Can no longer open CHM files across the local network after installing CU for Windows 1709 for x64 Systems (KB4103727)

All replies

• 

  

  1

  Sign in to vote

  Hi Allen,

  How are you launching the chm files from IE... ? or are you using a burlesque WBC in a  exe/dll?

  exactly how do you place a network path in IE's security zone lists? eg. //servername/ resolves to the c://webroot folder on a server machine named servername running IIS.

  A host is not a network path.. try removing the server name from your IE Intranet sites list.

  Can you use the File>Open menu in IE? to launch the chm files (MS Compiled Html help executable) from either its network location or the machine %system% folder?

  ... you should be prompted to open or save the file, not launch it in IE.

  Is your company using Enterprise Site Mode Lists or FEATURE_CONTOL_BROWSER_EMULATION (for WBC applications)?

  all in all it sounds like you are using a WBC application. not IE.

  Is this application developed/maintained by another software company? Have you tried their support forums?

  https://support.microsoft.com/en-us/help/4103727/windows-10-update-kb4103727

  Security updates to Microsoft Edge, Internet Explorer, Microsoft scripting engine, Windows app platform and frameworks, Device Guard, Windows kernel, Microsoft Graphics Component, Windows storage and filesystems, Windows Hyper-V, Windows virtualization and kernel, HTML help, and Windows Server.

  Doesn't tell us much to help you.

  Regards.

  Questions regarding Internet Explorer 8, 9 and 10 and Internet Explorer 11 for the IT Pro Audience. Topics covered are: Installation, Deployment, Configuration, Security, Group Policy, Management questions.

  ---

  Rob^_^

  Saturday, May 12, 2018 1:44 AM
• 

  

  3

  Sign in to vote

  Hi Rob,

  I'm not really launching it from IE, it is more that the CHM file is a compiled HTML help file that runs IE in an IFrame.  The process that is running when I launch it is hh.exe.

  The .CHM file is located on a network share on a file server.  We use a DFS namespace for this fileshare and using group policy, we map a network drive to everyone's desktop.

         File Share - \\ServerName\ShareName

         DFS Namespace \\DFSNamespacePath\DFSFolder

         Mapped Drive - T:\FolderName\file.chm

  We can add the share to the Local Intranet zone by using the file://DFSNamespacePath syntax.  In fact if I attempt to add T: to the Local Intranet zone, it can resolve it to file://DFSNamespacePath.

  I tried launching the CHM directly from IE, but it does not work if i choose Open.  I'm sure that it would work if I saved it locally because the CHM's still work fine when run from the local machine.  Unfortunately we have some legacy files that a lot of users need to access, and having to copy the CHM files to their local machine every time is a giant pain in the rear.

  We are not using Enterprise Site Mode Lists or FEATURE_CONTROL_BROWSER_EMULATION (for this atleast).

  These are very old help files and I don't know if the company exists anymore or could help us.

  Good catch on the "HTML help" for the Windows 10 update.  I wonder if the problem that I am having is an unintended side effect of their update, or if it was done to close a security hole.

  Thanks for your help!

  
  

  Monday, May 14, 2018 3:43 PM
• 

  

  4

  Sign in to vote

  We are having this same issue since updates this weekend. Some of our folks are pointing at KB4103712, which also lists security updates to HTML help.

  Like the OP, our former registry work-arounds are no longer working.

  Monday, May 14, 2018 6:01 PM
• 

  

  3

  Sign in to vote

  We too have this issue after the KB was installed. Remote execution of a CHM no longer works (nor does the registry modification to allow this as in past times). This affects all CHM files to my knowledge. For instance- copy "C:\Windows\Help\mui\0409\regedit32.CHM" to a network location and then double click on it. The content pane on the right will be blank.

  Monday, May 14, 2018 10:06 PM
• 

  

  4

  Sign in to vote

  We too have this issue after the KB was installed. This is a real problem for all our customers - we are developing an ERP-System installed and running over a network share. All these customers with updated Windows are unable to read our help system!!

  Thursday, May 17, 2018 8:09 AM
• 

  

  5

  Sign in to vote

  I can confirm that this issue exists and I have been unable to find a workaround that doesn't involve copying the .chm file to a local directory.

