Analysis of Microsoft's AutoComplete Function
An Examination of this Function within Internet Explorer
by Thomas Rude, CISSP
If you use Internet Explorer (IE), you may have noticed a feature that lets IE essentially 'fill in the blanks' for you in some control boxes (such as URL, user name, password, etc.). This feature is a function called 'AutoComplete' and is part of the IntelliSense technology incorporated into IE by Microsoft. IntelliSense has been included in IE4 and all subsequent versions. There are two benefits behind this function: one is a time savings (by reducing the time needed to input data) and the other is a memory savings (by remembering past strings so you do not have to).
As a high level overview, AutoComplete works in the following manner: as you type in a string previous entries are pulled from a storage area and you may elect to simply select one of these entries. By selecting an entry, you no longer have to input the string because AutoComplete finishes entering the string for you. For example, you begin entering the following URL in the Address Edit Control Box within Internet Explorer:
After the letter 'k' has been entered, AutoComplete attempts to finish the string by pulling all "http://www.k***" from the storage area. The possible entries will be displayed in a drop down box:
...and so on. By moving the mouse to the entry you wish to select and clicking, AutoComplete finishes entering the string into the Address Edit Control Box. This is dependent, of course, on AutoComplete being ENABLED.
In order to better understand the AutoComplete function, I have decided to present the following information. This is a low level analysis of AutoComplete, and it is based on a few hours of my digging through my Registry, Applications, and the Microsoft web site - not to mention cans of Mt. Dew! Please feel free to contact me if you have any information you would like to share, as I do plan on a revision in the future.
To start, Edit Controls are used by the MS Win32 API. They are a means of communication between you (the user) and the application. This communication is facilitated via the creation of control and dialog boxes. These boxes may include the Address Box in Internet Explorer, the Open Box in START, RUN, and an input area on a form within a web site (such as 'home address').
The information pulled by AutoComplete is stored in the AutoComplete Data Store ('autoDS' as I call it). The autoDS is stored within the Windows operating system in an encrypted form. More specifically, this autoDS information is stored with the user's profile. For example, if UserBOB logs on to a PC that has his profile (AutoComplete Enabled) and surfs the web, using AutoComplete to fill in information, and then logs off the computer, that information is stored in UserBOB's autoDS. So, if UserOLIVER comes along and logs on to the same computer, UserOLIVER will not be able to pull UserBOB's AutoComplete information.
The AutoComplete function simply expands partial strings into complete strings as they are entered into an Edit Control Box. Our example above deals with the Address Edit Control Box embedded in the Internet Explorer toolbar. As the user enters in a URL in that control box the AutoComplete function expands the string based on the characters entered into 1 or more URLs (which are stored in the autoDS). According to Microsoft, there are two sources for the AutoComplete function:
1) CLSID_ACLHistory = matches against the URL list in the user's History list
2) CLSID_ACLMRU = matches against the URL list in the user's Recently Used list
There are 3 components required by the AutoComplete function:
1) AutoCompletion Client = any window (for example, a dialog box) that hosts an EDIT CONTROL
2) AutoCompletion Object = CLSID_AutoComplete is provided by the Windows operating system as the object that handles the user interface, parsing, and the background thread management.
3) AutoCompletion List Object = could be any list specified by the programmer. This object provides the list of available strings to the AutoCompletion Object.
AutoComplete is not just available to the Address box within Internet Explorer. This technology is available to all web programmers in their design of forms. Each programmer can choose what information may be saved to the autoDS, which is why smart programming and an awareness of security are essential. For example, you probably do not want your credit card number to be remembered and stored (but it could be)!
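One way to check a form for this, as an added example that is not part of the original article: the script below flags sensitive input fields that are not covered by the HTML autocomplete="off" attribute, which the article does not name but which is the per-form and per-field control a web programmer sets. The keyword list and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: name fragments that mark a field as sensitive; tune for your forms.
SENSITIVE = ("card", "cvv", "ssn", "pass", "account")
# Input types that carry no typed text and are never offered for completion.
SKIP_TYPES = ("hidden", "submit", "button", "reset", "image", "checkbox", "radio", "file")

class AutoCompleteAudit(HTMLParser):
    """Collect sensitive <input> fields not covered by autocomplete="off"."""
    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside <form autocomplete="off">
        self.findings = []     # (line number, field name)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type", "text") not in SKIP_TYPES:
            name = a.get("name") or a.get("id") or ""
            setting = a.get("autocomplete")
            # An attribute on the input itself overrides the form-wide setting.
            disabled = self.form_off if setting is None else setting == "off"
            if not disabled and any(s in name for s in SENSITIVE):
                self.findings.append((self.getpos()[0], name))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    """Return [(line, field_name)] for sensitive fields left open to AutoComplete."""
    parser = AutoCompleteAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample page (not from the article).
SAMPLE = """\
<form action="/order" method="post">
  <input type="text" name="home_address">
  <input type="text" name="card_number">
  <input type="text" name="cvv" autocomplete="off">
</form>
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="account_id">
  <input type="password" name="password" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the card number field is reported because nothing disables completion for it, and the password field is reported because its own attribute re-enables completion inside a form that turned it off.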
One other note I would like to make: there is a parameter used in the initialization of the AutoComplete Object, pwszRegKeyPath.
pwszRegKeyPath points to a string that gives the Registry path to be used in the AutoComplete function. The VALUE NAME is included in the string. AutoComplete looks first to \HKEY_CURRENT_USER\ in the Registry for the path. If the path is NOT found, AutoComplete then looks in \HKEY_LOCAL_MACHINE\ for the path. This makes sense as the autoDS contains the string information and is connected with the user profile. Given that there may be more than 1 profile on the system, the \HKEY_CURRENT_USER\ hive would seem the logical choice for the pointer to the path that contains the AutoComplete information.
If you are curious as to the nuts and bolts, here is a way to see it all:
1) fire up STRACE to watch the system calls (on an NT system)
2) fire up windump (or another win32 sniffer) and log the packets to a file for later parsing
3) fire up REGMON (sysinternals), configure a filter, and watch the results
4) fire up handleEx (sysinternals) and watch the files, registry keys and DLLs
As a *hint* watch the following: