#include "shellprv.h" #pragma hdrstop // this makes sure the DLL for the given clsid stays in memory // this is needed because we violate COM rules and hold apparment objects // across the lifetime of appartment threads. these objects really need // to be free threaded (we have always treated them as such) STDAPI_(HINSTANCE) SHPinDllOfCLSIDStr(LPCTSTR pszCLSID) { CLSID clsid; SHCLSIDFromString(pszCLSID, &clsid); return SHPinDllOfCLSID(&clsid); } // translate string form of CLSID into binary form STDAPI SHCLSIDFromString(LPCTSTR psz, CLSID *pclsid) { *pclsid = CLSID_NULL; if (psz == NULL) return NOERROR; return GUIDFromString(psz, pclsid) ? NOERROR : CO_E_CLASSSTRING; } BOOL _IsShellDll(LPCTSTR pszDllPath) { LPCTSTR pszDllName = PathFindFileName(pszDllPath); return lstrcmpi(pszDllName, TEXT("shell32.dll")) == 0; } HKEY g_hklmApprovedExt = (HKEY)-1; // not tested yet // On NT, we must check to ensure that this CLSID exists in // the list of approved CLSIDs that can be used in-process. // If not, we fail the creation with ERROR_ACCESS_DENIED. // We explicitly allow anything serviced by this DLL BOOL _IsShellExtApproved(LPCTSTR pszClass, LPCTSTR pszDllPath) { BOOL fIsApproved = TRUE; ASSERT(!_IsShellDll(pszDllPath)); #ifdef FULL_DEBUG if (TRUE) #else if (SHRestricted(REST_ENFORCESHELLEXTSECURITY)) #endif { if (g_hklmApprovedExt == (HKEY)-1) { g_hklmApprovedExt = NULL; RegOpenKey(HKEY_LOCAL_MACHINE, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved"), &g_hklmApprovedExt); } if (g_hklmApprovedExt) { fIsApproved = SHQueryValueEx(g_hklmApprovedExt, pszClass, 0, NULL, NULL, NULL) == ERROR_SUCCESS; if (!fIsApproved) { HKEY hk; if (RegOpenKey(HKEY_CURRENT_USER, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved"), &hk) == ERROR_SUCCESS) { fIsApproved = SHQueryValueEx(hk, pszClass, 0, NULL, NULL, NULL) == ERROR_SUCCESS; RegCloseKey(hk); } } } } #ifdef FULL_DEBUG if (!SHRestricted(REST_ENFORCESHELLEXTSECURITY) && !fIsApproved) { TraceMsg(TF_WARNING, "%s not approved; fortunately, shell security is disabled", pszClass); fIsApproved = TRUE; } #endif return fIsApproved; } STDAPI_(BOOL) IsGuimodeSetupRunning() { DWORD dwSystemSetupInProgress; DWORD dwMiniSetupInProgress; DWORD dwType; DWORD dwSize; dwSize = sizeof(dwSystemSetupInProgress); if ((SHGetValueW(HKEY_LOCAL_MACHINE, L"SYSTEM\\Setup", L"SystemSetupInProgress", &dwType, (LPVOID)&dwSystemSetupInProgress, &dwSize) == ERROR_SUCCESS) && (dwType == REG_DWORD) && (dwSystemSetupInProgress != 0)) { // starting w/ whistler on a syspreped machine the SystemSetupInProgress will be set EVEN AFTER guimode setup // has finished (needed for OOBE on the boot after guimode finishes). So, to distinguish the "first-boot" case // from the "guimode-setup" case we check the MiniSetupInProgress value as well. dwSize = sizeof(dwMiniSetupInProgress); if ((SHGetValueW(HKEY_LOCAL_MACHINE, L"SYSTEM\\Setup", L"MiniSetupInProgress", &dwType, (LPVOID)&dwMiniSetupInProgress, &dwSize) != ERROR_SUCCESS) || (dwType != REG_DWORD) || (dwMiniSetupInProgress == 0)) { return TRUE; } } return FALSE; } typedef HRESULT (__stdcall *PFNDLLGETCLASSOBJECT)(REFCLSID rclsid, REFIID riid, void **ppv); HRESULT _CreateFromDllGetClassObject(PFNDLLGETCLASSOBJECT pfn, const CLSID *pclsid, IUnknown *punkOuter, REFIID riid, void **ppv) { IClassFactory *pcf; HRESULT hr = pfn(pclsid, &IID_IClassFactory, &pcf); if (SUCCEEDED(hr)) { hr = pcf->lpVtbl->CreateInstance(pcf, punkOuter, riid, ppv); #ifdef DEBUG if (SUCCEEDED(hr)) { // confirm that OLE can create this object to // make sure our objects are really CoCreateable IUnknown *punk; HRESULT hrTemp = CoCreateInstance(pclsid, punkOuter, CLSCTX_INPROC_SERVER, riid, &punk); if (SUCCEEDED(hrTemp)) punk->lpVtbl->Release(punk); else { if (hrTemp == CO_E_NOTINITIALIZED) { // shell32.dll works without com