Shopping for LOLbins

In this tweet that I posted a few weeks ago, I demoed how to use older versions of Photoshop and Illustrator to execute Calculator via their internal scripting engine, which is accessible via COM from e.g. Visual Basic Script:

CreateObject("Photoshop.Application").DoJavaScript("File(""c:/windows/system32/calc.exe"").execute();")

or

CreateObject("Photoshop.Application").DoJavaScriptFile(JSPath)

where JSPath points to a JavaScript file with the following content:

File("c:/windows/system32/calc.exe").execute();

The “Photoshop.Application” object name (ProgID) can be replaced with “Illustrator.Application”, but the trick doesn’t work with “InDesign.Application” and “Soundbooth.Application”. And of course, you can use ProgID variants of the object names that are version-dependent e.g. “Photoshop.Application.<version>”.

One could potentially package some parts of Creative Suite, register appropriate Registry entries to ensure COM objects can be instantiated and potentially run the whole business logic from there (signed, trusted executables), but it would be cumbersome and it would be quite easily detectable – all the processes would have svchost.exe as a parent process and they use “/Automation” as their command line argument.

Excellent Conversions (and downloads)

This one was on a back burner for a while too.

C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe is a program that helps to convert various documents to XLSX format. While playing around with it, I noticed it accepts URLs, hence you can use it to download stuff from the internet. The caveat is that this downloaded data will be stored inside a UTF8-encoded stream embedded inside the XLSX Zip archive.

Example binary data (favicon.ico):

and data downloaded as a stream:

The command line arguments for excelcnv.exe are not documented well. Many examples online refer to the “-oice” argument followed by the input and output file names. That’s it. And yeah, this actually works, so since I have already mentioned that the input parameter can be a URL, the downloader invocation can be as follows:

excelcnv.exe -oice <URL> <OUTPUT>

Still, there is more to discover.

For instance, what the heck is ‘oice’? After googling around I eventually discovered it stands for Office Isolated Conversion Environment.

Other interesting things to look at are the other, undocumented command line arguments used by excelcnv.exe – the ones I have found so far are as follows:

  • -oics – don’t know how it is being used at the moment
  • -bcs – you can use it to convert INPUT file to .ods e.g.
    • excelcnv.exe -bcs <XLSX> <ODS>
  • -repair
  • -o – orientation (for PDF)
  • -ps – paper size (for PDF)
  • -dps – default paper size (for PDF)
  • -scl – scaling option (for PDF)
  • -wtp – what to print (for PDF)
  • -preview – preview quality (for PDF)
  • -pofo – automatic print on file open (for PDF)
  • -nafap – use named action setting (for PDF)
  • -pglim – page limit (for PDF)
  • -rv – unknown (for PDF)

There are probably more, but this is what I explored so far.

The default OUTPUT file type is XLSX. The file format can be changed using a dedicated file extension accepted by the program:

  • .xltx
  • .xlam
  • .xlsm
  • .ods
  • .xls*
  • .pdf
  • .xlsx
  • .png
  • .jpg

but I am not sure yet how to use all of them, as not all of them worked for me (the good news is that all the *.xl* ones work well with the “-oice” command).
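
Both tricks in this post leave process-creation traces: the COM-instantiated Adobe hosts run under svchost.exe with “/Automation”, and the excelcnv.exe downloader carries a URL on its command line. The following is an added example, not code from the original post, that checks process-creation events for both patterns; the event field names, rule names, Adobe image names and all sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumptions: event field names, rule names and the Adobe image names below.
URL_ARG = re.compile(r'(?i)(?:^|[\s"])(https?://[^\s"]+)')
ADOBE_IMAGES = {"photoshop.exe", "illustrator.exe"}

def basename(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return (rule, detail) findings for one process-creation event."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    findings = []
    # excelcnv.exe normally converts local files; a URL as input means a network fetch.
    if image == "excelcnv.exe":
        match = URL_ARG.search(cmd)
        if match:
            findings.append(("excelcnv_remote_input", match.group(1)))
    # COM-instantiated Adobe hosts: svchost.exe parent plus the /Automation switch.
    if image in ADOBE_IMAGES and parent == "svchost.exe" and "/automation" in cmd.lower():
        findings.append(("adobe_com_automation", image))
    return findings

def scan(events):
    """Flatten findings into (event_index, rule, detail) tuples."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in classify(ev)]

# Constructed sample paths and events (not taken from real telemetry).
EXCELCNV = r"C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe"
PSHOP = r"C:\Program Files\Adobe\Adobe Photoshop CS6\Photoshop.exe"
SAMPLE_EVENTS = [
    {"image": EXCELCNV, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"excelcnv.exe -oice https://example.com/favicon.ico C:\Temp\out.xlsx"},
    {"image": EXCELCNV, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"excelcnv.exe -oice C:\Docs\report.xls C:\Docs\report.xlsx"},
    {"image": PSHOP, "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": '"' + PSHOP + '" /Automation'},
    {"image": PSHOP, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"' + PSHOP + '"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The second and fourth sample events are the benign baselines (local conversion, interactive Photoshop launch) and produce no findings.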