A Browser Helper Object (BHO) is a DLL module designed as a plugin for the

Microsoft Microsoft Corporation is an American multinational corporation and technology company, technology conglomerate headquartered in Redmond, Washington. Founded in 1975, the company became influential in the History of personal computers#The ear ...

Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated as IE or MSIE) is a deprecation, retired series of graphical user interface, graphical web browsers developed by Microsoft that were u ...

web browser A web browser, often shortened to browser, is an application for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's scr ...

to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of

Windows Explorer File Explorer, previously known as Windows Explorer, is a file manager application and default desktop environment that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user i ...

, a new instance is launched for each window. BHOs are still supported as of Windows 10, through

Internet Explorer 11 Internet Explorer 11 (IE11) is the eleventh and final version of the Internet Explorer web browser, by now retired. It was initially included in the release of Windows 8.1, Windows RT, Windows RT 8.1 and Windows Server 2012 R2 on October 17, 2013 ...

, while BHOs are not supported in

Microsoft Edge Microsoft Edge is a Proprietary Software, proprietary cross-platform software, cross-platform web browser created by Microsoft and based on the Chromium (web browser), Chromium open-source project, superseding Edge Legacy. In Windows 11, Edge ...

Implementation

Each time a new instance of Internet Explorer starts, it checks the

Windows Registry The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, a ...

for the key ''HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects''. If Internet Explorer finds this key in the registry, it looks for a

CLSID A Universally Unique Identifier (UUID) is a 128-bit label used to uniquely identify objects in computer systems. The term Globally Unique Identifier (GUID) is also used, mostly in Microsoft systems. When generated according to the standard methods ...

key listed below the key. The CLSID keys under Browser Helper Objects tell the browser which BHOs to load. Removing the registry key prevents the BHO from being loaded. For each CLSID that is listed below the BHO key, Internet Explorer calls CoCreateInstance to start the instance of the BHO in the same process space as the browser. If the BHO is started and implements the IObjectWithSite interface, it can control and receive events from Internet Explorer. BHOs can be created in any language that supports

COM Com or COM may refer to: Computing * COM (hardware interface), a serial port interface on IBM PC-compatible computers * COM file, or .com file, short for "command", a file extension for an executable file in MS-DOS * .com, an Internet top-level ...

Examples

Some modules enable the display of different file formats not ordinarily interpretable by the browser. The

Adobe Acrobat Adobe Acrobat is a family of application software and web services developed by Adobe Inc. to view, create, manipulate, print and manage Portable Document Format (PDF) files. The family comprises Acrobat Reader (formerly Reader), Acrobat (former ...

plug-in that allows Internet Explorer users to read

PDF Portable document format (PDF), standardized as ISO 32000, is a file format developed by Adobe Inc., Adobe in 1992 to present documents, including text formatting and images, in a manner independent of application software, computer hardware, ...

files within their browser is a BHO. Other modules add toolbars to Internet Explorer, such as the

Alexa Toolbar Alexa Internet, Inc. was a web traffic analysis company based in San Francisco, California. It was founded as an independent company by Brewster Kahle and Bruce Gilliat in 1996. Alexa provided web traffic data, global rankings, and other inform ...

that provides a list of web sites related to the one you are currently browsing, or the

Google Toolbar Google Toolbar was a web browser toolbar for Internet Explorer, developed by Google. It was first released in 2000 for Internet Explorer 5 and above. Google Toolbar was also distributed as a Mozilla plug-in for Firefox from September 2005 to ...

that adds a toolbar with a Google search box to the browser

user interface In the industrial design field of human–computer interaction, a user interface (UI) is the space where interactions between humans and machines occur. The goal of this interaction is to allow effective operation and control of the machine fro ...

