6

I have used the Notepad++ installer several times. However, it caught my eye that in one of the installer windows there is an option of:

"Allow plugins to be loaded from %APPDATA%." Below it there is a warning that says "It could cause a security issue. Turn it on if you know what you are doing."

I came across this question whose answer left me with the impression that it has to do with User Access Control (UAC). However, I would like to get an expert voice on the issue.


  • to enumerate: other apps have read/write perms, so they could steal cached sftp login credentials, cached copies of docs, private path shortcuts, etc. – dandavis Jul 19 '16 at 19:15

1 Answer

9

The issue is that %APPDATA% can be written to by any application being run by that user (%APPDATA% is different for each user) - any app that is run can add a plugin there, which may do something evil if enabled.

In modern versions of Windows, the installation directories (i.e. Program Files) are protected, only elevated processes/users can write there. That means that if the plugins are coming from there, you can be assured that the user deliberately installed them. (Unless, of course, they are in the habit of clicking yes to every question they are asked, in which case, they are beyond help)

techraf
crovers
  • This link may be helpful - https://en.wikipedia.org/wiki/User_Account_Control – Neil Smithline Jul 19 '16 at 20:07
  • +1 for the environment variable thing. "Unless they are [...] clicking yes to every question they are asked, in which case, they are beyond help" mmd – marstato Jul 19 '16 at 21:08
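The difference the answer describes shows up directly in the directory ACLs. As an added example (not part of the original posts), this Python sketch parses `icacls` output for a plugin directory and lists principals outside a trusted set that can write there. The `Notepad++\plugins` subpaths, the account `DESKTOP-01\alice`, the trusted set and both ACL listings are constructed assumptions.

```python
import re

# icacls right codes that allow creating or replacing files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "GW", "GA", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Assumption: principals that only elevated code can act as on a default install.
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators",
           r"NT SERVICE\TrustedInstaller", "CREATOR OWNER"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

def untrusted_writers(path, icacls_output):
    """Return sorted principals outside TRUSTED with an allow-ACE granting write."""
    found = set()
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line is "<path> <first ACE>"
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:
            continue                       # blank lines, "Successfully processed..."
        groups = re.findall(r"\(([^)]*)\)", m["groups"])
        if "DENY" in groups:
            continue                       # deny entries grant nothing
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        if rights & WRITE_RIGHTS and m["who"] not in TRUSTED:
            found.add(m["who"])
    return sorted(found)

# Constructed icacls listings for the two plugin locations (not captured output).
PF_DIR = r"C:\Program Files\Notepad++\plugins"
PF_ACL = "\n".join([
    PF_DIR + r" NT SERVICE\TrustedInstaller:(I)(F)",
    r"    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    r"    BUILTIN\Administrators:(I)(OI)(CI)(F)",
    r"    BUILTIN\Users:(I)(OI)(CI)(RX)",
    r"    CREATOR OWNER:(I)(OI)(CI)(IO)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
APPDATA_DIR = r"C:\Users\alice\AppData\Roaming\Notepad++\plugins"
APPDATA_ACL = "\n".join([
    APPDATA_DIR + r" NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    r"    BUILTIN\Administrators:(I)(OI)(CI)(F)",
    r"    DESKTOP-01\alice:(I)(OI)(CI)(F)",
])

if __name__ == "__main__":
    for d, acl in ((PF_DIR, PF_ACL), (APPDATA_DIR, APPDATA_ACL)):
        print(d, "->", untrusted_writers(d, acl) or "only trusted writers")
```

On a real machine, pass the text printed by `icacls <directory>` together with the same directory string so the path prefix on the first line is stripped correctly.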