Monday, September 29, 2014

Prevent Word from Restoring Minimized Documents

This has been bugging me, and today I finally researched a solution. When using Word (and, possibly, other Office apps), if one or more documents are minimized and then a new document is opened, the minimized documents are restored. You can easily imagine how irritating this is. I’ve seen this behavior in SQL Management Studio as well.

There are two solutions (with attribution links) below, depending on your version of Word. As far as I can tell, these are independent of which Windows version is installed. Note that it’s important to update the registry keys for both docx and doc file types.

Word 2010 and later

(The encoded command value may differ depending on your installation.)

My registry had these settings under HKEY_CLASSES_ROOT\Word.Document.12\shell\Open\command:

Default: "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" /n "%1" /o "%u"

Command: yh1BV5!!!!!!!!!MKKSkWORDFiles>!2-1&m&8y@Nmo2r)^f-C /n "%1" /o "%u"

I changed them to this (removing /o "%u" and adding /q before /n to remove the splash screen):

Default: "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" /q /n "%1"

Command: yh1BV5!!!!!!!!!MKKSkWORDFiles>!2-1&m&8y@Nmo2r)^f-C /q /n "%1"

I did the same for HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\command, and am now able to open other files without restoring or maximizing other minimized Word .doc or .docx files.

Word 2007 and earlier

You can fix this problem by blocking Word from using DDE to open files.

In the HKEY_CLASSES_ROOT\Word.Document.12\shell\Open key:

  • Delete or rename the ddeexec sub-key

In the HKEY_CLASSES_ROOT\Word.Document.12\shell\Open\command key:

  • Delete or rename the command value (not to be confused with the command key.)
  • Edit the (Default) value and add "%1" (including quotes) at the end

[clf note: some authors recommend changing /n /dde to /q /n “%1”. I think the /q might make a difference in Win7+.]

This solves the problem for .docx files. If you also want to solve it for .doc files, do the same thing for Word.Document.8.

Thanks to: Rafael's Within Windows which has detailed instructions.

Thursday, September 25, 2014

Clever Phish

I received this email yesterday (links altered for safety).

Thanks for shopping with us today! Your purchase will be processed shortly.
Purchase Number: SGF578308436
Order Date: 7.46 Thu, Sep 18, 2014
Customer Email:
Outright Purchase: 4687 USD
Get details
Please click the link provided at the top to get more info about this issue.

Of course, I checked the domain and I'd never heard of it. But nothing came up immediately when searching "gruppo bertoli spam". I was pretty sure it was a phishing email, but it was possible someone stole my identity. Unlikely, though, given the weirdness of the email.

Next, I hovered over the link to see the source. It's a Dropbox location. I opened IE in InPrivate Browsing mode for some added safety. Next, I copied the link and pasted it into the URL. (I've obfuscated the link so it doesn't work anymore.)

I removed the file part of the path, just to see if the Dropbox folder would open. Nope. So, I can see they want me to download a zip file. I'm OK with that, because I won't open it yet.

I downloaded the zip file, then opened—but didn’t extract!—it using 7-zip. Huh. At first glance it's a PDF—with a funny extension. Also, the packed size is the same as the file size. But this might be true for a PDF since they’re binary files, and besides most people won't open it in 7-zip, they’ll use Windows Explorer.


OK. I extracted the file but, of course, didn’t double click it to open.

Now, I looked at the file in Windows Explorer and it really does look like a PDF. 


Why? Because the clever bastards have added a bunch of spaces to hide the real extension. Here's the real file name.

"PAYMENT DETAILS.PDF                                                                                _27102.scr"

Windows (and Mac) by default don't show extensions, anyway, so many will be fooled by a file that advertises itself as a PDF. What's worse, most people don't show their file listings in Detail view, so they wouldn't see the Type, which is the giveaway.

What is it really? It's a screen saver. If I'd launched it...well, who knows? A screensaver can install trojan viruses. Hopefully my Windows Defender would have kicked in, but no guarantee.

This was a good reminder lesson to me. These jerks used the psychology of stage magic: misdirection and plausibility. It looks real, until it's not.
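The check done by eye in 7-zip above can be automated. The following is an added example, not part of the original post: it lists a zip's member names without extracting anything and flags the padded double-extension trick. The extension lists, the 3-space padding threshold, the 80-space sample name and all function names are assumptions made for this illustration.

```python
import io
import re
import zipfile

EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}  # partial list
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}  # visible bait
PADDING = re.compile(r"\s{3,}")  # a run of 3+ whitespace characters inside the name


def real_extension(name):
    """Return the lower-cased final extension, the one Windows acts on."""
    # Windows drops trailing spaces and dots, so ignore them when locating the extension.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def inspect_name(name):
    """Return the reasons an archive member name looks deceptive (empty list if none)."""
    reasons = []
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
    if PADDING.search(name):
        reasons.append("whitespace padding in name")
    if ext in EXECUTABLE_EXTS and any(d in name.lower() for d in DECOY_EXTS):
        reasons.append("decoy document extension before the real one")
    return reasons


def scan_zip(data):
    """Map each suspicious member name of a zip (given as bytes) to its reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = {i.filename: inspect_name(i.filename) for i in zf.infolist()}
    return {name: why for name, why in hits.items() if why}


def build_sample():
    """Constructed sample archive: harmless text payloads, name pattern from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PAYMENT DETAILS.PDF" + " " * 80 + "_27102.scr", b"not a real program")
        zf.writestr("invoice.pdf", b"not a real pdf")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample()).items():
        print(repr(name), "->", "; ".join(reasons))
```

The same `inspect_name` check works on attachment names at a mail gateway, where the name is available before any file is written to disk.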