Windows XP And Windows Server 2003 Zero-Day Vulnerability

Martin Brinkmann
Jun 16, 2010
Updated • Dec 11, 2014
Security, Windows XP

A vulnerability in the component Windows Help and Support Center was discovered recently that can be exploited for remote code execution on affected systems. Only Windows XP and Windows Server 2003 are affected by it though and not newer versions of the operating system.

Microsoft is aware of limited targeted attacks that exploit the vulnerability which is reason enough to patch the issue right away on affected PCs. These attacks use specially crafted links on web pages or email messages with the hcp:// prefix instead of http://.

The HCP protocol is used to execute links in the Help and Support Center. The threat is caused by the Windows Help and Support Center not properly validating links that use the HCP protcol.

Attackers who successfully exploit the vulnerability can take complete control of the system if the user is logged in with administrative privileges. The vulnerability can only be exploited if the user clicks on a prepared link though.

Microsoft has created a Fix-It script that can be used to protect Windows XP and Windows Server 2003 systems from the vulnerability.

The script disables the threat by unregistering the HCP protocol on the target system.

A manual workaround was also posted

  • 1. Click Start, click Run, type Regedit in the Open box, and then click OK
  • 2. Locate and then click the following registry key:
  • 3.Click the File menu and select Export
  • 4.In the Export Registry File dialog box, enter HCP_Procotol_Backup.reg and click Save. Note This will create a backup of this registry key in the My Documents folder by default.
  • 5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.

Using a Managed Deployment Script

  • 1. Create a backup copy of the registry keys by using a managed deployment script that contains the following commands:Regedit.exe /e HCP_Protocol_Backup.regHKEY_CLASSES_ROOT\HCP
  • 2. Next, save the following to a file with a .REG extension, such as Disable_HCP_Protocol.reg:Windows Registry Editor Version 5.00[-HKEY_CLASSES_ROOT\HCP]
  • 3. Run the above registry script on the target machine with the following command from an elevated command prompt: Regedit.exe /s Disable_HCP_Protocol.reg

Disabling the HCP protocol will break all links, be they local or remote, that use the HCP procotol.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. tommyb said on July 1, 2010 at 11:55 pm

    typographic error in your solution. there is no such key as HKEY_CLASSES_ROOTHCP. You left our an important \. according to microsoft, the key is HKEY_CLASSES_ROOT\HCP (at

    Also, worth noting that the fix-it tool microsoft provides does not work. Look for the key in regedit. Run the tool. Note in regedit that the key is still present…

    1. Martin said on July 2, 2010 at 12:05 am

      I have not forgotten them, WordPress did not like them. Thanks for letting me know, code has been changed, now they are displayed.

  2. dwarf_tossr said on June 16, 2010 at 7:27 pm

    HCP protocol was disabled, and nothing of value was lost. Great and informative post.

  3. anon said on June 16, 2010 at 1:12 pm

    URLProtocolView from NirSoft is much simpler:

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.