HTML Application

HTML Application (HTA)
Filename extension: .hta
Internet media type: application/hta
Magic number: %hta
Developed by: Microsoft
Website: learn.microsoft.com/en-us/previous-versions/ms536471(v=vs.85)?redirectedfrom=MSDN

An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. The HTML is used to generate the user interface, and the scripting language is used for the program logic. An HTA executes without the constraints of the internet browser security model; in fact, it executes as a "fully trusted" application.

The usual file extension of an HTA is .hta.

The ability to execute HTAs was introduced to Microsoft Windows in 1999, along with the release of Microsoft Internet Explorer 5. [1] On December 9, 2003, this technology was patented. [2]

Uses

HTAs give the developer the features of HTML together with the advantages of scripting languages. They are popular with Microsoft system administrators who use them for system administration from prototypes to "full-scale" applications, especially where flexibility and speed of development are critical. [3]

Environment

Execution

Figure: an example window produced by mshta.exe.

An HTA is executed using the program mshta.exe or, alternatively, by double-clicking the file. This program is typically installed along with Internet Explorer. mshta.exe executes the HTA by instantiating the Internet Explorer rendering engine (mshtml) as well as any required language engines (such as vbscript.dll).

An HTA is treated like any executable file with extension .exe. When executed via mshta.exe (or if the file icon is double-clicked), it runs immediately. When executed remotely via the browser, the user is asked once, before the HTA is downloaded, whether or not to save or run the application; if saved, it can simply be run on demand after that. [3]

By default, HTAs are rendered as per "standards-mode content in IE7 Standards mode and quirks mode content in IE5 (Quirks) mode", but this can be altered using X-UA-Compatible headers. [3]

HTAs are dependent on the Trident (MSHTML) browser engine, used by Internet Explorer, but are not dependent on the Internet Explorer application itself. If a user removes Internet Explorer from Windows, via the Control Panel, the MSHTML engine remains and HTAs continue to work. HTAs continue to work in Windows 11 as well.

HTAs are fully supported running in modes equivalent to Internet Explorer versions 5 to 9. Further versions, such as 10 and 11, still support HTAs though with some minor features turned off. [citation needed]

Security considerations

When a regular HTML file is executed, the execution is confined to the security model of the web browser. This means it is confined to communicating with the server, manipulating the page's object model (usually to validate forms and/or create interesting visual effects) and reading or writing cookies.

On the other hand, an HTA runs as a fully trusted application and therefore has more privileges than a normal HTML file; for example, an HTA can create, edit and remove files and registry entries. Although HTAs run in this 'trusted' environment, querying Active Directory can be subject to Internet Explorer Zone logic and associated error messages.

Development

To customize the appearance of an HTA, an optional tag hta:application was introduced to the HEAD section. This tag exposes a set of attributes that enable control of border style, the program icon, etc., and provide information such as the argument (command line) used to launch the HTA. [4] Otherwise, an HTA has the same format as an HTML page.

Any text editor can be used to create an HTA. Editors with special features for developing HTML applications may be obtained from Microsoft [5] or from third-party sources. [6]

An existing HTML file (with file extension .htm or .html, for example) can be changed to an HTA by simply changing the extension to .hta.
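Because an HTA is ordinary HTML plus a fully trusted script, it can be reviewed statically before it is allowed to run: the hta:application attributes show what the window declares, and the COM objects the script creates show whether it reaches for the file system or the registry. The following Python is an added example, not code from the original page; the sample HTA, the function name `review_hta` and the short ProgID list are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# COM ProgIDs that give script file, registry or process access (short illustrative list).
SENSITIVE_PROGIDS = {"scripting.filesystemobject": "file system access",
                     "wscript.shell": "registry access and process launch"}
# Matches VBScript CreateObject("X") and JScript new ActiveXObject("X").
COM_CALL = re.compile(r'(?:CreateObject|ActiveXObject)\s*\(\s*["\']([^"\']+)["\']', re.I)
# Constructed sample HTA, embedded so the example runs offline.
SAMPLE_HTA = """<html><head>
<hta:application id="InventoryTool" border="thin" />
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")
</script></head><body><h2>Inventory</h2></body></html>"""


class HtaReview(HTMLParser):
    """Collects hta:application attributes, script languages and script text."""
    def __init__(self):
        super().__init__()
        self.app_attrs, self.languages, self.scripts = {}, set(), []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "hta:application":          # HTMLParser lower-cases tag names
            self.app_attrs = attrs
        elif tag == "script":
            self._in_script = True
            self.languages.add(attrs.get("language", "unspecified").lower())

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def review_hta(text):
    """Return what an HTA declares and which sensitive COM objects its script creates."""
    parser = HtaReview()
    parser.feed(text)
    parser.close()
    progids = sorted({p.lower() for p in COM_CALL.findall("".join(parser.scripts))})
    flagged = {p: SENSITIVE_PROGIDS[p] for p in progids if p in SENSITIVE_PROGIDS}
    return {"app": parser.app_attrs, "languages": sorted(parser.languages),
            "progids": progids, "flagged": flagged}
```

ProgIDs assembled at run time from string fragments will not match the pattern, so an empty `flagged` result narrows a review rather than clearing the file.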

Vulnerabilities

HTAs have been used to deliver malware. [7] [8] One particular HTA, named 4chan.hta (detected by antivirus software as JS/Chafpin.gen), was widely distributed by users of the imageboard as a steganographic image: users were instructed to download the picture as an HTA file which, when executed, would cause the computer to automatically spam the website (evading 4chan's CAPTCHA in the process) with alternate variants of itself. It was reported that such attacks had previously been delivered by prompting the user to save the file as a .js file. [9]
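The 4chan.hta case worked because the file's apparent type (a picture) and its content (HTA markup) disagreed, so a defensive check has to classify files by content rather than by name. The following Python is an added example, not part of the original page; the sample files are constructed, and the verdict labels and function names are assumptions made for illustration.

```python
import re

# Leading bytes of common image formats.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}
# Markup that makes a file meaningful to mshta.exe once it is opened as an HTA.
HTA_MARKUP = re.compile(rb"<(hta:application|script)\b", re.I)
HTML_EXTS = {"hta", "htm", "html"}

# Constructed sample files (name -> bytes), embedded so the example runs offline.
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"<script>/* constructed */</script>",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "hello.hta": b'<html><head><hta:application id="HelloExample"/></head></html>',
    "notes.txt": b'<HTA:APPLICATION ID="x"/><SCRIPT></SCRIPT>',
}


def image_type(data):
    """Return the image format named by the file's leading bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage(filename, data):
    """Classify a file by content, so a renamed or disguised HTA is not trusted by name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = image_type(data)
    markup = sorted({m.group(1).lower().decode() for m in HTA_MARKUP.finditer(data)})
    if markup and kind:
        verdict = "image-with-script-markup"       # image header and markup in one file
    elif markup and ext not in HTML_EXTS:
        verdict = "markup-behind-other-extension"  # becomes an HTA if renamed to .hta
    elif markup:
        verdict = "html-or-hta"
    else:
        verdict = "no-hta-markup"
    return {"file": filename, "image": kind, "markup": markup, "verdict": verdict}


def triage_all(files):
    """Run triage over a mapping of file name to file bytes."""
    return [triage(name, data) for name, data in files.items()]
```

This is a triage heuristic: compressed image data can contain the marker bytes by coincidence, so a hit is a reason to inspect the file, not a final verdict.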

Example

This is an example of Hello World as an HTML Application.

<HTML>
<HEAD>
<HTA:APPLICATION ID="HelloExample"
   BORDER="thick"
   BORDERSTYLE="complex"/>
<TITLE>HTA - Hello World</TITLE>
</HEAD>
<BODY>
<H2>HTA - Hello World</H2>
</BODY>
</HTML>

References

  1. Article ID:200874 in Microsoft Support, in Microsoft Support Knowledge Base
  2. Microsoft wins HTML application patent
  3. "Introduction to HTML Applications (HTAs)". Microsoft MSDN. May 2011. Retrieved 24 June 2016. Sections include Why Use HTAs, Creating an HTA, HTA-Specific Functionality, Security, Compatibility, Deployment
  4. HTA:APPLICATION Object, in MSDN Library, the complete specification of the tag hta:application
  5. HTA Helpomatic
  6. HTAEdit, an editor for HTAs with a built-in debugger
  7. "Spora Ransomware Dropper Uses HTA to Infect System". VMRay. 2017-01-17. Retrieved 2018-12-22.
  8. "8 Scariest Ransomware Viruses". Retrieved 2018-12-22.
  9. Constantin, Lucian (2010-08-10). "4chan Flood Script Is Back with New Social Engineering Trick". Softpedia. Retrieved 2021-11-09.