Geoff Chappell - Software Analyst
MSHTML exposes a handful of classes through its exported DllGetClassObject function. Given that they are properly listed in the registry, these are the MSHTML classes for which anyone who knows the corresponding CLSID may obtain a class factory by calling the well-documented OLE32 function CoGetClassObject or get an instance of the class created in one step by calling the CoCreateInstance function. Put another way, these are the MSHTML classes that would not have noncreatable in their IDL declarations.
Since these are the MSHTML classes that have the most external presence, one might think that each would be described in the MSHTML type library and be documented somewhere in the Windows SDK, if only in some header. That would be naive. The ones that are highlighted in the lists below are so thoroughly undocumented that the SDK doesn’t even declare a corresponding CLSID symbol. Of course, this doesn’t necessarily mean that these classes actually are undocumented, just that I haven’t found where. To compensate, I try to be generous: that a class is not highlighted doesn’t mean that the class is documented to any depth that might begin to seem useful even to the brightest of programmers. For some of these classes, the CLSID symbol’s existence seems to be the whole of what Microsoft discloses.
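As an added example (not code from this page or from Microsoft), the following read-only PowerShell function inventories the CLSIDs whose registered InprocServer32 is mshtml.dll, which is the set that CoGetClassObject and CoCreateInstance can locate through the registry. The function name Get-MshtmlRegisteredClass and the output property names are assumptions of this example.

```powershell
# Added example: read-only inventory of CLSIDs registered with mshtml.dll as
# their in-process server. Function and property names are this example's own.
function Get-MshtmlRegisteredClass {
    param([string]$ServerName = 'mshtml.dll')

    # Match the file name at the end of the InprocServer32 path, quoted or not.
    $pattern = '(^|\\)' + [regex]::Escape($ServerName) + '"?\s*$'

    # On 64-bit Windows the 32-bit registrations live under WOW6432Node.
    $views = [ordered]@{ native = 'CLSID'; wow64 = 'WOW6432Node\CLSID' }

    foreach ($view in $views.GetEnumerator()) {
        $root = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($view.Value)
        if ($null -eq $root) { continue }          # view absent on this system
        try {
            foreach ($clsid in $root.GetSubKeyNames()) {
                try {
                    $class  = $root.OpenSubKey($clsid)
                    $server = $root.OpenSubKey("$clsid\InprocServer32")
                } catch [System.Security.SecurityException] { continue }
                if ($null -eq $class -or $null -eq $server) { continue }

                # GetValue('') reads the key's default (unnamed) value.
                $path = [string]$server.GetValue('')
                if ($path -match $pattern) {
                    $progId = $root.OpenSubKey("$clsid\ProgID")
                    [pscustomobject]@{
                        View           = $view.Key
                        Clsid          = $clsid
                        Name           = [string]$class.GetValue('')
                        ProgId         = if ($progId) { [string]$progId.GetValue('') } else { '' }
                        ThreadingModel = [string]$server.GetValue('ThreadingModel')
                        Server         = $path
                    }
                }
            }
        } finally { $root.Close() }
    }
}

Get-MshtmlRegisteredClass | Sort-Object View, Clsid | Format-Table -AutoSize
```

A registry entry only tells the COM machinery where to look: whether a class factory is actually handed out for a given CLSID is decided by MSHTML's DllGetClassObject.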
Some more classes are exposed indirectly. The classes in question each correspond to a property page. As to which classes and which property pages, MSHTML lets this be decided elsewhere. The list below is from IEFRAME in Windows Vista:
The steps by which MSHTML identifies a property-page class begin with creating an instance of the DocHostUIHandler class. This class is implemented in SHDOCVW historically but in IEFRAME for Windows Vista. It has an IOleCommandTarget interface, supporting the command group CGID_DocHostCommandHandler. The command with 0x36 as its ID takes a CLSID for input. If it returns a URL moniker then the CLSID represents a property-page class. Creating an instance of any one of these property-page classes and querying for its IPropertyPage interface is then effectively the same as calling the documented MSHTML function CreateHTMLPropertyPage but with an IMoniker implemented by IEFRAME to represent a standard page.
The last class that MSHTML exposes through DllGetClassObject must be listed separately because the class object does not implement IUnknown, let alone IClassFactory:
Whatever its reason for existence, it would seem to be accessible from outside MSHTML.DLL only by calling DllGetClassObject directly, i.e., without the usual COM machinery.
Of particular interest are those MSHTML classes that implement an IDispatch interface to expose one or more of the class’s member functions for scripting. These members can then be executed at the direction of scripts on web pages. Script code works with a named property, which may also be referred to as a method, object, collection or event.
The classes listed below are all those for which MSHTML defines a class descriptor through which to access at least one string table. The class descriptor is a structure, named as CLASSDESC in the MSHTML symbol file, that provides many definitive pieces of information about a class, but it is the string table that associates interface members, as entries in a class’s virtual function tables, with the names that these members are to have as scripted properties. For reasons unknown, some classes have descriptors that are trivial or very nearly so: if only temporarily, these are included below but with the observation that they have no string table.