  Setting either the "MaxAllowedZone" or "URLAllowList" under the "ItssRestrictions" registry key doesn't done anything.

  Thursday, May 17, 2018 10:05 AM
• 

  

  1

  Sign in to vote

  I confirm also that this issue exists and that there is no workaround that doesn't involve copying the .chm file to a local directory.

  kb4103712 (win 7, win server 2008 R2) and kb4103721 (win 10, 1803)  show the same issue.

  Friday, May 18, 2018 9:36 AM
• 

  

  2

  Sign in to vote

  use NTFS Symlinks and you are done:

  mklink newlocalPath \\ServerPath /D

  and now you can open your server-side chm-files via newlocalpath

  Friday, May 18, 2018 3:44 PM
• 

  

  3

  Sign in to vote

  "

  use NTFS Symlinks and you are done:

  mklink newlocalPath \\ServerPath /D

  and now you can open your server-side chm-files via newlocalpath"

  and this works in running environments? Without shutting down any machine?

  Tuesday, May 22, 2018 3:35 PM
• 

  

  2

  Sign in to vote

  Tried it myself and it works! e.g.

  mklink /D c:\MyHelp \\myserver\helpfiles

  now you can access c:\MyHelp\SomeHelp.chm and you'll actually be reading \\myserver\helpfiles\SomeHelp.chm

  Wednesday, May 23, 2018 8:28 AM
• 

  

  4

  Sign in to vote

  I have the same problem since I switched to version 1803.
  For me, your solution is not an option,
  because

  1. I have many clients I would have customizing
  2. The clients sometimes have several gigabit data that I would have to link.

  Does not anyone have another solution for this problem?

  Wednesday, May 23, 2018 12:00 PM
• 

  

  6

  Sign in to vote

  Hello, we have the same problem. I hope Microsoft will give an advice on how to fix this.

  Thursday, May 24, 2018 2:13 PM
• 

  

  9

  Sign in to vote

  We also open CHM Files from a share in our applications on thousands of clients. We are not able to force our customers to install everything local. Please @Microsoft, fix this and continue using the existing registrykeys or at least give us another possibility to white-list UNC paths.

  Regards
  Martin

  Friday, May 25, 2018 7:08 AM
• 

  

  0

  Sign in to vote

  @"CONNEXT Communication GmbH":

  1.) You don't need to take (and revert) "possession" (normal wording "Ownership") when using robocopy /B

  2.) Please warn users when recommending to revert security patches. What CVE will users be vulnerable for when applying your "solution"!?

  Monday, June 4, 2018 8:11 AM
• 

  

  1

  Sign in to vote

  Great find!

  This workaround does work, but due to the number of users we'd have to deploy it to, and how infrequently they access CHM files, I have decided to wait before implementing it.  Our users have gotten used to copying them local when they need to.

  Although I haven't tested it, I would think deploying it via group policy would not be very difficult.

  Tuesday, June 5, 2018 2:55 PM
• 

  

  3

  Sign in to vote

  I just installed the June updates for 1803 (17134.112) and network-hosted .chm files are still broken.

  Wednesday, June 13, 2018 1:13 PM
• 

  

  3

  Sign in to vote

  Hello,

  yesterday's patchday did not fix the problem to open .chm files via an unc path. I have only received feedback from Microsoft that the problem is known and a solution is being worked on. Long speech, the mistake still exists.
  
  For the transition solution described here, system files are exchanged, you (!) act on your own responsibility.
  
  You can solve this problem by copying the following files from unpatched systems (before the May update) to the corresponding System32 folders. For x64 systems, for 32 bit programs from which help (e.g. F1 key) is started via the network, the same procedure must be performed in the SysWOW64 folder:
  
  Windows 10/2016
  %SystemRoot%\System32\hhctrl.ocx
  %SystemRoot%\System32\itircl.dll
  %SystemRoot%\System32\itss.dll
  
  This repairs the direct call of the help via e.g. the Explorer
  
  SystemRoot%\SysWOW64\hhctrl.ocx
  SystemRoot%\SysWOW64\itircl.dll
  SystemRoot%\SysWOW64\itss.dll
  
  Repairs the help function in 32 bit applications that call a CHM file in the UNC environment.
  
