Hi all,

Windows 2003 Server SP1
Microsoft Security Bulletin MS05-049
Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)

This is the scenario we're in.
1. We have a scheduler application (VFP7) that polls every 15 seconds for an entry in an Oracle table.
2. For a given entry in the Oracle table, the scheduler app runs our other application (VFP8) using a predefined shortcut file (.lnk) using the ShellExec() Windows API function.
3. We have been running this for several years on Windows NT4 up to Windows 2000 servers.

Now that we implement this environment on a Windows 2003 Server SP1 server the security update above, the OS no longer allows the ShellExec() call. There is no entry logged in any of the three Server Event logs as to why the ShellExec() request was not ran. It seems that the OS just throws away the ShellExec() request but not if I use the Exe name. Meaning:

- ShellExec('ShortcutToOurApp.lnk') && does not work
- ShellExec('OurApp.Exe') && WORKS!

Short of unistalling the Security Update, is there any other way around this without changing existing codes? Can the registry keys be tweaked?