What you're seeing is apparently a symptom of the Win32/FakeRean. Briefly,
Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
When Windows is trying to determine what to do with files of any given type, it generally consults the HKLM
branch in the registry for a entry for the desired type. However, if you've ever installed software that asked if you wanted it to be available for you alone, or for all users of the machine, you've seen a feature that's built in to Windows. When you say "Everyone," its registry entries are generally written to the HKLM
hive. If you said you alone, those entries generally go to the HKCU
hive. What Win32/FakeRean
is doing is putting entries in the HKCU
hive which take precedence over those in the HKLM
. For executable files, that can be bad.
Unfortunately, I can't find any documentation for the IsolatedCommand
key (I've consulted both TechNet and MSDN) but from its name, I'd guess that it controls how a process is created. I can tell you that it is normal and required in the HKLM
hive.
I have answered your post about
LegacyDisable
and have some knowledge of the subject.
As this post does not have answers, I'll try, although my answer may not be
satisfactory.
The problem with these registry items is that they are undocumented.
Each new version of Windows may add some more or invalidate others.
Since they are undocumented, Microsoft keeps the freedom of freely modifying
whatever it likes,
so the burden of verifying whether they still work or not falls on the users.
Information about these items comes from Microsoft in all sort of unofficial
channels. Sometimes they are found in SDK samples or on the MSDN,
sometimes in forum answers by Microsoft engineers,
and sometimes from clients of Microsoft that had privileged
access to Microsoft engineers.
I have found one person who has compiled a list of all known such items
in the article
File Type Registration,
each with explanation and a link to documentation.
Not too surprising, most of the items don't have documentation links.
As regarding ProgrammaticAccessOnly
, this article only says
"Removes verb from IContextMenu enumeration?", but has no documentation link.
Searching via google, i have found a
Winaero article
that says:
ProgrammaticAccessOnly does the main trick. It is a special parameter
which tells the Windows Explorer shell that the context menu item can
only be accessed by software programmatically. The user interface gets
locked down, so the command disappears from the context menu!
Together, it seems that these special registry items are recognized by the
IContextMenu interface,
which:
Exposes methods that either create or merge a shortcut menu associated
with a Shell object.
The IContextMenu interface is exported by Shell extension handlers,
chiefly used by Windows Explorer.
In summary, the presence of ProgrammaticAccessOnly
causes the shell
enumeration to ignore the shell item, but programs can still refer to and update
it via the IContextMenu interface or directly by modifying the registry.
Best Answer
The font value is a binary stream of bytes derived from the C structure of the LOGFONT structure.
The declaration of this C structure is:
The third row starts with the 17th byte. You may find this by counting: the LONG type is 4 bytes, while BYTE is 1 byte. The CHAR type is a Unicode string.
More information about the values of the fields may be found in the linked article.