How do I prevent users from opening TIF files?

Raymond Chen

A customer had a question about their Windows XP installations. (This question was from several years ago, so the fine details aren’t really relevant any more, but I’m actually telling this story for a commentary opportunity.)

The customer wanted to disable all file associations for TIFF files. Their first attempt was by deleting HKEY_CLASSES_ROOT\.tif and HKEY_CLASSES_ROOT\.tiff. This successfully renders TIFF files with a generic document icon, but when the user double-clicks the file, the registration is re-established and Windows Picture and Fax Viewer opens the file.

The company had some strange company security policy that says that TIFF files should not have any file association. I don’t know the rationale behind it, but they did say that they only needed to block the default file association. If the user explicitly creates a new association via the Open With dialog, then that is not covered by the policy.

Deleting the registrations doesn’t work because Windows XP has an autorepair feature for certain commonly-corrupted file associations, and TIFF is one of them. If the TIFF registration is corrupted and the user is a member of the Administrators group, then Windows XP will restore the default association. (If the user is not a member of the Administrators group, then the usual “Windows cannot open this file” dialog box appears.)

Therefore, the solution to the customer’s odd problem is not to delete the TIFF registrations (which causes them to be detected as corrupted) but rather to simply set a new default handler for TIFF files that merely displays a message to the user. If you’re willing to use the Windows Script Host, then it’s a one-line program:

WScript.Echo("TIFF file associations are disabled.")

If you have been reading carefully, you have already noticed a serious problem with the customer’s configuration: The fact that they are seeing the TIFF autorepair code kicking in means that they are letting their employees run with Administrator privileges, which means that their so-called “security requirement” is like worrying about employees being able to sneak into the building through a ventilation grating, when you give everybody a key to the front door.


Discussion is closed.

Feedback usabilla icon