Browsium

Browsium Blog

Let’s Get Technical: Overriding Registry Keys with Ion, and Killbits Too

Posted by: Browsium

One of the many powerful features in Ion is our Custom Registry Manager, which allows you to override any key in the registry with new values, but only for the web applications that need those custom settings.

We can isolate custom registry keys to a specific Ion Profile, meaning that you can use Ion to customize the registry environment for your web applications while preventing those settings from affecting other applications, Windows, or Internet Explorer in general.

By default, Ion Profiles load all the same settings from the registry as the host IE8/IE9 browser. That is typically what you want, but through Ion you can change that behavior when required. Any setting that is controlled through the registry can be managed this way, including proxy settings, security settings and ActiveX behavior. If there’s a registry key for it, we can override it with a new value.

Once again, this means you can maximize the compatibility of your browser environment while retaining a high level of security.

One way this is useful is to override ActiveX killbits. Make no mistake: this is advanced stuff and not recommended for any customer who doesn’t thoroughly understand the implications of reviving a control that’s been killed by Microsoft, but it is possible and can be done (through Ion) in a way that’s more isolated than otherwise.

First, some background: Killbits are a way for Microsoft to mark poorly-behaved and insecure ActiveX controls as persona non grata to the browser. If a control has shown that it has serious security flaws that cannot be easily fixed, Microsoft prevents that control from loading by setting a key in the registry. The registry setting that does this is called a “killbit.” Internet Explorer will simply refuse to load any control marked that way. You can begin your reading on Internet Explorer killbits with this article. Microsoft will occasionally kill third-party ActiveX controls, but only when the third-party vendor is in agreement with the decision.
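Before deciding whether any override is acceptable, it helps to know which controls are actually blocked on a machine. The following added example (not Browsium's or Microsoft's code) reads a registry export and lists the controls from a baseline whose killbit is missing or cleared. The key path and the 0x00000400 flag value come from Microsoft's killbit documentation rather than this post, and the CLSIDs and function names are constructed placeholders.

```python
import re

KILLBIT = 0x00000400  # bit in "Compatibility Flags" that makes IE refuse to load the control

# Constructed sample in .reg export format; the CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000C3}]
"Compatibility Flags"=dword:00800400
"""

KEY_RE = re.compile(r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_flags(export_text):
    """Map each CLSID under ActiveX Compatibility to its Compatibility Flags value."""
    flags, clsid = {}, None
    for line in (raw.strip() for raw in export_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            clsid = key.group(1).upper()
            flags.setdefault(clsid, 0)      # key exists; no flags value seen yet
        elif line.startswith("["):
            clsid = None                    # unrelated key: ignore its values
        elif clsid and (value := FLAGS_RE.match(line)):
            flags[clsid] = int(value.group(1), 16)
    return flags

def not_blocked(export_text, must_be_killed):
    """Return the CLSIDs from must_be_killed whose killbit is missing or cleared."""
    flags = parse_flags(export_text)
    wanted = {clsid.upper() for clsid in must_be_killed}
    return sorted(c for c in wanted if not (flags.get(c, 0) & KILLBIT))

if __name__ == "__main__":
    baseline = ["{00000000-0000-0000-0000-0000000000A1}",
                "{00000000-0000-0000-0000-0000000000B2}",
                "{00000000-0000-0000-0000-0000000000C3}",
                "{00000000-0000-0000-0000-0000000000E5}"]   # E5 is absent from the export
    for clsid in not_blocked(SAMPLE_EXPORT, baseline):
        print("killbit not set:", clsid)
```

Real exports are usually UTF-16 encoded, so decode the file accordingly before passing its text in. The check covers the host registry only.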

We do not recommend overriding killbits without fully understanding why the specific control was shut down in the first place. In most cases, Microsoft recommends re-writing your application to use a newer ActiveX control instead (and in those cases, you may want to use our “String Replacement Manager” feature as an alternative). When this is not possible, and the security risk and compatibility impact of the ActiveX control is fully understood, you can use Ion to allow a given ActiveX control to run, but only for the specific Ion Profile in question. Please note that in some cases, the security flaw of an ActiveX control may be so egregious that even allowing it to run for one specific website may not be an acceptable solution from a security point of view, so consider this option carefully.

To help those of you who’d like to tweak the registry for application compatibility, I’ve posted two new KB articles to our support site. The first, “Setting a custom registry value with Ion,” goes into detail about how the feature works in general and what syntax is required in the Ion Configuration Manager to successfully override any registry setting.

The second article, “Overriding an ActiveX killbit using Ion’s Custom Registry Manager,” goes into detail about what ActiveX killbits are and how to override them through Ion.

-Christopher
