Nov 25 2018

When the policy “Default Associations Configuration File” is defined with an XML definition file, users are still able to use the “Open with…” command in the context menu and set their own file type association (FTA). This is by design. One solution to enforce the FTA at logon is to use the “SetUserFTA” software from Christoph Kolbicz’s Blog. Another way is to detect and remove user-defined file type associations in the registry via a script. The registry key is locked down with a “Deny” access control entry set for everyone, including the Administrators. The following script removes the “Deny” access control entry and then deletes the user-defined file type association. This script runs at logon and at logoff and has been tested successfully.

# REMOVE HKCU File Type Association
# in addition to OEMDefaultAssociation.xml

# Rebuild the DACL of an HKCU subkey without its "Deny" entries
Function RegACL-Reset
{
    param([string]$hsubkey)
    $hkey = 2147483649   # HKEY_CURRENT_USER (0x80000001)
    $reg = [wmiclass]"root\default:StdRegProv"
    $ace = $reg.GetSecurityDescriptor($hkey,$hsubkey).Descriptor.DACL
    $reg.psbase.Scope.Options.EnablePrivileges = $true
    $sd = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
    $sd.ControlFlags = 0x0004   # SE_DACL_PRESENT
    for($i=0;$i -lt $ace.length;$i++)
    {
        # AceType 1 = access denied; keep every other entry
        if($ace[$i].AceType -ne 1)
        {
            $sd.DACL += $ace[$i]
        }
    }
    # Write the filtered security descriptor back to the key
    $reg.SetSecurityDescriptor($hkey,$hsubkey,$sd) | Out-Null
}

# .XML - Remove user defined .XML file type association
$testreg = Test-Path -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml"
if ($testreg -eq $true)
{
    RegACL-Reset -hsubkey "Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice"
    Remove-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml" -Force -Recurse
}
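
Before removing anything, it helps to see which extensions actually carry a user-defined association and a “Deny” entry. The following read-only audit is an added example, not part of the original script: the function name Get-UserChoiceOverride and the sample extension list are hypothetical, and it assumes the association is stored in the ProgId value of the UserChoice key.

```powershell
# Added example: read-only audit of per-user file type associations.
# Nothing is modified; the function only reports what it finds in HKCU.
function Get-UserChoiceOverride {
    param(
        # Constructed sample list; use the extensions managed by your XML file.
        [string[]]$Extensions = @('.xml', '.pdf', '.txt')
    )
    $base   = 'Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
    # ReadKey includes the right to read the key's permissions.
    $rights = [System.Security.AccessControl.RegistryRights]::ReadKey
    $check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree
    $sid    = [System.Security.Principal.SecurityIdentifier]

    foreach ($ext in $Extensions) {
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
            "$base\$ext\UserChoice", $check, $rights)
        if ($null -eq $key) { continue }   # no user-defined association
        try {
            # Explicit and inherited rules, identities returned as SIDs so
            # an unresolvable account never aborts the audit.
            $deny = $key.GetAccessControl().GetAccessRules($true, $true, $sid) |
                Where-Object { $_.AccessControlType -eq 'Deny' }
            [pscustomobject]@{
                Extension = $ext
                ProgId    = $key.GetValue('ProgId')
                DenyAces  = @($deny | ForEach-Object {
                    "$($_.IdentityReference): $($_.RegistryRights)" })
            }
        }
        finally { $key.Close() }
    }
}

Get-UserChoiceOverride | Format-List
```

Running it in the user's session at logon and logging the output shows which associations the cleanup script would reset.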
