WMF flaw being exploited

The flaw in the processing of (yet another) graphics file, the WMF file, is actively being exploited to load spyware and other nasties. At the moment there is no patch available, and the workaround on the above site is to disable the Windows Picture and Fax Viewer engine by doing the following. (I wish the unregistration was silent, as I could then deploy it in a login script. By adding a /s before the %windir% it becomes silent, so I *can* deploy. I’ll make a check to see whether it has already been deployed and then unregister it if it hasn’t.)

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).


  1. Martin


    Would you mind sharing the script you’re using to check if it’s disabled before unregistering the DLL?

  2. me

    I actually do the following in the login script. This works as it first ensures that the scripts directory exists, then checks for the existence of the wmfdisabled.txt file, and if it doesn’t exist it runs the uninstall and then creates the file.

    if not exist c:\scripts\nul md c:\scripts
    if not exist c:\scripts\wmfdisabled.txt (regsvr32 /s -u %windir%\system32\shimgvw.dll) & (date /t>c:\scripts\wmfdisabled.txt)
