none
new ActiveXObject("Scripting.FileSystemObject") failing in IE8

    Question

  • I have enabled every possible scripting, ActiveX, and unsigned content setting possible in IE8.  I have run regsvr32 scrrun.dll.  A nag bar annoys me from the top of the IE8 window that my security settings have put my computer at risk.  Still, when I attempt to execute one line of code (which ran no problem in IE7) to export an XML file to the local disk, IE8 prohibits this, stating "Error on page" and when I open the error details, it tells me "Automation server can't create object".  How can I get IE8 to allow this behavior?


    Error details:
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Timestamp: Wed, 30 Dec 2009 13:46:30 UTC


    Message: Automation server can't create object
    Line: 1032
    Char: 2
    Code: 0
    URI: http://localhost:7001/cis/dictation/AnyModalCaptureCtrl.js


    Wednesday, December 30, 2009 1:48 PM

Answers

  • There is no killbit for the FileSystemObject on Vista x64, the following key is missing completely:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0D43FE01-F093-11CF-8940-00A0C9054228}

    It doesn't exist for the x32 bit version of IE, nor does it exist for the x64 version of IE.

    So why does the FileSystemObject work on WinXP SP3 IE6 without a hitch, yet nags us on Vista IE7 with the "unsafe activex control" message? Because it's not marked as safe. Allowing unsafe activex to run in the internet zone sux, so we make an exception just for this particular object.

    And how do we mark a control as safe? Well, here's the answer, thanx to MS:

    http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Implemented Categories]

    [HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

    [HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]


    Note, you may need to use a different key depending on your OS and Explorer version, the sample above is for Vista x64bit.

    I don't know about Win7/IE8, since I haven't installed either (yet).

    Changing the registry obviously only removes the nag for YOUR computer, so this is not intended for public websites, it's just for people who want to use activex to extend the capabilities of their own browser. You can call activex through bookmarklets, like this:

    javascript:(function(){var script=document.createElement('script'); script.src='http://Local.ptron/Surf+.js'; document.getElementsByTagName('HTML')[0].appendChild(script);})()

    The script points to a jscript/vbscript file on a local server, which then calls the acxtivex object.

    Here's another thing - Avoid using the file protocol in bookmarklets, IE7 doesn't like that (another security limitation, thanx MS!). Instead point IE to some local server, IIS or something

    • Marked as answer by Alexxandra Tuesday, January 26, 2010 3:27 PM
    Sunday, January 10, 2010 2:55 PM

All replies

  • It should fail in all current version of IE and Office because Microsoft blocked it with a killbit. Visit the microsoft.public.internetexplorer.security newsgroup for details about killbits.

    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful.
    Visual C++ MVP
    Wednesday, December 30, 2009 7:04 PM
  • Thank you for that information. 

    Is there any way to get around this, such as unsetting this bit in the registry?  Or, is there a new, preferable way to write text files to the local filesystem from IE8? 

    I read the article here: http://support.microsoft.com/default.aspx/kb/240797 but that did not help much as far as how to re-enable the Scripting.FileSystem activeX component...

    Thank you!
    Wednesday, December 30, 2009 7:34 PM
  • If you can somehow unsetting this kill bit from your web site, that would be a security breach. 
    The preferred way to write to local file system is file downloading that let the user know there is a file download and can choose where to save.  To automatic this process requires writing a browser extension such as ActiveX or BHO.


    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful.
    Visual C++ MVP
    Wednesday, December 30, 2009 8:29 PM
  • There is no killbit for the FileSystemObject on Vista x64, the following key is missing completely:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0D43FE01-F093-11CF-8940-00A0C9054228}

    It doesn't exist for the x32 bit version of IE, nor does it exist for the x64 version of IE.

    So why does the FileSystemObject work on WinXP SP3 IE6 without a hitch, yet nags us on Vista IE7 with the "unsafe activex control" message? Because it's not marked as safe. Allowing unsafe activex to run in the internet zone sux, so we make an exception just for this particular object.

    And how do we mark a control as safe? Well, here's the answer, thanx to MS:

    http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Implemented Categories]

    [HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

    [HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]


    Note, you may need to use a different key depending on your OS and Explorer version, the sample above is for Vista x64bit.

    I don't know about Win7/IE8, since I haven't installed either (yet).

    Changing the registry obviously only removes the nag for YOUR computer, so this is not intended for public websites, it's just for people who want to use activex to extend the capabilities of their own browser. You can call activex through bookmarklets, like this:

    javascript:(function(){var script=document.createElement('script'); script.src='http://Local.ptron/Surf+.js'; document.getElementsByTagName('HTML')[0].appendChild(script);})()

    The script points to a jscript/vbscript file on a local server, which then calls the acxtivex object.

    Here's another thing - Avoid using the file protocol in bookmarklets, IE7 doesn't like that (another security limitation, thanx MS!). Instead point IE to some local server, IIS or something

    • Marked as answer by Alexxandra Tuesday, January 26, 2010 3:27 PM
    Sunday, January 10, 2010 2:55 PM