We recommend using Visual Studio 2017

Add-In Security

Note Note

In Visual Studio 2013, add-ins are deprecated. We recommend that you upgrade your add-ins to VSPackage extensions. For more information, see FAQ: Converting Add-ins to VSPackage Extensions.

So that you can prevent malicious add-ins from automatically activating, Visual Studio provides settings on the Environment, Add-in Security page in the Tools, Options dialog box. Also on this page, you can restrict the number of folders in which Visual Studio searches for .addin registration files.

The settings on the Add-in Security page include:

  • Allow add-in components to load.   When this check box is selected, add-ins can load. Selected by default.

  • Allow add-in components to load from a URL.   When this check box is selected, add-ins can load from external websites. If an add-in cannot load for some reason, then it cannot load from the web. This setting controls only the loading of the add-in DLL. The .addin registration files must always be located on the local system.

In addition to the security settings, the Add-in Security page lists folders in which to search for .addin registration files. By default, these path tokens are included:







When Visual Studio searches for .addin files, it uses the following paths in place of the tokens:






%ALLUSERSPROFILE% (defined by the operating system)




%USERPROFILE%\AppData\Roaming\Microsoft\Visual Studio\<Version>\

Or %USERPROFILE%\AppData\Local\Microsoft\Visual Studio\<Version>\


%ProgramData%\Microsoft\Visual Studio\<Version>\


<My Documents>\Visual Studio 2013\

Note Note

Some of these default paths may not exist on your system.

You can remove a predefined token by selecting it and then choosing Remove.

You can add a folder to the search list by choosing Add and then specifying it in the Browse for Folder dialog box. For more information, see Add-In Registration.

An administrator who changes the settings on the page Add-in Security can write values to any key under HKEY_LOCAL_MACHINE\, which modifies those settings for all users of that computer.

To prevent unauthorized modification of the settings on the Add-in Security page, an administrator can set the AllowUserToModifySecuritySettings value in the system registry. This value is stored under the HKEY_LOCAL_MACHINE\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ key. If the value is set to 0, then the options on the Add-in Security page cannot be changed except by an administrator.

The settings for the Add-in Security page are stored in the registry under the HKEY_LOCAL_MACHINE\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ and HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\11.0\AutomationProperties\ keys. Visual Studio first looks under HKEY_LOCAL_MACHINE\ for key values and then under HKEY_CURRENT_USER. Under this design, an administrator can enable the loading of add-ins, but a user can still disable loading; however, if an administrator has disabled loading, a non-administrator user cannot enable them.

If the loading of add-ins is enabled, then the folders specified under the HKLM\SOFTWARE\Microsoft\VisualStudio\11.0\AutomationOptions\LookInFolders\ and HKCU\SOFTWARE\Microsoft\VisualStudio\11.0\AutomationOptions\LookInFolders\ keys are searched for .addin files.