  Windows 7 / 8.x / 2008 r2 / 2012 r2
  
  %SystemRoot%\System32\hhctrl.ocx
  %SystemRoot%\System32\hhsetup.dll
  %SystemRoot%\System32\itircl.dll
  %SystemRoot%\System32\itss.dll
  
  SystemRoot%\SysWOW64\hhctrl.ocx
  SystemRoot%\SysWOW64\hhsetup.dll
  SystemRoot%\SysWOW64\hh.exe
  SystemRoot%\SysWOW64\itircl.dll
  SystemRoot%\SysWOW64\itss.dll
  
  You get the problem and the corresponding files relatively easily analyzed yourself. I found out the affected files with MJ`s Diagnostics http://kb.helpwaregroup.com/ms-html-help/mj-s-diagnostics

  Friday, June 15, 2018 5:10 AM
• 

  

  0

  Sign in to vote

  I'm glad to see this forum topic.
  I've been having this issue on our network also. Although there isn't a complete answer, it's identified what the problem is, and I appreciate it.
  
  I found, as Arne suggested, that copying the HH program files listed from an unpatched PC worked.
  
  So I'll be able to do this on any PC that needs help access, and hope that the issue is resolved in the July update.

  Certainly not an ideal solution, but much better than nothing.

  Friday, June 29, 2018 3:02 AM
• 

  

  4

  Sign in to vote

  We have this problem also.  I filed a support case with Microsoft back in May. 

  They have recommended the mklink solution, which does not help us.  That would require changing 1000 programs to point to the local directory. 

  They also had us test copying the files from an unpatched computer, which does work.  That however requires updating over 1000 computers.

  I have continued to press for a roll back of the change.  I received this reply from the technical advisor.

  Dan

  ---

  I wanted to update you that the impact to your business has been shared with the concerned team and its under consideration.

   

  We understand that the problem has impacted your business due to a recent update. The decision to stop access to HTML help files over a network location was due to a Security vulnerability. While the product team is investigating the impact of the changes I cannot commit to you that we will be able to come up with a possible fix anytime soon nor do I have an ETA. This means that the decision to roll back the update is also not something I can commit on. In my view as this is a security vulnerability it may not be in the best interest to keep it unpatched by rolling back the update. I would not recommend it to you either to uninstall the update.

   

  With that said, I would like to assure you that we have done everything possible to get the right people involved and shared your business case. I am the highest point of escalation on a professional support incident and I wanted to reach out to you to provide my assurance on the same.

  ---

  Danny

  Friday, June 29, 2018 12:03 PM
• 

  

  1

  Sign in to vote

  We also have the same problem. It would be great if Microsoft provides any advice.

  Wednesday, July 25, 2018 3:50 AM
• 

  

  1

  Sign in to vote

  Just installed the July updates on 1709 (16299.551) and 1803 (17134.167) and network-hosted .chm files are still broken.

  Wednesday, July 25, 2018 9:13 AM
• 

  

  0

  Sign in to vote

  Hi Dan,

  Have you had any reply or update on what Microsoft are going to do to allow *.CHM files to Open fully across the network?

  thanks

  Toni

  Thursday, July 26, 2018 12:34 AM
• 

  

  2

  Sign in to vote

  If you want to minimise the risk, I was able to get *.CHM Help files to open across the network with only replacing this file:

  %SystemRoot%\System32\itss.dll

  I don't think it is necessary to update any other files 'regardless' if it is a 32 bit  or 64 bit machine.

  Thanks

  Toni

  
  
  
  

  • Edited by Ohrid20 Thursday, July 26, 2018 2:14 AM
  • Proposed as answer by Guybrush.Threepwood Thursday, July 26, 2018 9:56 AM

  Thursday, July 26, 2018 1:44 AM
• 

  

  0

  Sign in to vote

  Wow, thank you for that Toni. That works great.
  It will simplify the process of taking ownership/permission and copying of files.

