
Windows Box, MS Office 14: "FileBlock" Registry Keys?


(PeteCresswell)

Jun 27, 2011, 9:27:44 AM
I just troubleshot a Windows box where the user was unable to
save any documents from MS Word (Office 2007).

Googled a little, went down a few dead-end paths, then started
looking around on my own.

Found a "FileBlock" functionality where, if there is a
"FileBlock" registry entry for a file type ("txt", "doc", "docx"
and so-forth) and that entry's data is set to "2", MS Word will
not allow saving the file and throws a dialog to that effect.

Changed them all to "0" and everything looks copasetic.


The Question:

Is there malware that is known to set those entries? Seems
awfully tempting to me - and, coincidentally, I had to remove a
Windows Defender spoof from that same machine a couple of weeks
ago.
--
PeteCresswell

VanguardLH

Jun 27, 2011, 9:42:49 AM
(PeteCresswell) wrote:

> I just troubleshot a Windows box where the user was unable to
> save any documents from MS Word (Office 2007).

Oh, a "Windows box", uh huh. Yep, thar be just one version of Windows,
fer sure.

> Found a "FileBlock" functionality where, if there is a
> "FileBlock" registry entry for a file type ("txt", "doc", "docx"
> and so-forth) and that entry's data is set to "2", MS Word will
> not allow saving the file and throws a dialog to that effect.

Oh, your registry's database has entries that aren't under a hive and
there's no path to get to them because they're at some root level.
Uh huh.

> Changed them all to "0" and everything looks copasetic.
>
> The Question:
>
> Is there malware that is known to set those entries? Seems
> awfully tempting to me - and, coincidentally, I had to remove a
> Windows Defender spoof from that same machine a couple of weeks
> ago.

With the missing information (Windows version and registry key's path),
I did a search on just "FileBlock" in Microsoft's support knowledgebase
using:

http://support.microsoft.com/kb/922848

and got some hits:

http://support.microsoft.com/kb/922848
http://support.microsoft.com/kb/922850
http://support.microsoft.com/kb/937696

So it looks like you found a policy setting available since mid-2007.
We don't know if this user is in a domain to have policies pushed onto
their host. Policies are just registry settings. Obviously any program
can create registry entries and set data items under it if the user is
logging on under an admin-level account (and especially if not running
their web browsers under a limited user access token to restrict
privileges to them while using that admin account).

VanguardLH

Jun 27, 2011, 9:47:09 AM
VanguardLH wrote:

> With the missing information (Windows version and registry key's path),
> I did a search on just "FileBlock" in Microsoft's support knowledgebase
> using:

Oops, submitted too soon. Forgot to include the Google search criteria
that searches Microsoft's KB database *without* wasting time to get past
all the garbage they include for forum posts in a search. I used:

http://www.google.com/search?q=site:support.microsoft.com+fileblock

(PeteCresswell)

Jun 27, 2011, 7:52:44 PM
Per VanguardLH:

> Policies are just registry settings. Obviously any program
>can create registry entries and set data items under it if the user is
>logging on under an admin-level account (and especially if not running
>their web browsers under a limited user access token to restrict
>privileges to them while using that admin account).

That's kind of what I pictured. Putting myself in the position
of a malware author who knew about it, it seemed so tempting that
I had to wonder if maybe some particular malware/virus was
notorious for doing such.

Otherwise, I would have to wonder how Joe User could create such
a situation all on their own - knowing that this particular user
doesn't even know what a Registry is and that they had installed
Office 14 only a couple of weeks ago.
--
PeteCresswell

VanguardLH

Jun 27, 2011, 8:23:25 PM
(PeteCresswell) wrote:

There have long been startup locations in the registry that are hidden
simply because they aren't exposed to users by Microsoft's simplistic
tools, like msconfig.exe. You need to use SysInternals' AutoRuns to see
them all. I even had to notify the WinPatrol author of a couple startup
locations he missed in his Startup monitor (WinLogon notify events,
shell extensions loaded on startup).

BTW, the Microsoft KB articles say it is a FileOpenBlock policy setting.
You said FileBlock. What's the real name of the registry key (including
the full path to it) that you found?

I tried looking for the FileOpenBlock or something similarly named in
the group policy editor (gpedit.msc) but couldn't find anything. From
the articles, it looks like a template (of security settings) has to get
loaded to incorporate the additional security settings for
FileOpenBlock. Was this host in a domain where policies get enforced
and where the Office template could be pushed?

http://technet.microsoft.com/en-us/library/cc179081.aspx
http://technet.microsoft.com/en-us/library/gg490629.aspx

That explains why I don't see any security settings related to
FileOpenBlock. I've never right-clicked on the local or user
Administrative Templates node in gpedit.msc to install a new security
template (to add its settings) and my home host has never been in a
domain to have policies pushed onto it.

FromTheRafters

Jun 27, 2011, 9:18:40 PM
VanguardLH wrote:
[...]

> So it looks like you found a policy setting available since mid-2007.
> We don't know if this user is in a domain to have policies pushed onto
> their host. Policies are just registry settings.

Not all of them.

Check out the group policy reference to see where settings
are kept for each policy.

http://www.microsoft.com/download/en/details.aspx?id=25250

[...]

FromTheRafters

Jun 27, 2011, 9:35:40 PM

Is there an advantage to be had by malware if it prevents
the user from file manipulations in MS Word or Office in
general?

Chances are, if there is no advantage to it, malware won't be doing it.

(PeteCresswell)

Jun 28, 2011, 9:23:48 AM
Per VanguardLH:

>BTW, the Microsoft KB articles say it is a FileOpenBlock policy setting.
>You said FileBlock. What's the real name of the registry key (including
>the full path to it) that you found?

Give me a day on this. I neglected to make myself a copy of the
file I created on the user's PC that documents the exact
locations/key names.

They'll be sending me a copy pretty soon.
--
PeteCresswell

(PeteCresswell)

Jun 28, 2011, 11:20:42 AM
Per (PeteCresswell):

>Give me a day on this.

Here it is:

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock

Entries for following file types changed from 2 to 0 (Decimal):
HtmlFiles
OpenDocumentText
OpenXmlFiles
RtfFiles
TextFiles
Word2000Files
Word2003Files
Word2007Files
Word97Files
WordXmlFiles
WordXpFiles
--
PeteCresswell

VanguardLH

Jun 29, 2011, 12:39:52 AM
(PeteCresswell) wrote:

> Here it is:
>
> HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock
>
> Entries for following file types changed from 2 to 0 (Decimal):
> HtmlFiles
> OpenDocumentText
> OpenXmlFiles
> RtfFiles
> TextFiles
> Word2000Files
> Word2003Files
> Word2007Files
> Word97Files
> WordXmlFiles
> WordXpFiles

Since the security change is dated back to mid-2007, and since the
registry key names would be FileSaveBlock and FileOpenBlock (not
FileBlock), and since these only appear after an Office administrative
template (.adm file) gets installed or pushed onto a host (and you never
mentioned the user was operating a host in a domain where policies can
get pushed), it could be some malware thought it was going to use these
settings in the registry to fuck over the operation of Office components
(Word, Excel) but they screwed up and used the wrong key name in the
registry.

If the host has been disinfected from prior malware, the disinfection
may only target those registry entries the anti-malware author knows
about and only for those keys that have an actual impact on OS or app
behavior or functionality. Disinfection is rarely 100% clean. Even if
the pest has been squashed, there could still be some remnants of it
(like using your wipers and fluid to clean your windshield from a bug
squash but still getting stuck with the streak of splatter).

Since you mentioned the problem was with saving files edited in Word
2007, I suspect the responsible key is FileSaveBlock.

http://support.microsoft.com/kb/945800
"an administrator can add to the registry to restrict the types of files
that can be opened or that can be saved. The administrator can do this
by using the FileSaveBlock subkey."

(PeteCresswell)

Jun 29, 2011, 12:10:02 PM
Per VanguardLH:

>Since you mentioned the problem was with saving files edited in Word
>2007, I suspect the responsible key is FileSaveBlock.

Might be a couple days, but I'll post a screen snap of REGEDIT
if/when I am able to hook back into the user's PC and confirm
whether I got it right or not with just plain "FileBlock".
--
PeteCresswell

(PeteCresswell)

Jul 1, 2011, 12:36:33 PM
Per (PeteCresswell):

>Might be a couple days, but I'll post a screen snap of REGEDIT

Yup... It really is "FileBlock"

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock

viz: http://tinyurl.com/3w35ogu
--
PeteCresswell

VanguardLH

Jul 1, 2011, 6:40:28 PM
(PeteCresswell) wrote:

I haven't any MS info that mentions FileBlock, only FileSaveBlock and
FileOpenBlock. Maybe it's an undocumented "feature".

(PeteCresswell)

Jul 2, 2011, 9:19:24 AM
Per VanguardLH:

>I haven't any MS info that mentions FileBlock, only FileSaveBlock and
>FileOpenBlock. Maybe it's an undocumented "feature".

Drove me nuts for awhile - having the same experience and only
finding FileOpen... and FileSave...

--
PeteCresswell

rots...@gmail.com

Apr 29, 2014, 6:41:46 AM
The following cured two of my installations for the discussed problems (Word refusing to save), which started after attempting to allow opening, editing, and saving ancient Word 6.0 files using the "Trust Center" in Word 2010. It appears that the registry values saved by Word as a result of changing the "trust settings" (the entries listed are not there until you have changed these settings in "Trust Center") are the opposite of what is intended, which leads Word effectively to block all file saving (including docx files) thereafter.

I've tried uninstalling Office 2010 with Revo Uninstaller to sweep all registry entries and reinstalling, but the problem did not disappear. Instead I found a cure by changing all registry entries below from 0x00000002 to 0x00000000. If you thereafter refrain from changing anything in "Trust Center" you will live happily ever after. If you have no need to open RTF files, you might want to delete the RTF line below, since there is a known exploit in RTF files that could benefit from having this file type staying blocked.

To run this fix, open regedit.exe and do the changes manually or, which is faster, save the registry entries below in a file named _something_.reg and File->Import this file in the registry editor.

The following also worked for me but will be entirely at your own risk: If you have edited documents that you need to save and have autosave activated, simply kill Word in Task Manager and restart it after having applied the registry fix. You will now be able to save the autorecovered file, provided autosave is working and you have left the file unedited for the period you have set between autosaves.

Cheers, Rataskanken

[SAVE ALL LINES BELOW THIS IN A *.REG FILE AND IMPORT]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]
"OpenXmlFiles"=dword:00000000
"OpenDocumentText"=dword:00000000
"Word2007Files"=dword:00000000
"Word2003Files"=dword:00000000
"WordXmlFiles"=dword:00000000
"WordXPFiles"=dword:00000000
"Word2000Files"=dword:00000000
"Word97Files"=dword:00000000
"HtmlFiles"=dword:00000000
"RtfFiles"=dword:00000000
"TextFiles"=dword:00000000
"Converters"=dword:00000000
"OoxmlConverters"=dword:00000000
"OpenInProtectedView"=dword:00000000
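
A pre-import check for a .reg file like the one posted above, as an added example that is not part of the original post: it lists every DWORD the file would write under the FileBlock key named in the thread and flags any line that touches another key or is not a plain DWORD. The sample input and the `HKEY_CURRENT_USER\Software\Example` key are constructed for illustration.

```python
import re

# Key path as posted in the thread; registry key names are case-insensitive.
EXPECTED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")

def decode_reg(raw: bytes) -> str:
    # regedit writes "Version 5.00" exports as UTF-16LE with a BOM; pasted copies are usually UTF-8.
    return raw[2:].decode("utf-16-le") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8-sig")

def review_reg(raw: bytes, expected_key: str = EXPECTED_KEY):
    """Return (writes, findings). writes: value name -> DWORD the file would set under
    expected_key. findings: (line number, reason) for everything else the file does."""
    writes, findings, key = {}, [], None
    for n, line in enumerate(decode_reg(raw).splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):  # "[-KEY]" removes the whole key on import
                findings.append((n, "deletes key " + key))
            elif key.lower() != expected_key.lower():
                findings.append((n, "touches unexpected key " + key))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            findings.append((n, "unparsed line: " + line))
        elif key.lower() != expected_key.lower():
            findings.append((n, "sets " + m.group(1) + " under " + key))
        elif DWORD_RE.match(m.group(2)) is None:
            findings.append((n, m.group(1) + " is not a plain DWORD: " + m.group(2)))
        else:
            writes[m.group(1).strip('"')] = int(m.group(2)[6:], 16)
    return writes, findings

# Constructed sample: two FileBlock values plus one key that does not belong in this fix.
SAMPLE = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n[" + EXPECTED_KEY + "]\r\n"
    '"RtfFiles"=dword:00000002\r\n"Word97Files"=dword:00000000\r\n'
    '[HKEY_CURRENT_USER\\Software\\Example]\r\n"Setting"="value"\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    print(review_reg(SAMPLE))
```

An empty findings list means the file only sets DWORD values under the expected key; the writes mapping shows which file types would be left at 2 and which reset to 0.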