Does Windows 8 include the Windows Help program (WinHlp32.exe)?

9

In 2011, Symantec reported on the use of the Windows Help File (.hlp) extension as an attack vector in targeted attacks.

The functionality of the help file permits a call to the Windows API which, in turn, permits shell code execution and the installation of malicious payload files. This functionality is not an exploit, but is there by design.

Here's the malicious WinHelp files (Bloodhound.HLP.1 & Bloodhound.HLP.2) detection heat map:


I would like to know if the Windows Help program exists on my Windows 8 machine by default, because if it does I might need to remove it for security reasons.

Does Windows 8 include the Windows Help program (WinHlp32.exe)?

amiregelz

Posted 2012-11-05T14:15:18.410

Reputation: 6 965

It was my impression that Microsoft discontinued the use of this file format several years ago. They moved to a new, similar file format; you should use that format. I seriously doubt this attack vector can even be used currently. – Ramhound – 2012-11-05T14:23:17.597

Answers

14

C:\Windows\winhlp32.exe installed with Windows 8 is a stub only (~10KB). It does not show or open .hlp files! You have no need to erase this file.

There is an optional update, KB917607 (.msu), for Windows 8 which allows working with .hlp files, but this update may be installed manually by the user only. After installing this update, C:\Windows\winhlp32.exe will be more than 100KB (can't say exactly).

Maximus

Posted 2012-11-05T14:15:18.410

Reputation: 19 395

On x64 Windows Enterprise after applying that update, winhlp32.exe is 287,744 bytes. – Mark Allen – 2012-11-05T18:53:45.677

1 This is true on Win 7 as well (at least the Win 7 pro 64-bit I have here). Unfortunately, a fair number of programs I use haven't got the memo and updated to the newer help system. Hey, it's only been a decade.... – RBerteig – 2012-11-05T23:18:45.690

I edited your post just to get back my downvote and make it +1. I had misunderstood it, but now I realize that I was wrong. :P – avirk – 2012-11-13T02:36:36.967

1 This has been true since Vista, and yea they introduced KB917607 as an optional add-on to restore Winhlp32 if it is needed. – Yuhong Bao – 2012-11-25T06:22:08.133
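A way to check the stub-versus-full-viewer distinction described in the answer above, as an added PowerShell example that is not part of the original posts. The function name `Get-WinHelpStatus` is hypothetical, and the 100 KB threshold is an assumption taken from the sizes quoted in the answer (stub about 10 KB, full viewer more than 100 KB), not from Microsoft documentation.

```powershell
# Added example: classify winhlp32.exe as the default stub or the full
# WinHelp viewer restored by the optional update KB917607.
function Get-WinHelpStatus {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:WINDIR 'winhlp32.exe'),
        # Assumption: anything at or below 100 KB is the stub (answer quotes ~10 KB).
        [long]$StubMaxBytes = 100KB
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue

    # Get-HotFix only lists updates the servicing stack has recorded, so a
    # miss here means "not reported", which is why size is checked as well.
    $kb = Get-HotFix -Id 'KB917607' -ErrorAction SilentlyContinue

    if (-not $file) {
        $state = 'Missing'
    } elseif ($file.Length -le $StubMaxBytes) {
        $state = 'Stub'
    } else {
        $state = 'FullViewer'
    }

    $size = $null
    $version = $null
    if ($file) {
        $size = $file.Length
        $version = $file.VersionInfo.FileVersion
    }

    [pscustomobject]@{
        Path             = $Path
        State            = $state
        SizeBytes        = $size
        FileVersion      = $version
        KB917607Reported = [bool]$kb
        # Flag the inconsistent cases worth a closer look: a large binary
        # without the update on record, or the update on record with a stub.
        NeedsReview      = ($state -eq 'FullViewer') -xor [bool]$kb
    }
}

Get-WinHelpStatus | Format-List
```

A `State` of `FullViewer` means .hlp files can actually be opened on that machine, which is the condition the comments identify as the one that matters.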

6

Clean Install Windows Pro RTM OEM, all the winhlp32 stub does is open the Help and support window. Right click open with or double click gets the support window.

It must be manually installed


Moab

Posted 2012-11-05T14:15:18.410

Reputation: 54 203

That is what I'm talking about in my answer :P – avirk – 2012-11-05T16:27:54.567

2 @avirk: Actually Moab's answer confirms what Maximus said, that while the EXE might exist by default, it is just a mere stub and will not actually open .HLP files, and thus cannot act as an attack vector. After installing the update the EXE is replaced with a bigger one that's not a stub and actually works, which is when it could pose a threat if infected .HLPs were opened. – Karan – 2012-11-05T17:03:42.223

0

I have just tried running it on Windows 8 and it works, so it's definitely there.
There are also references to Windows 8 on MSDN.

Before you delete it, you might want to check if this "functionality" has been toned down so that it cannot be used maliciously anymore.

Razor

Posted 2012-11-05T14:15:18.410

Reputation: 1 280