Policy on EXEs made by UPX, AutoHotkey or AutoIt

EXEs compressed with UPX:

Do not use UPX to compress EXEs that you upload to the forum.

If you use tools/languages which always generate UPX-compressed files, you can uncompress the result using the UPX command-line:

upx.exe -d example.exe

A large number of virus checkers report UPX-compressed EXE files as possible viruses. Although these are usually false positives it still causes problems for people who download the files. (It also wastes the admins' time when checking the files and when performing site backups.)

It seems that anti-virus tools are never going to come to terms with UPX, as it's been a problem for years and shows no signs of going away. Since the space saved by UPX compression has not been meaningful since we stopped using floppy disks, it will make life easier for everyone if we just stop using it, at least for files uploaded to the forum.

EXEs compiled from AutoHotkey or AutoIt scripts:

AutoHotkey and AutoIt are two tools which you can use to automate Windows GUI programs and perform other scripting tasks.

Posting scripts made with these tools is fine but we do not allow scripts that have been compiled into executable code (.exe files) to be posted unless the source script is also provided.

As a convenience to those who don't want to install AutoHotkey or AutoIt, you can post compiled scripts but if you do so then you must also post the source code.

Please note that we have nothing against AutoHotkey and AutoIt; they are great tools. There are two reasons for the rule about posting compiled versions of their scripts:

  1. Performance: If someone wants to run multiple scripts posted here, or integrate a script from here into their existing configuration, then it is much more efficient to load the scripts into AutoHotkey or AutoIt instead of running standalone compiled versions of them. (The standalone versions essentially include and run an extra copy of AutoHotkey or AutoIt.)

    This is not to mention the benefit of fewer icons cluttering up the taskbar notification area.

  2. Security: It is very easy to create malicious code using either program because they are very high-level, powerful scripting tools. At the same time, without being able to see the source to the programs it is difficult to know exactly what they will do. In some ways it is more difficult than with other types of executable.

    For example, all compiled scripts will load WinSock DLLs and other potentially suspicious components even when the scripts themselves do nothing with the network. Without extensive analysis it is difficult to tell if a compiled script is innocent or if it is going to send people's private data over the Internet.

    Compiled scripts also tend to be UPX compressed which sets off false positives in some virus checkers and makes it more time consuming for admins to work out if there is really a problem with the executable or not. (See our policy on UPX, above.)

    Scripts compiled for AutoHotkey can, unless protected, be decompiled using Exe2Ahk.exe but we still require that you post the source code for such scripts for the performance reasons outlined above.

There will not be any exceptions to this rule. We do not believe that these scripts' source code is novel enough for anyone to care about protecting their coding secrets (unless there is something they want to hide) and, even if you are someone we know and trust, the performance and taskbar-clutter issues with compiled scripts are still unwanted.

The FAQ above has been updated to include a new policy on UPX-compressed EXE files. In short, don't use UPX from now on. It causes problems for no real benefit.