Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I tell if ActiveX is enabled in Internet Explorer?

-- JV

SpacerHey, Scripting Guy! AnswerScript Center

Hey, JV. You just had to ask this question, didn’t you? Actually, this isn’t a particularly hard question to answer, it’s just a little complicated. But that has to do more with the way Internet Explorer is configured than it does with writing a script to retrieve this information.

To begin with, Internet Explorer does not have a management object model; instead, the only way we can programmatically retrieve Internet Explorer settings and property values is by writing a script that grabs this information from the registry. That’s pretty easy; we often use registry-reading scripts in this column. The tricky part comes in figuring out which registry values need to be read, and knowing how to interpret the data that comes back.

Note. Another tricky part lies in knowing which ActiveX setting you’re interested in; for better or worse, Internet Explorer has several settings related to ActiveX controls. For today’s column, we’re assuming you want to read the value for this setting: Run ActiveX controls and plug-ins.

Let’s start by figuring out which registry values need to be modified. As it turns out, there is no global setting for Internet Explorer security settings; instead, these settings are managed by Internet Explorer zones. There are four such security zones; the zone names and their values are shown in the following table:

Zone Name

Zone Value

Intranet sites

1

Trusted sites

2

Internet sites

3

Restricted sites

4

Settings for Internet Explorer security zones can be found in the HKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ portion of the registry; to access a particular zone you need to access the subkey corresponding to that zone. To determine the appropriate subkey, just tack the zone value to the preceding registry path. For example, to get at settings for the Internet sites zone (value 3) you need to access this registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

You can see the 3 tacked on at the end. Want to access settings for the Intranet sites zone (value 1)? Okey-doke:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Once you’ve located the correct registry subkey you then need to know which registry value to read. Unfortunately (at least for script writers) these registry values have somewhat-cryptic names; for example, the one we’re interested in is named 1200. (Why? We have no idea.) If you’re gung-ho on using scripts to read/manage Internet Explorer settings then you might want to take a look at the Managing Internet Explorer Enhanced Security Configuration whitepaper. Only a portion of the document deals with scripting, but that portion does map these cryptic registry values to the corresponding properties in the user interface. And, of course, many of these settings can be found in the Tweakomatic. (The Tweakomatic, unlike the whitepaper, will actually write the scripts for you.)

So are we ready to finally write a script and actually do something here? Almost. The other thing you need to know is that the configuration information is stored in the registry as a DWORD (numeric) value. Does it help if you know that the ActiveX controls setting is configured as a 3 rather than 65536? Probably not. But this table might help:

Registry Value

User Interface Value

0

Enabled

1

Prompt

3

Disabled

65536

Administrator Approved

And, no, that last value is not a misprint; it really is 65536. Go figure.

OK, now we’re ready to write a script. Here’s a sample script that retrieves setting information for the Intranet sites zone (zone value 1):

HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
ValueName = "1200"

objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, ValueName, dwValue

Wscript.Echo "Run ActiveX Controls and Plug-ins"

If IsNull(dwValue) Then
    Wscript.Echo "Intranet sites:  The value is either Null or could not be found in the registry."
ElseIf dwValue = 0 Then
    Wscript.Echo "Intranet sites: Enabled"
ElseIf dwValue = 1 Then
    Wscript.Echo "Intranet sites: Prompt"
ElseIf dwValue = 3 Then
    Wscript.Echo "Intranet sites: Disabled"
ElseIf dwValue = 65536 Then
    Wscript.Echo "Intranet sites: Administrator Approved"
End If

We begin by defining a constant named HKEY_CURRENT_USER and setting the value to &H80000001; this tells the script which registry hive we want to work with. We then connect to the WMI service; note that the StdRegProv (Standard Registry provider) class is located in the root\default namespace. (Many script writers assume that the class is in root\cimv2, like most WMI classes. Nope.)

Next we assign values to a pair of variables:

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
ValueName = "1200"

As you can see, the variable strKeyPath contains the registry path within HKEY_CURRENT_USER (don’t include HKEY_CURRENT_USER in the path or the script will fail). The variable ValueName, meanwhile, is set to 1200, which happens to be the registry value we want to read.

We then call the GetDWORDValue method, which enables us to read a DWORD value in the registry:

objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, ValueName, dwValue

Note that we need to pass GetDWORDValue several parameters:

HKEY_CURRENT_USER, the constant that tells the script which registry hive to use.

strKeyPath, the variable containing the registry path.

