Technical Specification

  • .SettingContent-ms is a format of file that allow a user to create “shortcuts” to options available on Windows 10 setting pages
  • .SettingContent-ms was introduced in Windows 10 and can be constructed in XML syntax
  • The target application to be launched with .SettingContent-ms can be specified on <DeepLink> tag. The modified .SettingContent-ms will execute program directly without intermediate program.
  • Poisoned .SettingContent-ms files can be delivered via HTTP/S, execution without notification and warning to users.
  • Max character size allowed on <DeepLink> tag is 517 characeters.
<!-- From -->
<?xml version="1.0" encoding="UTF-8"?>
  <SearchableContent xmlns="">
      <DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>


  • Monitor an execution of child processes from Office applications
  • Look for existing of .SettingContent-ms outside C:\Windows\ImmersiveControlPanel`
  • Examine command logging is enabled
  • Blocking .SettingContent-ms on the perimeter
  • Changing the file association types for .SettingContent-ms to notepad or something different that does not execute the code