Add-In Security


In Visual Studio 2013, add-ins are deprecated. We recommend that you upgrade your add-ins to VSPackage extensions. For more information, see FAQ: Converting Add-ins to VSPackage Extensions.

So that you can prevent malicious add-ins from automatically activating, Visual Studio provides settings on the Environment, Add-in Security page in the Tools, Options dialog box. Also on this page, you can restrict the number of folders in which Visual Studio searches for .addin registration files.

Add-In Security Settings

The settings on the Add-in Security page include:

  • Allow add-in components to load.   When this check box is selected, add-ins can load. Selected by default.

  • Allow add-in components to load from a URL.   When this check box is selected, add-ins can load from external websites. If an add-in cannot load for some reason, then it cannot load from the web. This setting controls only the loading of the add-in DLL. The .addin registration files must always be located on the local system.

Default Search Locations for .addin Files

In addition to the security settings, the Add-in Security page lists folders in which to search for .addin registration files. By default, these path tokens are included:







When Visual Studio searches for .addin files, it uses the following paths in place of the tokens:






%ALLUSERSPROFILE% (defined by the operating system)




%USERPROFILE%\AppData\Roaming\Microsoft\Visual Studio\<Version>\

Or %USERPROFILE%\AppData\Local\Microsoft\Visual Studio\<Version>\


%ProgramData%\Microsoft\Visual Studio\<Version>\


<My Documents>\Visual Studio 2013\


Some of these default paths may not exist on your system.

You can remove a predefined token by selecting it and then choosing Remove.

You can add a folder to the search list by choosing Add and then specifying it in the Browse for Folder dialog box. For more information, see Add-In Registration.

Restricting Modifications on the Add-in Security Page

An administrator who changes the settings on the page Add-in Security can write values to any key under HKEY_LOCAL_MACHINE\, which modifies those settings for all users of that computer.

To prevent unauthorized modification of the settings on the Add-in Security page, an administrator can set the AllowUserToModifySecuritySettings value in the system registry. This value is stored under the HKEY_LOCAL_MACHINE\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ key. If the value is set to 0, then the options on the Add-in Security page cannot be changed except by an administrator.

The settings for the Add-in Security page are stored in the registry under the HKEY_LOCAL_MACHINE\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ and HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ keys. Visual Studio first looks under HKEY_LOCAL_MACHINE\ for key values and then under HKEY_CURRENT_USER. Under this design, an administrator can enable the loading of add-ins, but a user can still disable loading; however, if an administrator has disabled loading, a non-administrator user cannot enable them.

If the loading of add-ins is enabled, then the folders specified under the HKLM\SOFTWARE\Microsoft\VisualStudio\11.0\AutomationOptions\LookInFolders\ and HKCU\SOFTWARE\Microsoft\VisualStudio\11.0\AutomationOptions\LookInFolders\ keys are searched for .addin files.

See Also


Best Practices for Security in Automation

Add-In Registration