HTA (HyperText Applications): Caveats and Features

Caveats:
1. Security: HTAs bypass the Internet Explorer's advanced settings to disable/enable active scripting, which leads to vulnerability in system to malfunction. However, since the HTAs interact with local system (using ActiveXObjects) for file/DB manipulation, the caveat is limited to the user's system. Also because browser doesn't come into picture for HTAs, use of SSL is not taken into consideration, unless the HTA is loaded with a remote frame (which perhaps defeats the purpose of HTA).
2. Icon: Individual HTA can not be associated with *an icon, if it's modified the icon takes over for all the HTAs in the system. However an icon can be put in the control menu of the title bar.
3. Porting: HTAs may NOT be transferred through email, because most of the antivirus systems consider HTAs as scripts that contain malicious code. It is so, because of HTAs' capabilities to have full control on system's file system (where they are being kept).

Features:
1. File System: HTAs provide strong file manipulation capabilities. VBScript users can make use Scripting.FileSystemObject in CreateObject method while J/avaScript users may instantiate ActiveXObject with the same component name to control file system.
2. WSH Support: HTAs are open to make use of Windows Scripting Host just as the direct VBS or JS files would. Common WSH operations (WScript.Shell) include Reading/writing file system, windows registry and devices (In case of WMI). Other WSH operations (WScript.Network) include Reading network information and mapping drives etc.
3. DB Access: HTAs can manipulate databases using SQLOLEDB or OLEDB Jet interfaces for almost all databases and text files (using text/csv drivers).
4. MS Office: HTAs can make use of COM to manipulate MS Office documents such as Excel, Word, Outlook. Manipulations include porting and formatting data, charts and images etc.
5. FTP Access: Seem less FTP Support is provided.
6. Splash Screen: HTA can be used to display a splash screen for few seconds while the whole application loads.
7. Context Menus: Regulation right click context menu (as appears in IE) can be disabled in HTA and a custom context menu can be displayed instead.
8. HTA:Application: element allows us to customise the HTA application, customisation includes setting/unsetting/modifying a control/sys menu, border specifications, icon, version, title/caption bar, scrolling, context menu and others. Making it all very handy.

<HTA:APPLICATION
ID = "objApp"
APPLICATIONNAME = "HTA App Name"
BORDER = "thick"
CAPTION = "yes"
ICON = "any.ico"
SHOWINTASKBAR = "yes"
SINGLEINSTANCE = "yes"
SYSMENU = "yes"
WINDOWSTATE = "normal"
SCROLL = "yes"
SCROLLFLAT = "yes"
VERSION = "1.0"
INNERBORDER = "yes"
SELECTION = "no"
MAXIMIZEBUTTON = "yes"
MINIMIZEBUTTON = "yes"
NAVIGABLE = "yes"
CONTEXTMENU = "yes"
BORDERSTYLE = "normal"
>

As you can see above, the HTA:Application element is an empty element and contains numerous useful attributes. Most of the attributes are self-explanatory. Setting SCROLLFLAT to true causes HTAs use Internet Explorer style of flat scrollbars. Elements, like frames, that have their own scrollbars inherit this style. For normal scrollbars this attribute can be set to false. ID objApp can be used in scripting language to manipulate the attributes etc.

Icon appears in the control/sys bar or the application. SINGLEINSTANCE will not allow users to spawn another window if one is already open. CAPTION, BORDER and INNERBORDER can be reset to create a splash screen like window.

Sumit Amar

Comments

  • Anonymous
    December 16, 2010
    Thx man, that was what i needed ^^ MAXIMIZEBUTTON = "yes" MINIMIZEBUTTON = "yes" CONTEXTMENU = "yes"

  • Anonymous
    February 09, 2011
    Sumit, There are deployment issues with hta's concerning the use of activeX common controls.  The client machine may ask the user to download comdlg32.cab, if for example the hta has file open/close etc dialogs. This will concern many users. As far as I know, the hta has to be configured carefully to avoid this (if at all possible). Microsoft docs say that htas will run without any restrictions, but  I find this statement misleading.