Windows – Any reason to change the .exe file association on Windows

anti-malware, file association, windows

A lot of viruses/malware these days hijack the .exe file association on Windows. The default value for an exe file is "%1" %*, which is fine. It launches the exe file with any arguments passed to it. However, a virus can change it to "Infected file.exe" "%1" %*, which allows it to block specific programs, pop up warnings, all that junk.

I did get a few reasons for allowing this change, in the comments, but I am only concerned with the average home use desktop computer.

Would it cause any problems if I make the HKCR\.exe and HKCR\exefile keys readonly for home users?

Best Answer

You can do this, but simply making it read-only won't do; you need to set the user to have deny permissions, and you will need to have a user on the system that is not denied. As you are talking about doing this in the user hive, it will become a little more complicated, but it is doable.

Here are some things to consider though:

  • The user needs to actually be denied the ability to make changes; they should only be allowed to read.
  • There needs to be at least one user that can edit the key.
  • Allowing System, Administrators or any other default account or commonly used elevated account the ability to edit will nullify this, as if the malware elevates it would then have write permissions.
  • If an update comes down that checks this key for write, you could run into some rather odd failure messages.
  • To edit the HKCU setting you will need to load the hive from another user's profile to manage it after you lock it down.

This wouldn't be supported and could cause all sorts of odd issues, but most malware isn't programmed to be that smart and this is a very effective way to keep it from finishing the infection.
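A PowerShell version of the check and lock-down the answer describes, added here as an example and not code from the original post. It assumes an elevated session run from an administrator account that keeps its own Full Control, and a limited account named `HomeUser` (a placeholder) that is the one being denied.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# as the account that must keep the ability to edit the keys.
# 'HomeUser' is a placeholder for the limited account being locked out.
$DeniedUser = 'HomeUser'
$Expected   = '"%1" %*'
$Keys = @('Registry::HKEY_CLASSES_ROOT\.exe',
          'Registry::HKEY_CLASSES_ROOT\exefile')

# 1. Detection: the .exe launch command should be exactly "%1" %*.
#    Anything else (another executable in front of it) is the hijack the question describes.
$cmdKey  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$current = (Get-ItemProperty -Path $cmdKey).'(default)'
if ($current -ne $Expected) {
    Write-Warning "exefile command is '$current', expected '$Expected' (possible hijack)"
}

# 2. Hardening: deny the limited user every right that lets it change the keys
#    (write values, create subkeys, delete, change ACL, take ownership) while
#    leaving read rights untouched. Administrators keep Full Control so at least
#    one account can still edit the key, as the answer requires.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
foreach ($k in $Keys) {
    $acl  = Get-Acl -Path $k
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $DeniedUser, $WriteRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $k -AclObject $acl
}

# 3. Verify: list the Deny entries now present for the limited user on each key.
foreach ($k in $Keys) {
    Write-Host "Deny entries on $k"
    (Get-Acl -Path $k).Access |
        Where-Object { $_.IdentityReference -like "*\$DeniedUser" -and $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}
```

HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so the per-user copy the answer's last bullet mentions needs the same Deny entry applied inside that user's loaded hive.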
