUE for the extension/type ' + AnsiQuotedStr(wchartype, '"') ELSE newinfoline := 'Returned FALSE for the extension/type ' + AnsiQuotedStr(wchartype, '"'); Memo1.Lines.Add(newinfoline); Memo1.Lines.Add(''); END;
On one of our Windows Vista systems the above code produced the output shown below. However, when run on other systems and/or under other Windows versions the output may deviate significantly.
AssocIsDangerous called with/for extension/type * Returned FALSE for the extension/type "*" AssocIsDangerous called with/for extension/type .txt Returned FALSE for the extension/type ".txt" AssocIsDangerous called with/for extension/type .sys Returned FALSE for the extension/type ".sys" AssocIsDangerous called with/for extension/type .drv Returned FALSE for the extension/type ".drv" AssocIsDangerous called with/for extension/type .cpp Returned FALSE for the extension/type ".cpp" AssocIsDangerous called with/for extension/type .flex Returned FALSE for the extension/type ".flex" AssocIsDangerous called with/for extension/type .com Returned TRUE for the extension/type ".com" AssocIsDangerous called with/for extension/type .exe Returned TRUE for the extension/type ".exe" AssocIsDangerous called with/for extension/type pngfile Returned FALSE for the extension/type "pngfile" AssocIsDangerous called with/for extension/type dllfile Returned FALSE for the extension/type "dllfile" AssocIsDangerous called with/for extension/type bat Returned FALSE for the extension/type "bat" AssocIsDangerous called with/for extension/type .bat Returned TRUE for the extension/type ".bat" AssocIsDangerous called with/for extension/type inf Returned FALSE for the extension/type "inf" AssocIsDangerous called with/for extension/type .inf Returned TRUE for the extension/type ".inf"
Requirements
Unit: Declared and imported in (SST)ShlWAPI.pas
Library: (SST)ShlWAPI.dcu/(SST)ShlWAPI.obj
Unicode: Implemented as Unicode (AssocIsDangerousW) function only.
Min. ShlWAPI.dll version according to MS SDK doc.: 6.01
Min. ShlWAPI.dll version based on SST research: 6.0
Min. OS version(s) according to Microsoft SDK doc.: Windows XP Service Pack 1 (SP1), Windows Server 2003
Min. OS version(s) according to SST research.: Windows 2000 and later with IE 6 SP 1
See Also
AssocGetPerceivedType.
 
Windows APIs: AssocCreate, AssocGetPerceivedType, AssocIsDangerous, AssocQueryKey, AssocQueryString, AssocQueryStringByKey, IQueryAssociations


Document/Contents version 1.00
Page/URI last updated on May 04, 2022
 
Copyright © Stoelzel Software Technologie (SST) 2010 - 2015
Suggestions and comments mail to:
webmaster@stoelzelsoftwaretech.com