The features are disabled by changing the corresponding values in the system registry. To run Registry Editor, type regedit at the Start/Run prompt.

The registry values used to disable the "dangerous" features are located under the key

HKEY_LOCAL_MACHINE\SOFTWARE\Persits Software\AspUpload3

By default, all the registry values under this key are set to 0 (enabled). Setting them to 1 (or any non-zero value) would disable the corresponding feature.

The following table lists all AspUpload methods that can be disabled via registry settings, and corresponding registry values that disable them:

Method(s)	Registry Value	Comments
UploadManager.Save	DisableSave	When this main method is disabled, users will be forced to use the SaveVirtual method which accepts a virtual, rather than physical, directory as an argument. This way users will be confined to their own virtual directory and subdirectories.
UploadedFile.SaveAs	DisableFileSaveAs	When this method is disabled, users will be forced to use the File.SaveAsVirtual method which accepts a virtual, rather than physical, directory as an argument. This way users will be confined to their own virtual directory and subdirectories.
UploadManager.LogonUser UploadManager.RevertToSelf	DisableLogonUser	Disables user impersonation functionality.
UploadedFile.AllowAccess UploadedFile.DenyAccess UploadedFile.RevokeDenial UploadedFile.RevokeAllowance UploadedFile.SetOwner	DisableACL	Disables permission manipulation functionality.
UploadManager.CopyFile UploadedFile.Copy	DisableFileCopy	When these methods are disabled, the users will be forced to use UploadedFile.CopyVirtual.
UploadManager.RegisterServer	DisableRegisterServer	Disables ActiveX registration functionality.
UploadManager.RemoveDirectory	DisableRemoveDirectory	Disables directory removal functionality.
UploadManager.DeleteFile	DisableFileDelete	Disables file deletion functionality. UploadedFile.Delete is not affected by this setting, however. If Upload.OpenFile is also disabled, a user will only be able to delete newly uploaded files.
UploadManager.SendBinary	DisableSendBinary	Disables file download functionality.
UploadManager.Directory	DisableDirectoryListing	Disables directory listing functionality.
UploadManager.OpenFile	DisableOpenFile	With OpenFile, an UploadedFile object can be created from an arbitrary file on the hard drive, and methods such as File.Delete can be called. Disabling this method limits a user to newly uploaded files only.

• ActiveX registration. Using this feature, a malicious user can place a trojan-horse ActiveX DLL on the server, register and invoke it with simple ASP script.
• Directory Listing. This feature allows users to browser around the entire web server's hard drive and download any files.
• Account impersonation.
• File deletion and directory removal.

After installing AspUpload on a shared Web server, it is recommended that most or all of the potentially dangerous features be disabled, or at least some of the code samples be deleted from the installation directory. This includes:

\Samples\09_misc\DirectoryListing.asp
\Samples\09_misc\Download.asp
\Samples\09_misc\DeleteFiles.asp