Skip to content

Instantly share code, notes, and snippets.

@wdormann
Last active June 6, 2023 09:07
  • Star 68 You must be signed in to star a gist
  • Fork 13 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b to your computer and use it in GitHub Desktop.
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"DontUpdateLinks"=dword:00000001
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options]
"DontUpdateLinks"=dword:00000001
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000001
"Options"=dword:00000117
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options]
"DontUpdateLinks"=dword:00000001
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000001
"Options"=dword:00000117
@wdormann
Copy link
Author

I've confirmed that the DDE-disabling option for Excel actually disables the ability for Windows Explorer to launch Excel itself (e.g. by double-clicking on an Excel file). Opening the same file via File -> Open in Excel still works though.

The better mitigation may be to enable ASR features via Windows 10, and still import the "WordMail" registry values above. That is, set D4F940AB-401B-4EFC-AADC-AD5F3C50688A to 1, and import:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail]
 "DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail]
 "DontUpdateLinks"=dword:00000001

@Squuiid
Copy link

Squuiid commented Oct 31, 2017

NOTE: ASR only works if you are using Windows Defender as your primary AV.

"ASR has a dependency on Windows Defender Antivirus being the primary AV on the device and its real-time protection feature must be enabled."
https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

@moonyh
Copy link

moonyh commented Nov 2, 2017

thx bro. can you make regitry that works for 2007(version)

@wdormann
Copy link
Author

I couldn't find discrete, human-readable DDE registry values for Office 2007. For that version of Office, which shouldn't be used for obvious reasons, your best bet is to set the DDE options in the respective Office applications preferences or possibly GPO.
For example, in Word:
Options -> Advanced -> General -> "Update automatic links at open" (uncheck this)
For Excel, the option is called "Ignore other applications that use Dynamic Data Exchange DDE" (but note that this breaks the ability to open Excel files by double-clicking them)

The Outlook attack vector didn't seem to work in my testing with Outlook 2007, so no special protections seem to be needed there.

@id7368
Copy link

id7368 commented Nov 13, 2017

emmm...if you want enable DDE again:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"DontUpdateLinks"=dword:00000000
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options]
"DontUpdateLinks"=dword:00000000
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000000
"Options"=dword:00000117

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options]
"DontUpdateLinks"=dword:00000000
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000000
"Options"=dword:00000117

@jay
Copy link

jay commented Nov 23, 2017

If anyone is curious I tried to do it system-wide by using HKEY_LOCAL_MACHINE but that didn't work to disable the link updates.

@abraeg
Copy link

abraeg commented Jan 16, 2018

Is there any information about what "Options"=dword:00000117 is about?
What, if I already have an Options value other than 00000117? Should it be replaced or should it be added (bitwise?)
Thanks for any hint.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment