Problem Viewing CHM Files on Network Drives.

After applying the latest security updates, we are finding that all "CHM"
files viewed from a network drive are having problems. The following
screen displays in the text area.

Action canceled
Internet Explorer was unable to link to the Web page you requested.
The page might be temporarily unavailable.

--------------------------------------------------------------------------

Please try the following:

a.. Click the Refresh button, or try again later.

b.. If you have visited this page previously and you want to view
what has been stored on your computer, click File, and then click Work
Offline.

c.. For information about offline browsing with Internet Explorer,
click the Help menu, and then click Contents and Index.




Internet Explorer



---

To duplicate this problem, copy c:\windows\help\wmplayer.chm to a network
device, and try to view the CHM file. The table of contents works
properly.

Luis I. Gomez wrote:

> After applying the latest security updates, we are finding that
> all "CHM" files viewed from a network drive are having problems.
> The following screen displays in the text area.
>
> Action canceled
> Internet Explorer was unable to link to the Web page you
> requested. The page might be temporarily unavailable.
> (snip)
Hi,

This is caused by the security update KB896358 (MS05-026: A
vulnerability in HTML Help could allow remote code execution)


Importing the following registry file will solve the problem as long
as your network drive is defined as "Local intranet zone" (it should
be).

The setting above will Local Machine zone, Local intranet zone, and
Trusted sites zone.

--------------------8<----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000002

--------------------8<----------------------

More about this registry setting here:

http://support.microsoft.com/kb/896358

and here:
http://support.microsoft.com/kb/896054



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Thank you for you solution.

I must say that this particular issue is making me re-think my strategy of
using Microsoft Html Help Workshop.

A security buletin was posted on 6/14, and a Security update on 6/15 that
single handedly caused every network based application that relied on CHM or
HTMLHELP documents to suddenly fail. This resulted in a huge influx to our
help center along with the task to re-designing our documentation strategy.

I suppose that it may seem reasonable to simply go to the registry and apply
the changes, but this is something that must be done on tens of thousands of
systems at around 1,000 sites.

Essentially with one days notice, it has been decreed that network based
documentation is no longer appropriate.

As I understand the situation, it has been decided that HTML documents
coantained within a CHM file stored on a network device pose a security
threat, and represent a danger to the system. This seems to be the most
basic of CHM functionality.

If I understand the intent of this update, it is expected that we install
several gigabytes of CHM files on each of hundreds of workstations in order
to provide our manual to our users at a particular installation. We then
need to make certain that these manuals are updated on the local systems.
I suppose an alternative is to copy a particular document to the local hard
disk before displaying it.

Luis

Luis I. Gomez wrote:
> Thank you for you solution.
>
> I must say that this particular issue is making me re-think my strategy of
> using Microsoft Html Help Workshop.
>
> A security buletin was posted on 6/14, and a Security update on 6/15 that
> single handedly caused every network based application that relied on CHM or
> HTMLHELP documents to suddenly fail. This resulted in a huge influx to our
> help center along with the task to re-designing our documentation strategy.
>
> I suppose that it may seem reasonable to simply go to the registry and apply
> the changes, but this is something that must be done on tens of thousands of
> systems at around 1,000 sites.
> (snip)
Hi,

If this is computers in an Active Directory domain:

You can push out that registry value with a GPO using a custom
administrative template ("tattooing" the registry on the clients):

HOW TO: Create Custom Administrative Templates in Windows 2000
http://support.microsoft.com/?kbid=323639

225087 Writing Custom ADM Files for System Policy Editor
http://support.microsoft.com/?kbid=225087

Implementing Registry-Based Group Policy
go.microsoft.com/fwlink/?LinkId=28188

Implementing Registry-based Policy [Group Policy]
http://msdn.microsoft.com/library/en-us/policy/policy/implementing_registry_based_policy.asp


You might be interested in the free PolicyMaker Registry Extension
as well:
http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

I too hit the "Action Canceled" problem with Compiled HTML Help (CHM) files
after deploying the recent security updates (MS04-023, MS05-001 and MS05-
026).

As we have many applications that access CHM files from network drives I
created a custom administrative template (ADM) to deploy the required
registry settings to our workstations. This is a much more elegant and
flexible solution than the batch file method suggested in the KB articles.

Here is my template - no warranty implied or given, use it at your own risk
etc.


CLASS MACHINE

CATEGORY "HTML Help Security Updates"

POLICY "HTML Help ActiveX Maximum Allowed Zone"
KEYNAME "SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions"
EXPLAIN "Security updates MS05-026 and MS05-001 include changes
that restrict the HTML Help ActiveX control by zone."
PART "Select the maximum allowed zone for HTML Help ActiveX:"
DROPDOWNLIST
VALUENAME MaxAllowedZone
ITEMLIST
NAME "Local Machine" VALUE NUMERIC 0 DEFAULT
NAME "Local Intranet" VALUE NUMERIC 1
NAME "Trusted Sites" VALUE NUMERIC 2
NAME "Internet" VALUE NUMERIC 3
NAME "Restricted Sites" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY

POLICY "HTML Help InfoTech Protocol Maximum Allowed Zone"
KEYNAME "SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions"
EXPLAIN "Security updates MS05-026 and MS04-023 include changes
that restrict the HTML Help InfoTech protocol by zone."
PART "Select the maximum allowed zone for HTML Help InfoTech:"
DROPDOWNLIST
VALUENAME MaxAllowedZone
ITEMLIST
NAME "Local Machine" VALUE NUMERIC 0 DEFAULT
NAME "Local Intranet" VALUE NUMERIC 1
NAME "Trusted Sites" VALUE NUMERIC 2
NAME "Internet" VALUE NUMERIC 3
NAME "Restricted Sites" VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY

END CATEGORY


Leigh Haynes
Computing Services
University of Lincoln