Occasionally we get security reports that go something like this:
Install the ContosoScript scripting language interpreter. It uses the file extension .contososcript. Write a script that does ⟦ something malicious ⟧ and put it on a Web site so it can be downloaded. Download the script to your Downloads folder, and then run it by double-clicking it from Explorer.
Notice that no warning appears. The ContosoScript interpreter runs the malicious script which ⟦ something malicious ⟧.
There are other variations of this report, like putting the malicious script on a malicious file share, but they all boil down to “Nobody stopped me from running this malicious script!”
Windows takes several things into consideration when deciding whether a file with a non-local source requires an extra warning before opening. The relevant one here is whether the file extension is considered “dangerous to use with untrusted files.”
Identifying these dangerous extensions is done by the function AssocIsDangerous(), and it consults a hard-coded list of known dangerous extensions (like .bat and .reg) as well as checking whether the file type reports itself as dangerous.
The documentation for registering file types calls out that “a ProgID subkey should include the following elements”, and one of them is the EditFlags registry value, which lets the file type report various attributes about itself. Among those flags is FTA_AlwaysUnsafe, which is documented as
Prevents the Never ask me check box from being enabled. Use of this flag means FTA_OpenIsSafe is not respected and AssocIsDangerous always returns TRUE.
If your file type can execute code, you should always use this flag or ensure that the file type handlers mitigate risks, for example, by producing warning prompts before running the code.
If your file type has the ability to execute code when opened (for example, if it is a scripting language interpreter), then set the FTA_AlwaysUnsafe flag in your type registration to indicate that it is “unsafe at any speed.”
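What that registration looks like in practice, as an added example that is not part of the original post: the PowerShell below registers a made-up .contososcript extension and ContosoScript.File ProgID under HKCU\Software\Classes with EditFlags carrying FTA_AlwaysUnsafe, and then provides two defender-side checks, one that reports whether a given ProgID has the flag and one that audits the machine-wide classes hive for types that do. The flag values are the public ones from shlwapi.h; the extension, ProgID and interpreter path are placeholders, not anything ContosoScript (a fictional product) actually ships.

```powershell
# Added example, not from the original post. Flag values are from shlwapi.h;
# the extension, ProgID and interpreter path are made-up placeholders.
$FTA_OpenIsSafe   = 0x00010000
$FTA_AlwaysUnsafe = 0x00020000

function Register-UnsafeFileType {
    # Register an extension -> ProgID mapping for the current user and mark the
    # ProgID FTA_AlwaysUnsafe so AssocIsDangerous() returns TRUE for it.
    param(
        [Parameter(Mandatory)][string]$Extension,    # e.g. '.contososcript'
        [Parameter(Mandatory)][string]$ProgId,       # e.g. 'ContosoScript.File'
        [Parameter(Mandatory)][string]$OpenCommand   # e.g. '"C:\Placeholder\contososcript.exe" "%1"'
    )
    $classes = 'HKCU:\Software\Classes'

    # Extension subkey whose default value names the ProgID.
    New-Item -Path "$classes\$Extension" -Force | Out-Null
    Set-ItemProperty -Path "$classes\$Extension" -Name '(default)' -Value $ProgId

    # ProgID subkey: friendly name, EditFlags with FTA_AlwaysUnsafe, open verb.
    $progKey = "$classes\$ProgId"
    New-Item -Path $progKey -Force | Out-Null
    Set-ItemProperty -Path $progKey -Name '(default)' -Value 'ContosoScript Script (placeholder)'
    New-ItemProperty -Path $progKey -Name 'EditFlags' -PropertyType DWord `
        -Value $FTA_AlwaysUnsafe -Force | Out-Null
    New-Item -Path "$progKey\shell\open\command" -Force | Out-Null
    Set-ItemProperty -Path "$progKey\shell\open\command" -Name '(default)' -Value $OpenCommand
}

function ConvertTo-EditFlagsValue {
    # EditFlags is usually REG_DWORD but some registrations store REG_BINARY;
    # normalise both to an unsigned integer (0 when absent or malformed).
    param($Raw)
    if ($null -eq $Raw) { return [uint32]0 }
    if ($Raw -is [byte[]]) {
        if ($Raw.Length -lt 4) { return [uint32]0 }
        return [BitConverter]::ToUInt32($Raw, 0)
    }
    return [uint32]$Raw
}

function Test-ProgIdAlwaysUnsafe {
    # True when the ProgID (per-user first, then machine-wide) sets FTA_AlwaysUnsafe.
    # False also covers "no EditFlags at all", in which case the type is only
    # treated as dangerous if its extension is on the hard-coded list.
    param([Parameter(Mandatory)][string]$ProgId)
    foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $key = Get-ItemProperty -Path "$hive\$ProgId" -ErrorAction SilentlyContinue
        if ($null -ne $key) {
            $flags = ConvertTo-EditFlagsValue $key.EditFlags
            return (($flags -band $FTA_AlwaysUnsafe) -ne 0)
        }
    }
    return $false
}

function Get-AlwaysUnsafeProgIds {
    # Audit helper: list machine-wide ProgIDs that declare FTA_AlwaysUnsafe,
    # together with whether they also (pointlessly) set FTA_OpenIsSafe.
    Get-ChildItem -Path 'HKLM:\Software\Classes' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $flags = ConvertTo-EditFlagsValue $props.EditFlags
            if (($flags -band $FTA_AlwaysUnsafe) -ne 0) {
                [pscustomobject]@{
                    ProgId     = $_.PSChildName
                    EditFlags  = ('0x{0:X8}' -f $flags)
                    OpenIsSafe = (($flags -band $FTA_OpenIsSafe) -ne 0)
                }
            }
        }
}

# Usage (placeholder interpreter path; registration is per-user, so no elevation needed):
Register-UnsafeFileType -Extension '.contososcript' -ProgId 'ContosoScript.File' `
    -OpenCommand '"C:\Placeholder\contososcript.exe" "%1"'
Test-ProgIdAlwaysUnsafe -ProgId 'ContosoScript.File'   # expected: True
Get-AlwaysUnsafeProgIds | Format-Table -AutoSize
```

The audit function is the part worth keeping around: a scripting host that registers an extension without EditFlags, or with FTA_OpenIsSafe alone, is exactly the situation the reports above describe, and comparing the list of installed interpreters against the output of Get-AlwaysUnsafeProgIds is a quick way to spot the gap before someone files it as a bug.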
If your file type is registered via a manifest, you can set this flag by specifying the AlwaysUnsafe attribute in your uap:EditFlags element.