IE的Killbit 技术详解

IE的Killbit 技术详解


介绍如何禁止 ActiveX 控件在 Microsoft Internet Explorer 和 Windows Internet Explorer 中运行。通过修改 ActiveX 控件类标识符 (CLSID) 的兼容性标志 DWORD 数据值，可以实现此目的。

注意：对于基于 Microsoft Windows XP 和基于 Windows Server 2003 的计算机，管理员可以使用软件限制策略来禁止 ActiveX 控件在 Active Directory 域环境计算机上的任何程序中运行。有关软件限制策略的更多信息，请访问下面的 Microsoft 网站：


这篇文章中的信息适用于:

    * Microsoft Internet Explorer 5.01 Service Pack 2
    * Microsoft Internet Explorer 5.01 Service Pack 3
    * Microsoft Internet Explorer 5.01 SP4
    * Microsoft Internet Explorer 5.5
    * Microsoft Internet Explorer 6.0
    * Microsoft Internet Explorer 6.0 Service Pack 1
    * Windows Internet Explorer 7 for Windows Server 2003 IA64
    * Windows Internet Explorer 7 for Windows XP
    * Windows Internet Explorer 7 for Windows Server 2003



Killbit 是IE用来禁止ActiveX 运行的技术， 其表现上是一个注册表设置，在


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID>


Compatability=值


这个Compatability是一个REG_DWORD类型的bitmask，每一个bit 都有一定的含义，具体请见下表

OMPAT Enumerated Type

The following flags determine the behavior of registered Microsoft ActiveX controls.
以下标志决定了已注册的微软ActiveX 控件的行为。

Syntax
        typedef enum {
        COMPAT_AGGREGATE = 0x00000001,
        COMPAT_NO_OBJECTSAFETY = 0x00000002,
        COMPAT_NO_PROPNOTIFYSINK = 0x00000004,
        COMPAT_SEND_SHOW = 0x00000008,
        COMPAT_SEND_HIDE = 0x00000010,
        COMPAT_ALWAYS_INPLACEACTIVATE = 0x00000020,
        COMPAT_NO_SETEXTENT = 0x00000040,
        COMPAT_NO_UIACTIVATE = 0x00000080,
        COMPAT_NO_QUICKACTIVATE = 0x00000100,
        COMPAT_NO_BINDF_OFFLINEOPERATION = 0x00000200,
        COMPAT_EVIL_DONT_LOAD = 0x00000400,
        COMPAT_PROGSINK_UNTIL_ACTIVATED = 0x00000800,
        COMPAT_USE_PROPBAG_AND_STREAM = 0x00001000,
        COMPAT_DISABLEWINDOWLESS = 0x00002000,
        COMPAT_SETWINDOWRGN = 0x00004000,
        COMPAT_PRINTPLUGINSITE = 0x00008000,
        COMPAT_INPLACEACTIVATEEVENWHENINVISIBLE = 0x00010000,
        COMPAT_NEVERFOCUSSABLE = 0x00020000,
        COMPAT_ALWAYSDEFERSETWINDOWRGN = 0x00040000,
        COMPAT_INPLACEACTIVATESYNCHRONOUSLY = 0x00080000,
        COMPAT_NEEDSZEROBASEDDRAWRECT = 0x00100000,
        COMPAT_HWNDPRIVATE = 0x00200000,
        COMPAT_SECURITYCHECKONREDIRECT = 0x00400000,
        COMPAT_SAFEFOR_LOADING = 0x00800000
    } COMPAT;

Constants
常量

    COMPAT_AGGREGATE

        This control is aggregated.
        该控件是一个集合。

    COMPAT_NO_OBJECTSAFETY

        This control is not safe for scripting, even if it implements IObjectSafety.
        该控件对于脚本是不安全的，尽管其实现了IObjectSafety接口。

    COMPAT_NO_PROPNOTIFYSINK

        A property notify sink is not attached to this control.
        不隶属于该控件的属性通知接收器。

    COMPAT_SEND_SHOW

        For this control, IOleObject : : DoVerb is called with OLEIVERB_SHOW before IOleObject : : DoVerb is called with OLEIVERB_INPLACEACTIVATE.
        对于该控件，在使用OLEIVERB_INPLACEACTIVATE调用IOleObject : : DoVerb之前，用OLEIVERB_SHOW调用IOleObject : : DoVerb。

    COMPAT_SEND_HIDE

        For this control, IOleObject : : DoVerb is called with OLEIVERB_HIDE before IOleInPlaceObject :  : InPlaceDeactivate is called.
        对于该控件，在调用IOleInPlaceObject : : InPlaceDeactivate之前使用 OLEIVERB_HIDE调用IOleObject : : DoVerb。