ValueName, the variable representing the registry value we want to read.

dwValue, an “out parameter” that will end up holding the value read from the registry. If you’re thinking, “Wait, we didn’t assign a value to dwValue,” you’re right. And that’s by design: we don’t assign values to an out parameter. Instead, GetDWORDValue will read whatever happens to be stored in the registry value in question (1200) and then the method will assign that value to dwValue.

Yeah, that is kind of neat, isn’t it?

At this point we could simply echo back the value retrieved from the registry. As we noted, however, that will be a value such as 1 or 3 or 65536. Therefore, we set up a simple little If Then ElseIf block to examine the returned value and echo back a more meaningful message:

If IsNull(dwValue) Then
    Wscript.Echo "Intranet sites:  The value is either Null or could not be found in the registry."
ElseIf dwValue = 0 Then
    Wscript.Echo "Intranet sites: Enabled"
ElseIf dwValue = 1 Then
    Wscript.Echo "Intranet sites: Prompt"
ElseIf dwValue = 3 Then
    Wscript.Echo "Intranet sites: Disabled"
ElseIf dwValue = 65536 Then
    Wscript.Echo "Intranet sites: Administrator Approved"
End If

You’re right: once you understand where (and how) the values are stored in the registry, this isn’t hard at all.

Just to save you some typing (and/or copying and pasting), here’s a script that returns information for all four security zones:

HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
ValueName = "1200"
objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, ValueName, dwValue

Wscript.Echo "Run ActiveX Controls and Plugins"

If IsNull(dwValue) Then
    Wscript.Echo "Intranet sites:  The value is either Null or could not be found in the registry."
ElseIf dwValue = 0 Then
    Wscript.Echo "Intranet sites: Enabled"
ElseIf dwValue = 1 Then
    Wscript.Echo "Intranet sites: Prompt"
ElseIf dwValue = 3 Then
    Wscript.Echo "Intranet sites: Disabled"
ElseIf dwValue = 65536 Then
    Wscript.Echo "Intranet sites: Administrator Approved"
End If

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"
ValueName = "1200"

objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, ValueName, dwValue

If IsNull(dwValue) Then
    Wscript.Echo "Trusted sites:  The value is either Null or could not be found in the registry."
ElseIf dwValue = 0 Then
    Wscript.Echo "Trusted sites: Enabled"
ElseIf dwValue = 1 Then
    Wscript.Echo "Trusted sites: Prompt"
ElseIf dwValue = 3 Then
    Wscript.Echo "Trusted sites: Disabled"
ElseIf dwValue = 65536 Then
    Wscript.Echo "Trusted sites: Administrator Approved"
End If

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ValueName = "1200"

objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, ValueName, dwValue

If IsNull(dwValue) Then
    Wscript.Echo "Internet sites:  The value is either Null or could not be found in the registry."
ElseIf dwValue = 0 Then
    Wscript.Echo "Internet sites: Enabled"
ElseIf dwValue = 1 Then
    Wscript.Echo "Internet sites: Prompt"
ElseIf dwValue = 3 Then
    Wscript.Echo "Internet sites: Disabled"
ElseIf dwValue = 65536 Then
    Wscript.Echo "Internet sites: Administrator Approved"
End If

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
ValueName = "1200"

objReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, ValueName, dwValue

If IsNull(dwValue) Then
    Wscript.Echo "Restricted sites:  The value is either Null or could not be found in the registry."
ElseIf dwValue = 0 Then
    Wscript.Echo "Restricted sites: Enabled"
ElseIf dwValue = 1 Then
    Wscript.Echo "Restricted sites: Prompt"
ElseIf dwValue = 3 Then
    Wscript.Echo "Restricted sites: Disabled"
ElseIf dwValue = 65536 Then
    Wscript.Echo "Restricted sites: Administrator Approved"
End If

Run the script and you should get back output similar to this:

Run ActiveX Controls and Plugins
Intranet sites: Enabled
Trusted sites: Enabled
Internet sites: Enabled
Restricted sites: Disabled

Is there more we could do here? Maybe; after all, we can also configure this registry value. But that’s a chore for another day.

Related Resources

Test your ActiveX Installation

More on Allowing Internet Explorer to enable ActiveX

Disable/Enable ActiveX components on Internet Explorer

IE8 Security Part II: ActiveX Improvements

Active X Controls-Fix Yours Today