Add-In Security
Note
In Visual Studio 2013, add-ins are deprecated. We recommend that you upgrade your add-ins to VSPackage extensions. For more information, see FAQ: Converting Add-ins to VSPackage Extensions.
So that you can prevent malicious add-ins from automatically activating, Visual Studio provides settings on the Environment, Add-in Security page in the Tools, Options dialog box. Also on this page, you can restrict the number of folders in which Visual Studio searches for .addin registration files.
Add-In Security Settings
The settings on the Add-in Security page include:
Allow add-in components to load. When this check box is selected, add-ins can load. Selected by default.
Allow add-in components to load from a URL. When this check box is selected, add-ins can load from external websites. If an add-in cannot load for some reason, then it cannot load from the web. This setting controls only the loading of the add-in DLL. The .addin registration files must always be located on the local system.
Default Search Locations for .addin Files
In addition to the security settings, the Add-in Security page lists folders in which to search for .addin registration files. By default, these path tokens are included:
%ALLUSERSDOCUMENTS%
%ALLUSERSPROFILE%
%APPDATA%
%VSAPPDATA%
%VSCOMMONAPPDATA%
%VSMYDOCUMENTS%
When Visual Studio searches for .addin files, it uses the following paths in place of the tokens:
Token |
Path |
|---|---|
%ALLUSERSDOCUMENTS% |
%PUBLIC%\Documents\ |
%ALLUSERSPROFILE% |
%ALLUSERSPROFILE% (defined by the operating system) |
%APPDATA% |
%USERPROFILE%\AppData\ |
%VSAPPDATA% |
%USERPROFILE%\AppData\Roaming\Microsoft\Visual Studio\<Version>\ Or %USERPROFILE%\AppData\Local\Microsoft\Visual Studio\<Version>\ |
%VSCOMMONAPPDATA% |
%ProgramData%\Microsoft\Visual Studio\<Version>\ |
%VSMYDOCUMENTS% |
<My Documents>\Visual Studio 2013\ |
Note
Some of these default paths may not exist on your system.
You can remove a predefined token by selecting it and then choosing Remove.
You can add a folder to the search list by choosing Add and then specifying it in the Browse for Folder dialog box. For more information, see Add-In Registration.
Restricting Modifications on the Add-in Security Page
An administrator who changes the settings on the page Add-in Security can write values to any key under HKEY_LOCAL_MACHINE\, which modifies those settings for all users of that computer.
To prevent unauthorized modification of the settings on the Add-in Security page, an administrator can set the AllowUserToModifySecuritySettings value in the system registry. This value is stored under the HKEY_LOCAL_MACHINE\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ key. If the value is set to 0, then the options on the Add-in Security page cannot be changed except by an administrator.
The settings for the Add-in Security page are stored in the registry under the HKEY_LOCAL_MACHINE\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ and HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ keys. Visual Studio first looks under HKEY_LOCAL_MACHINE\ for key values and then under HKEY_CURRENT_USER. Under this design, an administrator can enable the loading of add-ins, but a user can still disable loading; however, if an administrator has disabled loading, a non-administrator user cannot enable them.
If the loading of add-ins is enabled, then the folders specified under the HKLM\SOFTWARE\Microsoft\VisualStudio\11.0\AutomationOptions\LookInFolders\ and HKCU\SOFTWARE\Microsoft\VisualStudio\11.0\AutomationOptions\LookInFolders\ keys are searched for .addin files.