being inited TraceMsg(TF_WARNING, "shell32 or friend object used without COM being initalized"); } // the RIPMSG below was hitting too often in out-of-memory cases where lame class factories return E_FAIL, E_NOTIMPL, and a bunch of // other meaningless error codes. I have therefore relegaed this ripmsg to FULL_DEBUG only status. #ifdef FULL_DEBUG else if ((hrTemp != E_OUTOFMEMORY) && // stress can hit the E_OUTOFMEMORY case (hrTemp != E_NOINTERFACE) && // stress can hit the E_NOINTERFACE case (hrTemp != HRESULT_FROM_WIN32(ERROR_COMMITMENT_LIMIT)) && // stress can hit the ERROR_COMMITMENT_LIMIT case (hrTemp != HRESULT_FROM_WIN32(ERROR_NO_SYSTEM_RESOURCES)) && // stress can hit the ERROR_NO_SYSTEM_RESOURCES case !IsGuimodeSetupRunning()) // and we don't want to fire the assert during guimode (shell32 might not be registered yet) { // others failures are bad RIPMSG(FALSE, "CoCreate failed with %x", hrTemp); } #endif // FULL_DEBUG } } #endif pcf->lpVtbl->Release(pcf); } return hr; } HRESULT _CreateFromShell(const CLSID *pclsid, IUnknown *punkOuter, REFIID riid, void **ppv) { return _CreateFromDllGetClassObject(DllGetClassObject, pclsid, punkOuter, riid, ppv); } HRESULT _CreateFromDll(LPCTSTR pszDllPath, const CLSID *pclsid, IUnknown *punkOuter, REFIID riid, void **ppv) { HMODULE hmod = LoadLibraryEx(pszDllPath,NULL,LOAD_WITH_ALTERED_SEARCH_PATH); if (hmod) { HRESULT hr; PFNDLLGETCLASSOBJECT pfn = (PFNDLLGETCLASSOBJECT)GetProcAddress(hmod, "DllGetClassObject"); if (pfn) hr = _CreateFromDllGetClassObject(pfn, pclsid, punkOuter, riid, ppv); else hr = E_FAIL; if (FAILED(hr)) FreeLibrary(hmod); return hr; } return HRESULT_FROM_WIN32(GetLastError()); } STDAPI SHGetInProcServerForClass(const CLSID *pclsid, LPTSTR pszDllPath, LPTSTR pszClass, BOOL *pbLoadWithoutCOM) { TCHAR szKeyToOpen[GUIDSTR_MAX + 128], szInProcServer[GUIDSTR_MAX]; HKEY hkeyInProcServer; DWORD dwSize = MAX_PATH * sizeof(TCHAR); // convert to count of bytes DWORD dwError; SHStringFromGUID(pclsid, szInProcServer, ARRAYSIZE(szInProcServer)); lstrcpy(pszClass, szInProcServer); *pszDllPath = 0; lstrcpy(szKeyToOpen, TEXT("CLSID\\")); lstrcat(szKeyToOpen, szInProcServer); lstrcat(szKeyToOpen, TEXT("\\InProcServer32")); dwError = RegOpenKeyEx(HKEY_CLASSES_ROOT, szKeyToOpen, 0, KEY_QUERY_VALUE, &hkeyInProcServer); if (dwError == ERROR_SUCCESS) { SHQueryValueEx(hkeyInProcServer, NULL, 0, NULL, (BYTE *)pszDllPath, &dwSize); *pbLoadWithoutCOM = SHQueryValueEx(hkeyInProcServer, TEXT("LoadWithoutCOM"), NULL, NULL, NULL, NULL) == ERROR_SUCCESS; RegCloseKey(hkeyInProcServer); } // // Return a more accurate error code so we don't // fire a bogus assertion. // if (*pszDllPath) { return S_OK; } else { // If error was "key not found", then the class is not registered. // If no error, then class is not registered properly (e.g., null // string for InProcServer32). if (dwError == ERROR_FILE_NOT_FOUND || dwError == ERROR_SUCCESS) { return REGDB_E_CLASSNOTREG; } else { // Any other error is worth reporting as-is (out of memory, // access denied, etc.) return HRESULT_FROM_WIN32(dwError); } } } STDAPI _SHCoCreateInstance(const CLSID * pclsid, IUnknown *punkOuter, DWORD dwCoCreateFlags, BOOL bMustBeApproved, REFIID riid, void **ppv) { HRESULT hr = E_FAIL; TCHAR szClass[GUIDSTR_MAX + 64], szDllPath[MAX_PATH]; BOOL bLoadWithoutCOM = FALSE; *ppv = NULL; *szDllPath = 0; // save us some registry accesses and try the shell first // but only if its INPROC if (dwCoCreateFlags & CLSCTX_INPROC_SERVER) hr = _CreateFromShell(pclsid, punkOuter, riid, ppv); #ifdef DEBUG if (SUCCEEDED(hr)) { HRESULT hrRegistered = THR(SHGetInProcServerForClass(pclsid, szDllPath, szClass, &bLoadWithoutCOM)); // // check to see if we're the explorer process before complaining (to // avoid ripping during setup before all objects have been registered) // if (IsProcessAnExplorer() && !IsGuimodeSetupRunning() && hrRegistered == REGDB_E_CLASSNOTREG) { ASSERTMSG(FAILED(hr), "object not registered (add to selfreg.inx) pclsid = %x", pclsid); } } #endif if (FAILED(hr)) { BOOL fNeedsInProc = ((dwCoCreateFlags & CLSCTX_ALL) == CLSCTX_INPROC_SERVER); hr = fNeedsInProc ? THR(SHGetInProcServerForClass(pclsid, szDllPath, szClass, &bLoadWithoutCOM)) : S_FALSE; if (SUCCEEDED(hr)) { if (hr == S_OK && _IsShellDll(szDllPath)) { // Object likely moved out of the shell DLL. hr = CLASS_E_CLASSNOTAVAILABLE; } else if (bMustBeApproved && SHStringFromGUID(pclsid, szClass, ARRAYSIZE(szClass)) && !_IsShellExtApproved(szClass, szDllPath)) { TraceMsg(TF_ERROR, "SHCoCreateInstance() %s needs to be registered under HKLM or HKCU" ",Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved", szClass); hr = HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED); } else { hr = THR(SHCoCreateInstanceAC(pclsid, punkOuter, dwCoCreateFlags, riid, ppv)); if (FAILED(hr) && fNeedsInProc && bLoadWithoutCOM) { if ((hr == REGDB_E_IIDNOTREG) || (hr == CO_E_NOTINITIALIZED)) { hr = THR(_CreateFromDll(szDllPath, pclsid, punkOuter, riid, ppv)); } } // only RIP if this is not a secondary explorer process since secondary explorers dont init com or ole since // they are going to delegate to an existing process and we don't want to have to load ole for perf in that case. if (!IsSecondaryExplorerProcess()) { RIPMSG((hr != CO_E_NOTINITIALIZED), "COM not inited for dll %s", szDllPath); } // sometimes we need to permanently pin these objects. if (SUCCEEDED(hr) && fNeedsInProc && (OBJCOMPATF_PINDLL & SHGetObjectCompatFlags(NULL, pclsid))) { SHPinDllOfCLSID(pclsid); } } } } #ifdef DEBUG if (FAILED(hr) && (hr != E_NOINTERFACE)) // E_NOINTERFACE means riid not accepted { ULONGLONG dwTF = IsFlagSet(g_dwBreakFlags, BF_COCREATEINSTANCE) ? TF_ALWAYS : TF_WARNING; TraceMsg(dwTF, "CoCreateInstance: failed (%s,%x)", szClass, hr); } #endif return hr; } STDAPI SHCoCreateInstance(LPCTSTR pszCLSID, const CLSID * pclsid, IUnknown *punkOuter, REFIID riid, void **ppv) { CLSID clsid; if (pszCLSID) { SHCLSIDFromString(pszCLSID, &clsid); pclsid = &clsid; } return _SHCoCreateInstance(pclsid, punkOuter, CLSCTX_INPROC_SERVER, FALSE, riid, ppv); } // // create a shell extension object, ensures that object is in the approved list // STDAPI SHExtCoCreateInstance2(LPCTSTR pszCLSID, const CLSID *pclsid, IUnknown *punkOuter, DWORD dwClsCtx, REFIID riid, void **ppv) { CLSID clsid; if (pszCLSID) { SHCLSIDFromString(pszCLSID, &clsid); pclsid = &clsid; } return _SHCoCreateInstance(pclsid, punkOuter, dwClsCtx, TRUE, riid, ppv); } STDAPI SHExtCoCreateInstance(LPCTSTR pszCLSID, const CLSID *pclsid, IUnknown *punkOuter, REFIID riid, void **ppv) { return SHExtCoCreateInstance2(pszCLSID, pclsid, punkOuter, CLSCTX_NO_CODE_DOWNLOAD | CLSCTX_INPROC_SERVER, riid, ppv); } STDAPI_(BOOL) SHIsBadInterfacePtr(const void *pv, UINT cbVtbl) { IUnknown const * punk = pv; return IsBadReadPtr(punk, sizeof(punk->lpVtbl)) || IsBadReadPtr(punk->lpVtbl, cbVtbl) || IsBadCodePtr((FARPROC)punk->lpVtbl->Release); } // private API that loads COM inproc objects out of band of COM. this // should be used very carefully, only in special legacy cases where // we knowingly need to break COM rules. right now this is only for AVIFile // as it depended on the Win95 behavior of SHCoCreateInstance() loading objects // without COM being inited and without them being marshalled STDAPI SHCreateInstance(REFCLSID clsid, REFIID riid, void **ppv) { TCHAR szClass[GUIDSTR_MAX + 64], szDllPath[MAX_PATH]; BOOL bLoadWithoutCOM; HRESULT hr = SHGetInProcServerForClass(clsid, szDllPath, szClass, &bLoadWithoutCOM); if (SUCCEEDED(hr)) { hr = THR(_CreateFromDll(szDllPath, clsid, NULL, riid, ppv)); } else { *ppv = NULL; } return hr; }