    COMPAT_ALWAYS_INPLACEACTIVATE

        For this control, IOleObject : : DoVerb is called with OLEIVERB_INPLACEACTIVATE.
        对于该控件，使用OLEIVERB_INPLACEACTIVATE调用IOleObject : : DoVerb。

    COMPAT_NO_SETEXTENT

        The amount of space required by this control's container is not specified.
        未指定该控件容积所需空间数量。

    COMPAT_NO_UIACTIVATE

        This control cannot activate the user interface (UI) elements of the current document host.
        该控件不能激活当前文档宿主的用户界面元素。

    COMPAT_NO_QUICKACTIVATE

        This control does not implement IQuickActivate or should not be activated quickly.
        该控件没有实现IQuickActivate接口，或者不应被立即激活。

    COMPAT_NO_BINDF_OFFLINEOPERATION

        A cached version of this control is never used.
        该控件的隐藏版本从未被使用。

    COMPAT_EVIL_DONT_LOAD

        This control is never used.
        该控件从未被使用。

    COMPAT_PROGSINK_UNTIL_ACTIVATED

        This control cannot be used for scripting until in-place activation is complete.
        该控件在就地激活后方可用于脚本。

    COMPAT_USE_PROPBAG_AND_STREAM

        Both IPersistPropertyBag : : Load and IPersistStreamInit : : Load are called when using this control .
        使用该控件时，同时调用PersistPropertyBag : : Load 和IPersistStreamInit : : Load。

    COMPAT_DISABLEWINDOWLESS

        This control cannot be in-place activated without a window.
        该控件在没有窗口的情况下无法就地激活。

    COMPAT_SETWINDOWRGN
        
        This control cannot have UI outside of the window.
        该控件没有超出窗口范围的用户界面。

    COMPAT_PRINTPLUGINSITE

        This control has printing capabilities that should be used instead of those provided by Windows Internet Explorer.
        该控件用以代替Windows IE提供的打印功能。

    COMPAT_INPLACEACTIVATEEVENWHENINVISIBLE

        This control is in-place activated whether or not it is visible.
        无论其是否可见，该控件立即被激活。

    COMPAT_NEVERFOCUSSABLE

        This control can never receive focus.
        该控件从不获取焦点。

    COMPAT_ALWAYSDEFERSETWINDOWRGN

        This control is allowed to have, at most, one pending resize request.
        允许该控件至多有一个挂起的调整大小的请求。

    COMPAT_INPLACEACTIVATESYNCHRONOUSLY

        This control is in-place activated syncronously.
        该控件被同步激活。

    COMPAT_NEEDSZEROBASEDDRAWRECT

        This control is positioned in the upper-left corner of the host window.
        该控件被置于主窗口的左上角位置。

    COMPAT_HWNDPRIVATE

        This control does not provide access to its window handle.
        该控件不提供对其窗口句柄的访问。

    COMPAT_SECURITYCHECKONREDIRECT

        This control is prevented from accessing content from another domain when redirected by the original server.
        当原服务端重定向时，阻止该控件访问来自于另一个域的内容。

    COMPAT_SAFEFOR_LOADING

        Internet Explorer 7 and later. In the Internet zone, Internet Explorer checks every control for IObjectSafety to determine safety status quickly and abort instantiation as soon as possible. If a particular control doesn't implement IObjectSafety or component categories yet still needs to be instantiated in Internet Explorer without data or scripting, this compatibility flag can be used to disable the frontloaded safety check and revert back to Microsoft Internet Explorer 6 behavior. See Safe Initialization and Scripting for ActiveX Controls.
        IE7及更高版本。在互联网区域，IE为IObjectSafety核查每一个控件以快速判断安全状态并尽快中止实例化。如果某一个特殊的控件不能实现IObjectSafety接口或者在无数据或者叫本的IE中组件类别仍需要进行实例化，那么这个兼容性标志可用来禁用先前加载的安全核查并恢复至MicrosoftIE6行为。查看对于ActiveX控件的安全初始化及脚本。

Remarks
备注

    These enumeration members are bit masks that determine how ActiveX controls are used in Internet Explorer. Values are stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility .

   这些枚举常量是决定ActiveX控件如何被应用于IE中的二进制掩码。值存储于以下注册表位置，HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility。

Enumerated Type Information
枚举类型信息

    Minimum availability        Internet Explorer 4.0
    最低可用性
    Minimum operating systems        Windows NT 4.0, Windows 95
    最低版本操作系统


当0x400 那bit被设置的时候，该ActiveX 就会被IE彻底屏蔽。 我们把这个bit 称之为kill bit， 于是就有了killbit 这个技术名称


例子：比如你想屏蔽一个GUID为{ABCDEF12-ABCD-ABCD-ABCD-ABCDEF123456} 的activex 控件，可以设置注册表：


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ABCDEF12-ABCD-ABCD-ABCD-ABCDEF123456}


Compatability=400  

（以上400是16进制，10进制就设成1024）