6

Our Windows application makes use of some open source components in the form of their publicly released executables. (One example is 7za.exe that we use to zip old log files.)

We do not want users to directly use these internals, just because they happen to get shipped with our application. (Security audit headaches; update problems, when users start relying on these; etc.)

It is well known that you can execute any file type on windows, the extensions are just a convenience when interacting via Windows Explorer.

Given that we run these via Process.Start call from our app anyway, someone suggested to just rename the files, so instead of ...\tools\7za.exe our program folder would contain ...\tools\7za.internal_tool (<< note that .internal_tool is now the extension; user cannot start it with explorer).

What would be the technical, engineering and/or organizational challenges with this approach?

Martin Ba
  • 7,862

1 Answers1

20

There are easier ways to achieve the desired effect for the overwhelming majority of your users.

  1. Clearly write in your documentation that the set of internal tools that get shipped is subject to change without notice. The primary purpose is to have something to point at when a customer does complain about their favorite tool being dropped.
  2. Make sure the tools do not get registered with the start menu or as a handler for a certain file type. That will keep a large portion of your users already from knowing about those internal tools.
  3. Make sure the folder with the tools is not present on the PATH variable. That will prevent the tools from accidentally being found from the command line.

With the previous two steps, you have hidden the tools to the extent that people need to start looking through your installation folders. The next steps are to make it clearer to the people doing that that there is nothing interesting there.

  1. Name the folder containing these tools something like internal to make it clear to those who are too curious for their own good that they cannot rely on the content of that folder.
  2. You might even mark the folder as hidden, so it doesn't even show up for most users.

The only people you won't stop with this are programmers and other people that think they know better. But those will also not be stopped by using a weird extension.

Bart van Ingen Schenau
  • 78,673