From 549b32e273a5fd715fc357a1695f4870271de021 Mon Sep 17 00:00:00 2001 
From: moooyo <42196638+moooyo@users.noreply.github.com> Date: Wed, 18 Mar 2026 13:35:45 +0800 Subject: [PATCH] [Security][Hosts] Remove open method lookup and hardcode the notepad to open host editor (#46194) ## Summary of the Pull Request **This is a security issue fix** The Hosts Editor module supports opening the hosts file in the user's default editor. To find the editor, it reads a registry key and passes the value as a parameter to Process.Start. In most cases this works well. However, the Hosts Editor module launches with admin permission, while the registry value can be modified with the user's permission (without a UAC request). Malware may therefore change the registry value, and if the user then clicks the open button, the dangerous command written in the registry may be called. ## PR Checklist - [x] Closes: #46195 - [ ] **Communication:** I've discussed this with core contributors already. If the work hasn't been agreed, this work might be rejected - [ ] **Tests:** Added/updated and all pass - [ ] **Localization:** All end-user-facing strings can be localized - [ ] **Dev docs:** Added/updated - [ ] **New binaries:** Added on the required places - [ ] [JSON for signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json) for new binaries - [ ] [WXS for installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs) for new binaries and localization folder - [ ] [YML for CI pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml) for new test projects - [ ] [YML for signed pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml) - [ ] **Documentation updated:** If checked, please file a pull request on [our docs repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys) and link it here: #xxx ## Detailed Description of the Pull Request / Additional comments ## Validation Steps Performed --------- 
Co-authored-by: Yu Leng (from Dev Box) Co-authored-by: Claude Opus 4.6 (1M context) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../Hosts/HostsUILib/Helpers/HostsService.cs | 60 ++-----------------
 1 file changed, 6 insertions(+), 54 deletions(-)
diff --git a/src/modules/Hosts/HostsUILib/Helpers/HostsService.cs b/src/modules/Hosts/HostsUILib/Helpers/HostsService.cs
index 9b16e04f20..0746f93f5c 100644
--- a/src/modules/Hosts/HostsUILib/Helpers/HostsService.cs
+++ b/src/modules/Hosts/HostsUILib/Helpers/HostsService.cs
@@ -16,7 +16,6 @@ using System.Threading.Tasks;
 using HostsUILib.Exceptions;
 using HostsUILib.Models;
 using HostsUILib.Settings;
-using Microsoft.Win32;
 namespace HostsUILib.Helpers
 {
@@ -223,64 +222,17 @@ namespace HostsUILib.Helpers
 public void OpenHostsFile()
 {
- var notepadFallback = false;
-
 try
 {
- // Try to open in default editor
- var key = Registry.ClassesRoot.OpenSubKey("SystemFileAssociations\\text\\shell\\edit\\command");
- if (key != null)
- {
- var commandPattern = key.GetValue(string.Empty).ToString(); // Default value
- var file = null as string;
- var args = null as string;
-
- if (commandPattern.StartsWith('\"'))
- {
- var endQuoteIndex = commandPattern.IndexOf('\"', 1);
- if (endQuoteIndex != -1)
- {
- file = commandPattern[1..endQuoteIndex];
- args = commandPattern[(endQuoteIndex + 1)..].Trim();
- }
- }
- else
- {
- var spaceIndex = commandPattern.IndexOf(' ');
- if (spaceIndex != -1)
- {
- file = commandPattern[..spaceIndex];
- args = commandPattern[(spaceIndex + 1)..].Trim();
- }
- }
-
- if (file != null && args != null)
- {
- args = args.Replace("%1", HostsFilePath);
- Process.Start(new ProcessStartInfo(file, args));
- }
- else
- {
- notepadFallback = true;
- }
- }
+ var notepadPath = Path.Combine(
+ Environment.GetFolderPath(Environment.SpecialFolder.Windows),
+ "System32",
+ "notepad.exe");
+ Process.Start(new ProcessStartInfo(notepadPath, HostsFilePath));
 }
 catch (Exception ex)
 {
- LoggerInstance.Logger.LogError("Failed to open default editor", ex);
- notepadFallback = true;
- }
-
- if (notepadFallback)
- {
- try
- {
- Process.Start(new ProcessStartInfo("notepad.exe", HostsFilePath));
- }
- catch (Exception ex)
- {
- LoggerInstance.Logger.LogError("Failed to open notepad", ex);
- }
+ LoggerInstance.Logger.LogError("Failed to open notepad", ex);
 }
 }
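Review bot: Nothing in the new `try` block of `OpenHostsFile` records why the editor is pinned, so a later change could reintroduce the per-user lookup that the commit description identifies as unsafe for an elevated process; a comment above `var notepadPath` such as `// Security: Hosts runs elevated, so the editor must not be resolved from user-writable registry values or PATH.` would keep the constraint visible. The launch also relies on the runtime default for `UseShellExecute`; setting `UseShellExecute = false` explicitly on the `ProcessStartInfo` would make it clear that the absolute path goes straight to process creation rather than through shell resolution. `Environment.GetFolderPath` is documented to return an empty string when a folder cannot be resolved, which would turn the combined path into a relative one, so `Path.Combine(Environment.SystemDirectory, "notepad.exe")` may be the simpler anchor. The hunk appears to cover the whole method body, though indentation and blank context lines are not recoverable from the page.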