Support

    Documentation

    User guide and IT administration reference for OpenMSG Viewer.

    Getting Started

    Installation

    OpenMSG is distributed exclusively through the Microsoft Store. No manual installer or elevated permissions are required.

    1. Open the Microsoft Store on Windows 10 (version 19041.0+) or Windows 11.
    2. Search for OpenMSG, or follow the link below.
    3. Click Get. The app installs automatically (~15 MB).
    Download from Microsoft Store

    System Requirements

    Operating SystemWindows 10 (version 19041.0 or later) or Windows 11
    Architecturex64
    Disk Space~50 MB installed
    DependenciesNone — fully self-contained (no .NET, no VC++ redistributables required)

    Set as Default App

    To open .msg files automatically with OpenMSG:

    1. Right-click any .msg file in Explorer.
    2. Select Open with → Choose another app.
    3. Select OpenMSG from the list.
    4. Tick Always use this app to open .msg files.

    Using OpenMSG

    Opening a File

    There are three ways to open an MSG file:

    • Double-click — if OpenMSG is set as the default app, the file opens directly.
    • File picker — launch OpenMSG without a file to see the file picker. Click Open MSG File to browse.
    • Command line / file association — pass the file path as the first argument: OpenMSG.exe "C:\path\to\email.msg".

    Email View

    Once a file is open, the main window shows:

    • Header panel — sender name and avatar initials, email address, subject, sent date, To, CC, and BCC recipients.
    • HTML body — rendered in an embedded WebView2 control. Inline images (CID references) are resolved from temporary local files. Plain-text emails are displayed in a pre-formatted view.
    • Attachment panel — lists all attachments with their file-type icon, filename, and size. See the Attachments section for details.
    • Full-screen viewer — the Open in full viewer button opens the email body in a larger pop-out window, inheriting the current window size.

    Light / Dark Theme

    A theme toggle button in the toolbar switches between Light and Dark mode. The choice is persisted across sessions. IT administrators can lock or pre-set the theme via the ForceTheme / DefaultTheme registry values.

    Attachments

    Attachments are extracted to a private temporary folder when the MSG file is opened. The folder is created fresh for each file and deleted automatically when the app closes.

    Opening an Attachment

    Click the attachment button to open it in its default Windows application. If the file extension is not in the safe list, a warning dialog is shown before opening. See Security for how the safe list works.

    Saving an Attachment

    Click the chevron (▾) on the right side of any attachment button to reveal the context menu, then select Save. A standard Windows Save dialog opens, pre-filled with the original filename. The Save option can be disabled by IT via the DisableAttachmentSave registry value.

    Nested MSG Attachments

    MSG files embedded inside other MSG files (forwarded or attached emails) are listed in the attachment panel like any other file. Opening them launches a new instance of OpenMSG.

    Security

    HTML Sanitisation

    Before the email body is passed to the WebView renderer, OpenMSG sanitises the HTML:

    • Inline JavaScript event handlers (onclick, onerror, onload, etc.) are stripped.
    • javascript: hrefs and srcs are replaced with #.
    • <meta http-equiv="refresh"> elements are removed to prevent auto-redirects.
    • Right-click context menus inside the rendered body are disabled.
    • When BlockThirdPartyAssets is enabled, a strict Content Security Policy is injected, preventing external images and resources from loading.
    JavaScript sanitisation is enabled by default and is the recommended setting for all deployments. It can be disabled via AllowJavaScriptInEmails, but doing so is not advised.

    Attachment Extension Allowlist

    Every attachment is checked against a configurable list of safe extensions before being opened. The default list is:

    .pdf .docx .xlsx .pptx .png .jpg .jpeg .gif .txt .csv .rtf .msg

    Attachments outside this list show a warning dialog. With BlockUnsafeAttachments enabled they are blocked entirely. The list is customisable via the SafeAttachments registry value.

