Hi, in <http://seclists.org/fulldisclosure/2013/Aug/75> I documented beginners errors (unquoted pathnames containing spaces) not only in Microsoft products. Microsofts developer documentation but shows these beginners errors too (and is inconsistent, even in single topics). Examples: <http://msdn.microsoft.com/library/cc144171.aspx> | HKEY_CLASSES_ROOT | txtile ... | Shell ... | cmd2 ... | command | (Default) = C:\Program Files\Windows NT\Accessories\wordpad.exe %1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ <http://msdn.microsoft.com/library/bb165967.aspx> | [HKEY_CLASSES_ROOT\Applications\VSLauncher.exe\Shell\Open\Command] | @="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe \"%1\"" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | [HKEY_CLASSES_ROOT\VisualStudio.csproj.8.0\shell\Open\Command] | @="\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\VSLauncher.exe\" \"%1\"" <http://msdn.microsoft.com/library/cc144083.aspx> | HKEY_LOCAL_MACHINE | SOFTWARE | Classes | contoso-search | shell | open | command | (Default) = "%ProgramFiles%\Contoso\Search\contososearch.exe %1" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ <http://msdn.microsoft.com/library/cc144154.aspx> | HKEY_LOCAL_MACHINE | SOFTWARE | Classes | LitwarePlayer11.AssocFile.... ... | shell | open | command | (Default) = %ProgramFiles%\Litware\litware.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <http://msdn.microsoft.com/library/hh127450.aspx> | HKEY_CLASSES_ROOT | CLSID | {0052D9FC-6764-4D29-A66F-2F3BD9E2BB40} | Shell | Open | Command | (Default) = [REG_EXPAND_SZ] %ProgramFiles%\MyCorp\MyApp.exe /Settings ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <http://msdn.microsoft.com/library/cc144188.aspx> | <sh:task id="{3B75A7AE-C4E4-4E5A-9420-7CECCDA75425}"> | <!-- This is a generated GUID, specific to this task link --> | <sh:name>@myTextResources.dll,-100</sh:name> | <sh:keywords>@myTextResources.dll,-101</sh:keywords> | <sh:command>%ProgramFiles%\Microsoft Games\Solitaire\solitaire.exe</sh:command> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | </sh:task> Example with ambiguous/inconsistent use of quotes: <http://msdn.microsoft.com/en-us/library/aa767914.aspx> | HKEY_CLASSES_ROOT | alert | (Default) = "URL:Alert Protocol" ^ ^ | URL Protocol = "" ^^ | DefaultIcon | (Default) = "alert.exe,1" ^ ^ | shell | open | command | (Default) = "C:\Program Files\Alert\alert.exe" "%1" Counterexamples: <http://msdn.microsoft.com/library/cc144175.aspx> <http://msdn.microsoft.com/library/cc144101.aspx> | Note: If any element of the command string contains or might contain | spaces, it must be enclosed in quotation marks. Otherwise, if the | element contains a space, it will not parse correctly. For instance, | "My Program.exe" starts the application properly. If you use | My Program.exe without quotation marks, then the system attempts to | launch My with Program.exe as its first command line argument. You | should always use quotation marks with arguments such as "%1" that are | expanded to strings by the Shell, because you cannot be certain that | the string will not contain a space. <http://msdn.microsoft.com/library/dd203067.aspx> <http://msdn.microsoft.com/library/cc144109.aspx> regards Stefan Kanthak
