A Whirly Wiry Web article about Launch-in-IE - Web pages can start applications. Securely. Authored by RockinFewl.
Query words: start application from web page,start application from html,start application from internet explorer,start command line from web page,start command line from html page,launch command line from html,launch command line,start executable,launchinie,launch-in-ie,Particle,intralaunch,free component,free Activex.
This article applies to MSIE 4+ | Windows 9x, Me, NT, 2000 | Intranet.
Article styled for generic XHTML1 capable agents. Parts considered incompatible are marked [Part not rendered to your browser].
You may obtain this article styled for Microsoft Internet Explorer 5+ here.
A web page can't readily start an application on the client's computer: quite a few webmasters run into this problem.
This article presents the free LaunchinIE ActiveX Control that will enable HTML pages to start whatever application on the client's machine, without security warnings.
To ensure security, LaunchinIE needs to be carefully configured client-side; due to this restriction it's only fit for intranet use.
At last, web pages can start Word, Excel, or any other corporate application without complaints. Securely.
Perhaps you're familiar with the Windows Scripting Host (WSH) control, coming with all recent Windows systems.
Among other things, WSHShell is capable to execute command lines and hence start applications.
As a security measure, WSHShell is not marked safe for scripting, so Internet Explorer will at least display a security complaint as soon as a web page attempts to instantiate a WSHShell object.
You see that WSHShell is a terribly dangerous component, only protected by a silly yes-no confirmation dialog box, and providing ultimate means to mess with the user's private environment. Devastating worms like ILoveYou and AnnaKournikova got their juice solely from WSHShell.
It's easy to understand that, since July 2000, WSHShell was seriously short winged in Microsoft applications, and even totally removed by some corporate administrators.
That's a pity, because WSHShell has quite a bit of potential in the hands of a responsible power user.
LaunchinIE is a safe alternative for the WSHShell control.
The idea is to move the security responsibility from the careless user to the administrator.
As you will see, LaunchinIE implements an elegant yet invisible security pattern, firmly shielding the raw power it's capable of.
I considered packaging the control in a convenient installer, but I realized that most intranet administrators have their own favorite scripts to quickly install software corporation wide.
On top of that, I think it's better to detail the steps, so you know what happens and know where to look when something goes wrong.
The Control LaunchinIE.DLL is compressed in a zip file for download (89K); the DLL can be copied to any spot desired on your hard drive. Most often, controls of this kind are put in the SYSTEM32 folder. You're free to choose though.
You need to tell your system where to find LaunchinIE. Every Windows system has REGSVR32.EXE to do this. It's a console application, most often found in the SYSTEM folder. Just pass LaunchinIE.dll as an argument. If you're a bit handy, you open SYSTEM and SYSTEM32 each in their own Explorer window, and drag the LaunchinIE.dll to REGSVR32.EXE. Easy.
A dialog box will tell that 'Dllregisterserver (...) succeeded'.
You need to create a key HKEY_LOCAL_MACHINE/SOFTWARE/RockinFewl/LaunchinIE/Approved.
In that key, you can define as many safe URLs as you desire. It's exactly the same approach as the one used by Internet Explorer in its security zones.
Name the values 'url1', 'url2', ... - start with 'url1'.
Only URLs that start the same as one defined here are serviced by LaunchinIE.
The registry is untouchable for malicious web pages, ONLY if you're careful enough to not allow them to use LaunchinIE. I can't stress enough: take time to define approved URLs in as much detail as possible.
LaunchApplication launches any command line you can come up with. Either in JavaScript or VBScript:
<script language="JavaScript">
function launchApp(strCmdLine)
{
var obj = new ActiveXObject("LaunchinIE.Launch");
obj.LaunchApplication(strCmdLine);
}
</script><script language="VBScript">
sub launchApp(strCmdLine)
dim obj
set obj = CreateObject("LaunchinIE.Launch")
obj.LaunchApplication strCmdLine
end sub
</script>
You can start the script by providing for instance this hyperlink:
<a
href="javascript:launchApp('c:\\windows\\notepad.exe c:\\autoexec.bat')">
Launch notepad!</a>ShellExecute is great to open files whereof you don't care to specify the associated application. It's similar to double-clicking the file in Explorer.
<script language="JavaScript">
function openDoc(strDoc)
{
var obj = new ActiveXObject("LaunchinIE.Launch");
obj.ShellExecute("open", strDoc);
}
</script><script language="VBScript">
sub openDoc(strDoc)
dim obj
set obj = CreateObject("LaunchinIE.Launch")
obj.ShellExecute "open", strDoc
end sub
</script>
You can start the script by providing for instance this hyperlink:
<a href="javascript:openDoc('document.doc')">
Open document.doc</a>This will open up Microsoft Word because .doc files are associated with Word.
ShellExecute works as described in the Microsoft documentation.
Note on Active Desktop
If you want to use hyperlinks to run the javascript function (as we did above) on Active Desktop, you need to add target="_self".
For instance:
<a href="javascript:openDoc('document.doc')" target="_self">Open document.doc</a>The issue was documented in Microsoft Knowledge Base Article Q185372, apparently no longer available online.
The location attribute was added for this purpose. It's used in the following scripts that show a message box with the URL as detected by the LaunchinIE control. Put a test page with this script on your trusted server and see which URL shows. You can now enter this URL literally in the registry as outlined in Step 3.
In JavaScript:
<script language="JavaScript">
var myLauncher = new ActiveXObject("LaunchinIE.Launch");
alert(myLauncher.location);
</SCRIPT>In VBScript:
<script language="VBScript">
set myLauncher = CreateObject("LaunchinIE.Launch")
MsgBox myLauncher.location
</script>URLs fit to put in the registry are for instance:
file:///C:/Documents%20and%20settings/ME/My%20documents/launch.htm http://intranet/sample/
LaunchinIE is powerful, so take care to not burn your fingers.
In the Registry Editor graphic, you notice 'url1: http://rocketfuel/test'. That means that all of the following pages are allowed to use LaunchinIE:
http://rocketfuel/test/index.html http://rocketfuel/test.htm http://rocketfuel/tEsT.asp http://rocketfuel/TESTme.htm http://rocketfuel/test4/whatever.htm
More than you suspected eh? To avoid confusion, it's a good idea to finish all URLs by a slash.
As of version 2.02, LaunchinIE displays error messages in Internet Explorer
Can not access registry entry with approved URL list. LaunchinIE didn't manage to read the approved URL list. Most often this is because you didn't add it correctly: the correct key is 'HKEY_LOCAL_MACHINE/SOFTWARE/RockinFewl/LaunchinIE/Approved'.
This page is unauthorized to create the LaunchinIE.Launch object. The URL as detected by LaunchinIE is not in the approved URL list. Use the 'location' attribute to see which URL is detected and put it literally (including all the slashes) in the registry. Also, take care to list the approved URLs in a continual way, starting with 'url1', then 'url2', 'url3',...
Optional argument 'vParameters' needs to be a string. The third argument of the ShellExecute method is optional. If you define it, it must be a string.
Optional argument 'vDirectory' needs to be a string. The fourth argument of the ShellExecute method is optional. If you define it, it must be a string.
As LaunchinIE grants service based on the calling URL, you have to make sure that there's absolutely no way a hacker can launch scripts from your domain. A minimal defense is fairly easy, as outlined in Microsoft's Prevent Cross-Site Scripting Security Issues article.
Have fun with LaunchinIE!
The Prevent Cross-Site Scripting Security Issues article tells how to stop hackers operating from your site. It's important for everyone, and very important if you plan to use LaunchinIE.
Meet the competition: IntraLaunch is a commercial solution that targets the same as Launch-in-IE, does even more, but so far I didn't discover any security mechanism. It's my firm belief that the detect-and-approve URL idea is one of the most essential parts of Launch-in-IE.
Additionally, Launch-in-IE is no doubt by far the leanest launcher control you'll find. Anywhere.
Released soon: LaunchinIE 3.
We acknowledge that configuration of LaunchinIE is a bit cumbersome, what may easily lead to frustration. To make everything easier and self configuring, yet still secure, we're working on LaunchinIE 3; a full fledged, unrivaled solution to easily start apps from a Web page. To be released soon. Watch the Web site's welcome page, or subscribe to our news letter to be timely notified.
DHTML Gems
Fine DHTML tricks that may save your day. (Script)
Fighting eZula
The Web author's war against contextual advertising. (Script)
Detecting TopText and Surf+
Detecting eZula TopText and Spedia Surf+ Enabled Browsers (Script)
The Revealing HTTP Headers
View HTTP server response headers and unprocessed HTTP content. (Tool)
Launch-in-IE
Web pages can start applications. Securely. (ActiveX)
Open Office from a Web Page
Override IE's default behaviour to open Office documents in the browser window. (Script)
ShellExe launches HTML files from AUTORUN.INF
A ShellExecute wrapper that delivers (Utility)
Stealth Browser-Server Conversations
Exchanging data with the server without a page refresh. (Script)
Whirly Wiry Web Today
News, mission, and more skinnies you might be interested in. (General)
Dockyard
Material in test. (-)
The Whirly Wiry Web is RockinFewl's test bed and showcase in one.
All content, code and graphics are entirely crafted at our own premises, but material can freely be reused if charming credit is given.
WhirlyWiryWeb.com, 2001-2006. Address comments to Rockin at WhirlyWiryWeb.com