  That's a really good find :)

  Thursday, July 26, 2018 2:21 AM
• 

  

  0

  Sign in to vote

  Hi Toni,

  you made my day! Thanks a lot!

  I found out, that you can take the itss.dll from an unpatched Syswow64-Folder for both systems (32bit and 64bit).

  In my case I had to copie it into the SysWOW64-Folder (64bit) or into the System32-Folder (32bit).

  To replace it in the System32-Folder on a 64bit-System didn't work for me.

  Imported: You have to replace the ownership and give fullaccess für this file.

  Regards

  Holger

  Thursday, July 26, 2018 10:02 AM
• 

  

  0

  Sign in to vote

  Thank you for your comment, mighty pirate.

  I found that replacing 'itss.dll' in the System32 folder allowed me to access it via Windows.
  But in order to get it to work in our application, I needed to replace the copy in 'SysWOW64'.

  I'd imagine that's what Danny525 was talking about, that the 'SysWOW64' copy is for '32 bit applications that call a CHM file in the UNC envionment'.

  So replacing 'itss.dll' in both 'System32' and 'SysWOW64' is the workaround for me.
  It would be great to get this fixed by Microsoft.

  
  

  • Edited by RCCCWagga Wednesday, August 1, 2018 12:08 AM Slight alteration to text.

  Wednesday, August 1, 2018 12:07 AM
• 

  

  2

  Sign in to vote

  Known issue. The CHM issue is a casualty of a security hardening change in previous updates. 
  Retest with monthly currently scheduled to release in the September 2018 Preview that will go mainstream the 2nd week of October 2018.

  the September Preview KBs should contain release note text similar to

  • Addresses an issue that prevents the Microsoft Help Viewer from rendering HTML content inside a Windows Help .CHM file when the .CHM file is stored on a network location.

  • Edited by eventtrac Friday, September 7, 2018 8:04 PM
  • Marked as answer by Allen Terry Wednesday, April 10, 2019 6:53 PM

  Tuesday, September 4, 2018 11:45 PM
• 

  

  1

  Sign in to vote

  This issue was resolved by updates released the 3rd week of September 2018. 
  OS versions not listed in the table below won't be receiving a fix and will need to lead with a workaround like creating a symbolic link that adds a local shortcut pointing to the remote network location

  OS	Resolving KB
  1803 / RS4	KB 4458469
  1709 / RS3	KB 4457136
  1703 / RS2	KB 4457141
  RS1	KB 4457127
  TH2	KB 4457130
  TH1 / RTM	KB 4457132
  Win8.1 / WS 12 R2	KB 4457133
  Windows Server 2012	KB 4458469
  Win7 / W2K8 R2	KB 4457139
  Windows Server 2008	KB 4458469

  Wednesday, September 26, 2018 8:06 PM
• 

  

  0

  Sign in to vote

  Has Windows Server 2008  been fixed in this patch? or will it be fixed in the near future patch since it is listed? I can't find any information anywhere about it being fixed, also being a newbee wasn't the initial problem accessing .chm files across a network, with no work around by MS but this advises a Symbolic link is the workaround. Where do we go if a companies security policy will not allow such a work around what will the fix be,  
  
  Cheers
  
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  
  This issue was resolved by updates released the 3rd week of September 2018. 
  OS versions not listed in the table below won't be receiving a fix and will need to lead with a workaround like creating a symbolic link that adds a local shortcut pointing to the remote network location

  OS	Resolving KB
  1803 / RS4	KB 4458469
  1709 / RS3	KB 4457136
  1703 / RS2	KB 4457141
  RS1	KB 4457127
  TH2	KB 4457130
  TH1 / RTM	KB 4457132
  Win8.1 / WS 12 R2	KB 4457133
  Windows Server 2012	KB 4458469
  Win7 / W2K8 R2	KB 4457139
  Windows Server 2008	KB 4458469

  
  
  

  • Edited by nuuu-bee Thursday, December 13, 2018 4:19 AM

  Thursday, December 13, 2018 4:14 AM
• 

  

  0

  Sign in to vote

  Is there a fix for 1809? 

