Is it wrong to call SHFileOperation from a service?

Raymond Chen

A customer had a simple question: “Is it wrong to call SHFile­Operation from a service?”

I don’t know if I’d call it wrong, but I’d call it highly inadvisable.

• SHFile­Operation was designed for interactive operations, so you’re using it outside its original design parameters.
• Many shell extensions ignore “no UI” flags and put up UI anyway. As a result, your call to SHFile­Operation may end up getting stuck on unexpected UI. Now you have a service displaying UI, and that’s just asking for trouble.
• The shell for the most part does not expect to be called while impersonating. There are a few functions specifically designed for use while impersonating; those exceptions are called out explicitly in their respective documentation. SHFile­Operation is not one of those functions.
• Since SHFile­Operation uses the shell namespace, you are at risk of loading shell extensions into a service. Shell extensions typically are not written with the strict security requirements of a service in mind, and you may end up creating a security hole. Somebody could plant a desktop.ini into a directory your service operates on, and now your service has been tricked into loading a shell namespace extension. The bad guys are constantly searching for buggy shell extensions that they can use as an attack point. And if they can get into a service, well, then they just hit the jackpot!

Update: See Is it wrong to call SHFileOperation from a service? Revised.

Raymond Chen

Follow