Running into an interesting situation here, and am hoping to get a second (3rd/4th/100th) set of eyes on this.

I have a requirement to lock down the GUI interaction to certain files. I am testing on one such file, and below is what I have come up with:


[code:1]CLASS MACHINE
CATEGORY !!PlatLockDown

CATEGORY !!DSKAPPS
POLICY !!DisableRestrictedFileTypes
KEYNAME "Software\Classes"

EXPLAIN !!DisableRestrictedFileTypesExplain

PART !!htafile CHECKBOX
KEYNAME "SOFTWARE\Classes\htafile\Shell\Open\Command& quot;
VALUENAME ""
VALUEON "C:\WINDOWS\system32\notepad.exe "%1" %*"
VALUEOFF "C:\WINDOWS\system32\mshta.exe "%1" %*"
DEFCHECKED
END PART
END POLICY

END CATEGORY
END CATEGORY

[strings]
PlatLockDown="Lockdown - PLATINUM"
DSKAPPS="Desktop Application"
DisableRestrictedFileTypes="Execution of Restricted File Types"
DisableRestrictedFileTypesExplain="Execution of certain file types can deliver malicious payloads if not properly screened first.\n\nTo prevent accidental exposure to these risks, change the default action to an application that will not execute the file (such as notepad.exe) and ensure that the Always show extension is enabled for the file type in question."

htafile="HTML Applications as Mobile Code"[/code]

This fails every time with:

Error 51: Unexpected keyword
Found: %1 %*
Expected: KEYNAME, VALUENAME, DEFAULT, REQUIRED, MAXLEN, OEMCONVERT, SOFT, END, EXPANDABLETEXT, CLIENTEXT
The file cannot be loaded
Now, if I remove the quotations around the %1 in the VALUEON/OFF entries, it works. However, you now need to manually edit the registry entry to add in the quotes (defeating the purpose of the template).

So, my question is, what characters (if any) can be used to exempt the necessary quotations around the %1 from being counted as the value encapsulation?


**
Note of interest: The changes that need to be made, have to affect the HKEY_CLASSES_ROOT hive of the registry. I understand that the ADM templates only recognize Machine Configuration (HKLM) and User Configuration (HKCU). To that end, in some earlier research, I found that you can indeed make changes to the HKCR via a sub-key of HKLM (HKLM\Software\Classes).