How do I prevent users from opening TIF files?


A customer had a question about their Windows XP installations. (This question was from several years ago, so the fine details aren't really relevant any more, but I'm actually telling this story for a commentary opportunity.)

The customer wanted to disable all file associations for TIFF files. Their first attempt was by deleting HKEY_CLASSES_ROOT\.tif and HKEY_CLASSES_ROOT\.tiff. This successfully renders TIFF files with a generic document icon, but when the user double-clicks the file, the registration is re-established and Windows Picture and Fax Viewer opens the file.

The company had some strange company security policy that says that TIFF files should not have any file association. I don't know the rationale behind it, but they did say that they only needed to block the default file association. If the user explicitly creates a new association via the Open With dialog, then that is not covered by the policy.

Deleting the registrations doesn't work because Windows XP has an autorepair feature for certain commonly-corrupted file associations, and TIFF is one of them. If the TIFF registration is corrupted and the user is a member of the Administrators group, then Windows XP will restore the default association. (If the user is not a member of the Administrators group, then the usual "Windows cannot open this file" dialog box appears.)

Therefore, the solution to the customer's odd problem is not to delete the TIFF registrations (which causes them to be detected as corrupted) but rather to simply set a new default handler for TIFF files that merely displays a message to the user. If you're willing to use the Windows Script Host, then it's a one-line program:

WScript.Echo("TIFF file associations are disabled.")

If you have been reading carefully, you have already noticed a serious problem with the customer's configuration: The fact that they are seeing the TIFF autorepair code kicking in means that they are letting their employees run with Administrator privileges, which means that their so-called "security requirement" is like worrying about employees being able to sneak into the building through a ventilation grating, when you give everybody a key to the front door.

Comments (30)
  1. SimonRev says:

    Am I the only one wondering what did the poor tiff filed do to the customer so that they didn't want people to (easily) view them?

  2. Dan Bugglin says:

    Probably scared due to an exploit in some application they were using that associated with TIFFs.

    Yeah this is a case where it would be nice to know what the customer's ACTUAL problem is before deciding on a solution.

  3. Anonymous says:

    Maybe a security problem with the viewer, maybe the extension was another one and they didn't want to explain.

  4. Anonymous says:

    I do love "lock the windows but not the doors" security measures.

  5. Anonymous says:

    The real problem here is a separation between creation of company policy and its implementation.

    Those who created the policy didn't understand its consequences.

    Those who implemented the policy didn't understand its purpose.

  6. Anonymous says:

    Perhaps the employee analogy is quite apt. There are plenty of reasons I wouldn't want employees (even trusted ones) from sneaking around in ventilation shafts, but few reasons I wouldn't want them all to have a key to the front door.

  7. Anonymous says:

    Maybe they saved their Highly Confidential documents as tiff and the not so confidential ones as bmp or jpeg, so they had to make sure that only qualified employees could see the tiffs :) Security by obscurity.

  8. Anonymous says:

    Well, maybe it's not really a security requirement, since policy allows them to set their own associations; maybe it's just a handy reminder to think about what they're doing when they do so.  It's a speedbump at the entrance to the carpark so people slow down and don't dent anyone else's car, not a lock on the front door.

  9. Anonymous says:

    I suppose that you could break Windows' auto-repair by explicitly putting deny-all write permissions on the registration keys, but I don't see any good coming from that method. Tinkering with system internals is rarely a good thing.

    It's a pretty silly restriction anyways, because most image viewers don't care about the file extension (try renaming a JPEG to .BMP and it will probably open just fine!)

  10. Anonymous says:

    worrying about employees being able to sneak into the building through a ventilation grating, when you give everybody a key to the front door.

    All security policies at companies and organisations I've worked for were like that I'm afraid. Not to mention the fact that in two independent instances the user password was [ company name + same suffix ] for all users and couldn't be changed due to self-contradictory password policies. Yes, my account was a developer account that had more access than the regular admin accounts.

  11. Anonymous says:

    @ErikF: "I suppose that you could break Windows' auto-repair by explicitly putting deny-all write permissions on the registration keys […]"

    No, because then the autorepair feature for the registry kicks in and resets those permissions.

    Well, not really, but you can see how this could be escalated.

    I'm a little surprised I'm the first one to ask this question: why did people feel the need for an autorepair feature for associations in the first place, and why was .TIFF included in the list? I'm guessing users aren't expected to delete these associations by accident, so perhaps broken programs did so. I smell a good story.

  12. Anonymous says:

    @JM, it's quite common to install a program that handles extensions that another installed program already handles, so the new program might take over images or web pages from the program that previously handled them.  Usually(?) it will prompt before doing so, though this may have been less common formerly.  If you then uninstall the new program, has it kept a record of the original file associations?  If not, it will presumably either delete them or (worse perhaps) leave them associated with a now-uninstalled program.

  13. Anonymous says:

    why did people feel the need for an autorepair feature for associations in the first place, and why was .TIFF included in the list? I

    Because there are so many ill-mannered applications out there – association destruction is not uncommon.

    The usual offenders are 'media' viewers, each one of which thinks it is gods own answer to life, the universe, and everything.  Or at least everything containing image, audio, or movie content.

  14. The usual offenders are 'media' viewers, each one of which thinks it is gods own answer to life, the universe, and everything.  Or at least everything containing image, audio, or movie content.

    "Wow! If I pass an image file to DirectShow, it will render its content to the display surface! Let's associate by default the BMP, GIF, JPG, PNG and TIF extensions to our Super Amazing Hyper Media Player, and pretend it is a picture viewer! It doesn't matter that it takes 20 seconds and 500 MB of RAM to launch – the user will be amazed!" Yes, s/he will be, definitely. But not in a good way :-( .