    Magic Bytes Verification

    Even for files within the safe extension list, the first bytes of the file are read and compared against known file signatures. A file claiming to be a PDF but containing a Windows PE header (MZ) is blocked and a "Spoofed Attachment Blocked" error is shown. This protects against RTLO (Right-to-Left Override) filename spoofing attacks.

    Unicode Bidirectional Spoofing Protection

    Attachment filenames are scanned for Unicode bidirectional control characters (including U+202E, the Right-to-Left Override) before any extension check is performed. A filename containing these characters is treated as unsafe regardless of the claimed extension.

    IT & Enterprise Configuration

    OpenMSG reads configuration from the Windows Registry. Values are read in priority order — higher entries override lower ones:

    1 — Group Policy (highest priority)

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\OpenMSG

    2 — Machine-wide defaults

    HKEY_LOCAL_MACHINE\SOFTWARE\OpenMSG

    3 — Per-user preferences (lowest)

    HKEY_CURRENT_USER\SOFTWARE\OpenMSG
    All values are REG_DWORD for booleans and integers, and REG_SZ for strings. Boolean values use 1 (true) or 0 (false). Integer values are clamped to documented ranges.

    Configuration Reference

    Value NameTypeDefaultDescription
    SafeAttachmentsREG_SZ.pdf,.docx,.xlsx,.pptx,.png,.jpg,.jpeg,.gif,.txt,.csv,.rtf,.msgComma-separated list of allowed attachment extensions. Attachments with other extensions trigger a warning (or are blocked if BlockUnsafeAttachments is set).
    BlockUnsafeAttachmentsDWORD0 (false)When enabled, attachments whose extension is not in SafeAttachments are silently blocked. Users cannot override this.
    ShowAttachmentPopupsDWORD1 (true)When enabled, a confirmation dialog is shown before opening an attachment that is not in the safe extension list. When disabled, the attachment opens without prompting.
    BlockThirdPartyAssetsDWORD0 (false)Injects a strict Content Security Policy into the rendered email, preventing images and other resources from loading from external servers. Improves privacy on sensitive networks.
    BlockNewWindowsDWORD0 (false)Prevents email links and content from opening new browser windows or tabs inside the WebView.
    AllowJavaScriptInEmailsDWORD0 (false)By default, JavaScript event handlers (onclick, onerror, etc.) and javascript: links are stripped from email HTML before rendering. Set to 1 only if your organisation requires JavaScript in emails.
    HideLicensingPromptDWORD1 (true)Hides the commercial-use licensing banner. Defaults to true in current builds.
    DisableRatingPromptDWORD0 (false)Suppresses the periodic prompt asking users to rate the app in the Microsoft Store.
    ForceThemeDWORD0Locks the UI to a specific theme. 0 = follow user/system preference, 1 = always Light, 2 = always Dark. The in-app theme toggle is hidden when this is set.
    DefaultThemeDWORD0Sets the initial theme on first launch. 0 = follow system, 1 = Light, 2 = Dark. Users can still toggle unless ForceTheme is also set.
    HideThemeToggleDWORD0 (false)Removes the light/dark theme toggle button from the toolbar.
    DisableTelemetryDWORD0 (false)Disables all PostHog usage analytics. No usage events are sent when enabled.
    DisableCrashReportingDWORD0 (false)Disables BugSplat crash reporting. Crashes will not generate reports sent to the developer.
    ExtractionPathREG_SZ""Overrides the folder used for temporary attachment extraction. Defaults to the app's sandboxed temporary folder. Useful in locked-down environments where the default temp folder is restricted.
    DefaultWindowWidthDWORD1200Initial window width in logical pixels. Clamped between 400 and 4000. DPI scaling is applied automatically.
    DefaultWindowHeightDWORD770Initial window height in logical pixels. Clamped between 300 and 3000. DPI scaling is applied automatically.
    AppTitleOverlayREG_SZ""Replaces the window title bar text. Useful for white-label or rebranded enterprise deployments.
    DisableAttachmentSaveDWORD0 (false)Removes the Save option from the attachment context menu. Users can still open attachments in their default app.
    SupportEmailREG_SZ[email protected]Email address shown in error dialogs and the support banner. Override to route support requests to your own IT helpdesk.
    HideSupportMessageDWORD0 (false)Hides the support contact message shown in the toolbar and in some error dialogs.
    HideLargeEmailWarningDWORD0 (false)Suppresses the warning shown when an unusually large email body is loaded.