  Tuesday, February 19, 2019 2:46 PM
• 

  

  0

  Sign in to vote

  I have just applied the listed updates to both Windows 8.1 and Windows 10 machines and they do not completely fix the problem of displaying a .chm file across a network share.
  

  The updates do in fact fix the problem so that I can launch the .chm from Windows Explorer (just by double-clicking it) and the content displays correctly with these entries:

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
  "MaxAllowedZone"=dword:00000001
  "UrlAllowList"="\\\\SERVER_PC\\SHARE_NAME\\rthelp;file://\\\\SERVER_PC\\SHARE_NAME\\rthelp"
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
  "MaxAllowedZone"=dword:00000001
  "UrlAllowList"="\\\\SERVER_PC\\SHARE_NAME\\rthelp;file://\\\\SERVER_PC\\SHARE_NAME\\rthelp"

  However, the context sensitive help launched from the program executable {invoked by calling the Windows API HtmlHelp() function}, does *not* work - the exact same Help content should be displayed, but it is empty (again) just like if the registry keys did not exist.

  I even tried raising the MaxAllowedZone to the highest value (4) and adding EnableFrameNavigationInSafeMode and NestedProtocolList values, but none of those changes had any effect.

  Could we please actually get this fixed so that it works like it did before - this is a single executable that everyone runs from a network share (so that it does not have to be installed on each user's PC), and now the F1 help does not work because of these supposed "fixes".

  
  

  
  

  
  

  
  

  
  
  

  • Edited by aecspades23 Thursday, October 10, 2019 2:37 AM

  Thursday, October 10, 2019 2:35 AM
• 

  

  0

  Sign in to vote

  Hi aecspades23

  Thanks for sharing your efforts.

  I am in the same boat as I am also not able to see the content of chm files through my application if access across network drive.

  OS - Windows 10, 64-bit

  I can see the contents of chm file across network when I double click on it just by modifying only this entry in the Registry:

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
  "MaxAllowedZone"=dword:00000002

  I have neither modified HHRestrictions nor added UrlAllowedList in the registry. When I run my application with above manual registry changes across the network, I am still able to see the contents of chm file and that's what I want.

  I want to make the above manual change in Registry programatically when I run my application. I have written the C++ function for that but somehow its not modifying the Registry value. Below is the function:

  ModifyRegistry(HKEY hk, const wchar_t *key, const wchar_t *name, int *val, DWORD type )
  {
  DWORD  rtn=0;
  HKEY   KEY;
  LONG phkRTN;
  
  phkRTN = RegCreateKeyEx(hk, key, (DWORD)0, NULL, 0, KEY_WRITE, NULL, &KEY, &rtn);
  if( phkRTN == ERROR_SUCCESS )
  {
  if(type == REG_DWORD )
  {
  DWORD *i =  (DWORD*)val;
  RegSetValueEx( KEY, name, 0, type, (LPBYTE)i, sizeof(DWORD) );

                  }

          }

          RegCloseKey(KEY);
  return(rtn);
  }

  where 

  hk = HKEY_LOCAL_MACHINE

  key = L"SOFTWARE\\Microsoft\\HTMLHelp\\1.x\\ItssRestrictions"

  name = L"MaxAllowedZone"

  *val = 2

  type = REG_DWORD

   I have debugged and checked the returned value of  RegSetValueEx and its coming ERROR_SUCCESS.

  Do you or someone have any idea whether I am missing anything here or some other permission is required. I am giving 6'th parameter of RegCreateKeyEx function as KEY_WRITE which is the combination of 

  STANDARD_RIGHTS_WRITE  | KEY_SET_VALUE  | KEY_CREATE_SUB_KEY)  &  (~SYNCHRONIZE))

  In some of the blogs I have read that we need to run the application in elevated mode which I am not aware. Can someone please let me know what that mean is or can share good links or example related to this.

  - Prateek

  Tuesday, December 3, 2019 7:38 AM
• 

  

  0

  Sign in to vote

  Hello,

  I have a similar problem on some windows configurtions. Do you have any solution?

  Thank you

  Thomas

  Friday, January 24, 2020 8:55 AM