    And then, people wonder how my Atom netbook boots in 28 seconds while their amazing quad core i7 desktop boots in a little over four minutes…

  15. @dave: It's not always entirely the apps fault. If they obligingly saved the user's previous associations and the user then goes and uninstalls that old app (because their new picture viewer is teh awesome!) then restoring them on uninstall isn't any better tham never backing them up in the first place. The whole process of managing what installed apps can and can't open certain file types and what they default to on uninstall is something better left to the OS. Thankfully Windows 8 seems to be doing more to ensure this.

  16. chentiangemalc says:

    Raymond have you ever considered what drives IT admins to lock windows but not doors. Baffles me, but see this practice all the time. I.e. "I'll block explorer to show C:, disable task manager, disallow CMD line access, disable regedit, and add you into local Administrators group." ?!?!?

  17. We need to do something about the TIF vulnerability.

    Sabotaging the association is something.

    Therefore, we need to sabotage the association.

  18. Anonymous says:

    Can't IT create and install auto-run SYSTEM service that constantly monitors the relevent registry keys and deletes them whenever they re-appear. Duh.

  19. hacksoncode says:

    I have a sneaking suspicion I know why they would want to disable viewing of TIFF files… once upon a time, TIFF was the only format in which patent images were available. Lots of companies have default policies against employees reading patents unless they *really* need to.

    Either that or someone implemented a static Snow Crash virus and was faxing it with automatic forwarding to people's email.

  20. Wisefaq says:

    Natively, Windows XP did not support viewing of TIF files, as Kodak Imaging for Windows was not included in WinXP. (kb308979).  I know this as it was a one of the major issues that was preventing a 20,000+ WinXP deployment for one of my customers.

    My customer had a corporate accounting package which stored scanned (from paper copy) invoices.  The customer could view the invoice by pressing a button, and Kodak Imaging would load.  The invoices  were stored in TIF format.

    "Worked with Windows 2000, but not in WinXP!  You can't deploy WinXP until you fix it."

    Our Microsoft Technical Account Manager helped us out by providing us with something called 'Windows XP Professional Direct CD Imaging Control'.  It worked a treat.

  21. cheong00 says:

    @Wisefaq: Once upon a time, I worked for some company as inhouse developer. The accountant need a program that requires Kodak Imaging automation to work, but have a new WinXP PC installed about 1 month ago. In the end, I found the old Win2000 installation disk, found the INF file and the files listed in the INF and copied to the accountant's machine, right click the INF and install. It fixes her problem.

  22. Anonymous says:

    It makes you wonder whether file associations should be stored in a stack. Say the following happens:

    (1) Program 'A' associates with BMP. BMP association stack = {A}.

    (2) Program 'B' steals that file association. Stack now = {A,B}.

    (3) Program 'C' steals it! Stack = {A,B,C}.

    (4) Program 'B' is uninstalled. 'B's uninstaller removes all of 'B's entries in all file association stacks. BMP stack now = {A,C}.

    (5) Program 'C' is uninstalled. 'C's uninstaller removes all of 'C's entries in all file association stacks. BMP stack now = {A}.

    Voila! Despite the out of order uninstalls, BMP's have now correctly reverted to opening in the last still-present program that associated with them.

    Yes? No?

  23. Anonymous says:

    Surprised nobody's mentioned this, instead of assuming some terrible kind of anti-security to protect poorly protected files. Maybe the company used some other program that saved its files as .TIF (e.g. "Truetech Information Files") and people without the app installed (because of licensing issues) were opening them with the default .TIF viewer and corrupting the files? Seems more likely.

    As for why IT would want to stop people sneaking in through ventilation shafts when everyone has a front door key – sometimes auditing access is critical, even when everyone has access.

  24. cheong00 says:

    @Wisefaq: I don't think that'd be any legal issue as long as you have license sticker of Win2000 on that box. As the press release of removal of Kodak Imaging said, you're allowed to continue using it if you upgrade it from Win2000, I think as long as you fulfilled the licensing condition of a Win2000 to WinXP upgrade, there shouldn't be problem.

  25. Anonymous says:

    @Wisefaq XP uses the Windows Picture and Fax viewer (faxes being the primary source of .TIF files in my experience).

    I've not seen the auto-repair feature in action, instead I get a semi-automatic repair. I have to right-click the .TIF file and choose Properties (not so easy when the .TIF file is an attachment in a fax-to-email message) and then where it says "Opens With: Unknown [Change]" I click Change and then the repair kicks in – so I can actually cancel the change, so to speak.

  26. Wisefaq says:

    @cheong00

    Being well aware we could *technically* do that, we were not licensed to do so.  Which we confirmed with Microsoft at the time.  And it was a solution which wouldn't scale either.

    ie. the "new" owner of Kodak Imaging at that time (eiStream), probably wouldn't have cared if we did what you suggested  for 1 desktop, but for 20,000 desktops, my customer and I would have been a good target for ligation over license violations.

  27. Anonymous says:

    The simplest solution is to fix the stupid company security policy. But to some people it is obviously more preferable to let thousands suffer than to admit a mistake.

  28. Anonymous says:

    I think it's safe to say the people who implement the policy don't care and think it's stupid to do it too, but if it's coming from higherup you just follow orders, so you implement it, no matter how stupid it is..

  29. Anonymous says:

    Maybe the customer was using Small Business server 2003, you know, the Microsoft product that requires all users to be administrators on their own machines?

    [Wait, you're saying that the customer set up each employee to log into the central server for normal day-to-day activities? I think I found the problem. -Raymond]
  30. @wisefaq:  What exactly was "Windows XP Professional Direct CD Imaging Control"?  I searched Google and all I could find is your blog…

Comments are closed.