. The Conduit toolbars are based on a BHO that can be used on

Internet Explorer 7 Windows Internet Explorer 7 (IE7) (codenamed Rincon) is a version of Internet Explorer, a web browser for Windows. It was released by Microsoft on October 18, 2006. It was the first major update to the browser since 2001. It does not support ve ...

and up. This BHO provides a search facility that connects to

Bing Bing most often refers to: * Bing Crosby (1903–1977), American singer * Microsoft Bing, a web search engine Bing may also refer to: Food and drink * Bing (bread), a Chinese flatbread * Bing (soft drink), a UK brand * Bing cherry, a varie ...

search.

Concerns

The BHO

API An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build ...

exposes

hook A hook is a tool consisting of a length of material, typically metal, that contains a portion that is curved/bent back or has a deeply grooved indentation, which serves to grab, latch or in any way attach itself onto another object. The hook's d ...

s that allow the BHO to access the

Document Object Model The Document Object Model (DOM) is a cros s-platform and language-independent API that treats an HTML or XML document as a tree structure wherein each node is an object representing a part of the document. The DOM represents a document with ...

(DOM) of the current page and to control navigation. Because BHOs have unrestricted access to the Internet Explorer event model, some forms of

malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...

(such as adware and spyware) have also been created as BHOs. For example, the Download.ject malware is a BHO that is activated when a secure

HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...

connection is made to a financial institution, then begins to record keystrokes for the purpose of capturing user passwords. The

MyWay Searchbar Mindspark Interactive Network, Inc. was an operating business unit of IAC known for the development and marketing of entertainment and personal computing software, as well as mobile application development. Mindspark's mobile division acquired ...

tracks users' browsing patterns and passes the information it records to third parties. The C2.LOP malware adds links and popups of its own to web pages in order to drive users to

pay-per-click Pay-per-click (PPC) is an internet advertising model used to drive traffic to websites, in which an advertiser pays a publisher (typically a search engine, website owner, or a network of websites) when the ad is clicked. This differs from more t ...

websites. Many BHOs introduce visible changes to a browser's interface, such as installing toolbars in

and the like, but others run without any change to the interface. This renders it easy for malicious coders to conceal the actions of their browser add-on, especially since, after being installed, the BHO seldom requires permission before performing further actions. For instance, variants of the ClSpring trojan use BHOs to install scripts to provide a number of instructions to be performed such as adding and deleting registry values and downloading additional executable files, all completely transparently to the user.Computer Associates malware entry a
ca.com
retrieved 1/16/2009 In response to the problems associated with BHOs and similar extensions to Internet Explorer, Microsoft debuted an ''Add-on Manager'' in

Internet Explorer 6 Microsoft Internet Explorer 6 (IE6) is a web browser developed by Microsoft for Windows operating systems. Released on August 24, 2001, it is the sixth, and by now discontinued, version of Internet Explorer and the successor to Internet Explorer ...

with the release of Service Pack 2 for

Windows XP Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct successor to Windows 2000 for high-end and business users a ...

(updating it to IE6 Security Version 1, a.k.a. SP2). This utility displays a list of all installed BHOs,

browser extension A browser extension is a software module for customizing a web browser. Browsers typically allow users to install a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and st ...

s and

ActiveX control ActiveX is a deprecated software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly from the World Wide Web. ...

s, and allows the user to enable or disable them at will. There are also free tools (such as BHODemon) that list installed BHOs and allow the user to disable malicious extensions. Spybot S&D advanced mode has a similar tool built in to allow the user to disable installed BHO.

References

External links

Sites.google.com

Microsoft sites

''IEHelper-Attaching to Internet Explorer 4.0 by Using a Browser Helper Object''Control Internet Explorer Add-ons with Add-on Manager
n article on Microsoft.com that explains this new feature of Windows XP Service Pack 2
Building Browser Helper Objects with Visual Studio 2005
n October 2006 MSDN article by Tony Schreiner and John Sudds

Listings and examples

CLSID List
aster list created by Tony Kleinkramer, which attempts to record and identify every BHO available (previously located atthe now defunct castlecops.com)also includes Toolbar, Explorer Bar and URLSearchHook GUIDs
C++ example code for a BHOC# example code for a BHO
{{Web interfaces Internet Explorer