Add-In Security

To enhance security by preventing malicious add-ins from automatically activating, Visual Studio provides settings in a Tools Options page named Add-in Security.

In addition, this options page allows you to specify the folders in which Visual Studio searches for .Addin registration files. This enhances security by allowing you to limit the locations where .Addin registration files can be read, helping prevent malicious .Addin files from inadvertently being used.

Add-In Security Settings

The settings in the Add-in Security, Environment, Options Dialog Box that relate to add-in security are:

  • Allow add-in components to load.   Checked by default. When checked, add-ins are allowed to load in Visual Studio. When unchecked, add-ins are prohibited from loading in Visual Studio.

  • Allow add-in components to load from a URL.   Unchecked by default. When checked, add-ins are allowed to be loaded from external Web sites. When unchecked, remote add-ins are prohibited from loading in Visual Studio. If an add-in cannot load for some reason, then it cannot be loaded from the web. This setting controls only the loading of the add-in DLL. The .Addin registration files must always be located on the local system.

Default .Add-In File Search Locations

In addition to the security settings, the options page has a list containing folders in which to search for .Addin registration files. By default, the following tokens are included:

  • %ALLUSERSDOCUMENTS%

  • %ALLUSERSPROFILE%

  • %APPDATA%

  • %VSAPPDATA%

  • %VSCOMMONAPPDATA%

  • %VSMYDOCUMENTS%

When Visual Studio begins searching for .AddIn files, it replaces these tokens with the following path strings:

| Token | Path |
|---|---|
| %ALLUSERSDOCUMENTS% | %PUBLIC%\Documents |
| %ALLUSERSPROFILE% | %ALLUSERSPROFILE% (defined by OS) |
| %APPDATA% | %USERPROFILE%\AppData |
| %VSAPPDATA% | %USERPROFILE%\AppData\Roaming\Microsoft\Visual Studio\<Version> --OR-- %USERPROFILE%\AppData\Local\Microsoft\Visual Studio\<Version> |
| %VSCOMMONAPPDATA% | %ProgramData%\Microsoft\Visual Studio\<Version> |
| %VSMYDOCUMENTS% | <My Documents>\Visual Studio 2012 |

Note

Some of the default paths may resolve to targets that do not exist on your system.

You can remove these predefined tokens from the list by highlighting the token and clicking Remove. To add other folders to the search list, click Add and specify a folder in the Browse for Folder dialog box. For more information, see Add-In Registration.

Restricting Options Page Modifications

To prevent users from modifying the settings in the Add-in Security options page, an administrator can set a value in the system registry. This value is named AllowUserToModifySecuritySettings and is stored under the HKLM\Software\Microsoft\VisualStudio\11.0\AutomationProperties key. If the key value is present and set to 0, then all options in the Add-in Security page are disabled. (That is, the settings on the page cannot be changed.)

The settings for the Add-in Security page are stored in the registry under the HKLM\Software\Microsoft\VisualStudio\11.0\AutomationProperties and HKCU\Software\Microsoft\VisualStudio\11.0\AutomationProperties keys. The security buttons receive their values by first looking at the key under HKEY_LOCAL_MACHINE. If that key does not exist, then the HKEY_CURRENT_USER value is used. This allows an administrator to, for example, enable the loading of add-ins, but it allows a user to disable loading these components if they choose. If an administrator has disabled loading add-ins, however, then a user without administrative permissions cannot enable them. If the setting to load add-ins is checked, then the folders specified under the HKLM\SOFTWARE\Microsoft\VisualStudio\11.0\AutomationOptions\LookInFolders and HKCU\SOFTWARE\Microsoft\VisualStudio\11.0\AutomationOptions\LookInFolders keys are searched for possible .Addin files.

An administrator who changes the options on this page can write values to any key under the HKEY_LOCAL_MACHINE registry hive, which modifies those settings for all users of that computer.
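The following is an added example, not code from this page or from Microsoft. It expands search-list entries with the token table above, flags folders that resolve inside the user profile or %PUBLIC% (where a standard user can normally create files), and reports whether AllowUserToModifySecuritySettings locks the options page. The sample environment, the version string 11.0, the extra D:\ entry and the verdict labels are constructed assumptions, and registry values are passed in as a dict rather than read from the registry.

```python
import ntpath
import re

# Token -> path templates, copied from the table on this page.
TOKEN_PATHS = {
    "ALLUSERSDOCUMENTS": [r"%PUBLIC%\Documents"],
    "ALLUSERSPROFILE": [r"%ALLUSERSPROFILE%"],  # defined by the OS
    "APPDATA": [r"%USERPROFILE%\AppData"],
    "VSAPPDATA": [r"%USERPROFILE%\AppData\Roaming\Microsoft\Visual Studio\<Version>",
                  r"%USERPROFILE%\AppData\Local\Microsoft\Visual Studio\<Version>"],
    "VSCOMMONAPPDATA": [r"%ProgramData%\Microsoft\Visual Studio\<Version>"],
    "VSMYDOCUMENTS": [r"<My Documents>\Visual Studio 2012"],
}
# Constructed sample machine and search list; none of these values come from the page.
SAMPLE_ENV = {"USERPROFILE": r"C:\Users\dev", "PUBLIC": r"C:\Users\Public",
              "ALLUSERSPROFILE": r"C:\ProgramData", "PROGRAMDATA": r"C:\ProgramData"}
SAMPLE_ENTRIES = ["%ALLUSERSDOCUMENTS%", "%ALLUSERSPROFILE%", "%APPDATA%", "%VSAPPDATA%",
                  "%VSCOMMONAPPDATA%", "%VSMYDOCUMENTS%", r"D:\BuildTools\Addins"]

def expand(entry, env, version="11.0", my_documents=r"C:\Users\dev\Documents"):
    """Return every path one search-list entry can resolve to (%VSAPPDATA% has two)."""
    templates = [entry]
    m = re.match(r"%(\w+)%", entry)
    if m and m.group(1).upper() in TOKEN_PATHS:
        templates = [t + entry[m.end():] for t in TOKEN_PATHS[m.group(1).upper()]]
    paths = []
    for p in templates:
        p = p.replace("<Version>", version).replace("<My Documents>", my_documents)
        # Variables missing from env are left unexpanded rather than guessed.
        p = re.sub(r"%(\w+)%", lambda v: env.get(v.group(1).upper(), v.group(0)), p)
        paths.append(ntpath.normpath(p))
    return paths

def is_under(path, root):
    path, root = ntpath.normcase(path), ntpath.normcase(ntpath.normpath(root))
    return path == root or path.startswith(root + "\\")

def audit(entries, env, hklm_properties):
    """Classify resolved folders; locked is True only if the HKLM value is present and 0."""
    roots = [env["USERPROFILE"], env["PUBLIC"]]
    findings = [(e, p, "user-writable" if any(is_under(p, r) for r in roots) else "review-acl")
                for e in entries for p in expand(e, env)]
    locked = hklm_properties.get("AllowUserToModifySecuritySettings") == 0
    return findings, locked

if __name__ == "__main__":
    for row in audit(SAMPLE_ENTRIES, SAMPLE_ENV, {"AllowUserToModifySecuritySettings": 0})[0]:
        print(*row, sep=" | ")
```

Folders reported as review-acl are outside the user profile, so their actual ACLs still need to be checked on the machine.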

See Also

Concepts

Best Practices for Security in Automation

Add-In Registration