    Group Policy Deployment

    Values written to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\OpenMSG take precedence over all others and cannot be overridden by the user. Use this path for enforced IT policy. Example PowerShell to lock the theme to Dark and disable telemetry across all users:

    # Run as Administrator

    $path = "HKLM:\SOFTWARE\Policies\OpenMSG"

    New-Item -Path $path -Force | Out-Null

    Set-ItemProperty -Path $path -Name "ForceTheme" -Value 2 -Type DWord

    Set-ItemProperty -Path $path -Name "DisableTelemetry" -Value 1 -Type DWord

    Set-ItemProperty -Path $path -Name "SupportEmail" -Value "[email protected]" -Type String

    Privacy & Telemetry

    Usage Analytics (PostHog)

    OpenMSG sends anonymous usage events to PostHog to help prioritise development. Events include actions such as app launched, msg file opened, attachment opened, and theme toggled.

    Each event includes:

    • A hashed, anonymous device identifier (SHA-256 of the Windows MachineGuid)
    • App version and OS version
    • Session ID (random UUID, reset each launch)
    • Corporate domain (UPN domain suffix only, not usernames or full addresses)
    Email content, attachment content, filenames, sender details, and recipient addresses are never included in any telemetry event.

    Telemetry can be disabled by setting DisableTelemetry = 1 in the registry. See IT & Enterprise Configuration.

    Crash Reporting (BugSplat)

    If the application crashes, a report containing the stack trace, OS version, and app version is sent to BugSplat. Crash reports do not contain email content or attachments.

    Crash reporting can be disabled by setting DisableCrashReporting = 1 in the registry. See BugSplat's privacy policy at bugsplat.com/privacy.

    Troubleshooting

    File Is Empty or Truncated

    Cause

    The .msg file is less than 512 bytes, was not fully downloaded, or was interrupted during a copy operation.

    Fix

    Re-download or re-save the file. If the file is on a network share, verify the copy completed successfully.

    Cloud File Access Error

    Cause

    The file is an OneDrive or SharePoint Files On-Demand placeholder that has not been downloaded to disk yet.

    Fix

    Right-click the file in Explorer and choose "Always keep on this device", then try opening it again. Make sure OneDrive is signed in and running.

    Unrecognised File Format

    Cause

    The file does not contain a valid Compound File Binary (.msg) structure. It may be an EML, RTF, or other format saved with a .msg extension, or the file may be corrupt.

    Fix

    Ask the sender to re-export the email directly from Outlook as a .msg file. Forwarding as an attachment also works.

    Access Denied

    Cause

    The operating system denied read access to the file. This can happen if the file is locked by Outlook, stored in a restricted folder, or has restrictive NTFS permissions.

    Fix

    Close Outlook if it is open. Move the file to a location you own (e.g. Downloads) and try again.

    File Picker Unavailable

    Cause

    OpenMSG is running with elevated (Administrator) privileges. The Windows file open picker is blocked for elevated processes.

    Fix

    Close OpenMSG and relaunch it without right-clicking "Run as administrator". Normal user privileges are all that is required.

    Invalid Encrypted or Signed Email

    Cause

    The email was digitally signed or encrypted (S/MIME) but the cryptographic signature is malformed or uses an algorithm OpenMSG does not support.

    Fix

    Ask the sender to forward the message as a plain email without encryption, or to re-send without a digital signature.

    Spoofed Attachment Blocked

    Cause

    The attachment's file contents do not match what its extension claims (magic bytes mismatch). This is a security protection against disguised executables.

    Fix

    Contact the sender to verify the file is legitimate and ask them to re-send it.

    Still stuck? Email [email protected] — include your Windows version, app version (visible in the window title bar), and a description of the issue.