Windows – the “IsolatedCommand” registry value? What purpose does it serve

windows-registry

I have been searching for explanation for this undocumented registry key but all I could find was some reference to taking ownership or running as Administrator, without really explaining what that particular registry value (not key) is designed for.

I also found this link that suggests that:

HKEY_CURRENT_USER\Software\Classes.exe\
shell\open\command | IsolatedCommand =
""%1? %*"

is related to spyware. Is this true? If so, how?

Any idea what this "IsolatedCommand" value is about, and why would Microsoft create a registry value that would help spyware?

Best Answer

What you're seeing is apparently a symptom of the Win32/FakeRean. Briefly,

Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.

When Windows is trying to determine what to do with files of any given type, it generally consults the HKLM branch in the registry for a entry for the desired type. However, if you've ever installed software that asked if you wanted it to be available for you alone, or for all users of the machine, you've seen a feature that's built in to Windows. When you say "Everyone," its registry entries are generally written to the HKLM hive. If you said you alone, those entries generally go to the HKCU hive. What Win32/FakeRean is doing is putting entries in the HKCU hive which take precedence over those in the HKLM. For executable files, that can be bad.

Unfortunately, I can't find any documentation for the IsolatedCommand key (I've consulted both TechNet and MSDN) but from its name, I'd guess that it controls how a process is created. I can tell you that it is normal and required in the HKLM hive.

Related Solutions

Windows Registry – Purpose of HKCU\software\microsoft\windows\currentversion\explorer\fileexts

I think the "best practice" is to use the bundled "Default Programs" setting with Windows, or a third-party tool like FileTypesMan or ASHociation. FileTypesMan also includes a command-line interface, appropriate for using it on client computers remotely (if need be).

Explorer or TextPad crashing when a file is attempted to be opened (say via the right click menu, or send-to, or drag & drop, or double click).

The application shouldn't crash if the association wasn't set up correctly, as the application wouldn't automatically open to begin with. It seems like there's another underlying issue with your operating system configuration, or the TextPad application itself.

"this is what all keys related to file types are and do, and how Microsoft intends that they be used for coherent cooperation and proper function of a users system."

It's unlikely you'll find any resources detailing a very low-level registry setting for a complex closed-source operating system, unless Microsoft has publicly released the information (or a third party has reverse-engineered its purpose). It's rare that Microsoft ever recommends the end user modify registry data outside of software development, precisely for this reason. If there is any information, you're likely to find it in the Microsoft Support Knowledge Base.

Windows – How to modify the data of an existing registry key value name from cmd

Use REG ADD with the "/f" parameter to force overwrite.

REG ADD /? explains the parameters.

REG ADD KeyName [/v ValueName | /ve] [/t type] [/s Separator] [/d Data] [/f]

KeyName     [\\Machine\]FullKey

Machine     Name of remote machine - omitting defaults to the current machine 
            Only HKLM and HKU are available on remote machines
FullKey     ROOTKEY\SubKey ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ] SubKey 
            The full name of a registry key under the selected ROOTKEY
/v          The value name, under the selected Key, to add
/ve         adds an empty value name <no name> for the key
/t          RegKey data types
            [ REG_SZ | REG_MULTI_SZ | REG_DWORD_BIG_ENDIAN | REG_DWORD | 
              REG_BINARY | REG_DWORD_LITTLE_ENDIAN | REG_NONE | REG_EXPAND_SZ ]
            If omitted, REG_SZ is assumed
/s          Specify one character that you use as the separator in your data 
            string for REG_MULTI_SZ. If omitted, use "\0" as the separator
/d          The data to assign to the registry ValueName being added
/f          Force overwriting the existing registry entry without prompt

To insert a new value or toggle a string value from "false" to "true", use a command like this:

reg add HKCU\Software\Citrix\Receiver /t REG_SZ /v UpgradeDone /d true /f

Example which reads an existing value and appends some string before writing it back:

set append=XXXXXX
set key=HKCU\Software\myTest
set value=myValue
set oldVal=

for /F "skip=2 tokens=3" %%r in ('reg query %key% /v %value%') do set oldVal=%%r
echo previous=%oldVal%

set newVal=%oldVal%%append% 

reg add %key% /v %value% /d %newVal% /f

Note: This sample assumes that the old value and the new value have no blanks. Otherwise one has to add quotes and change the "tokens" parameter. Extra error checking omitted for brevity. However, all registry manipulating code definitely must do adequate error checking.

Best Answer

Related Solutions

Windows Registry – Purpose of HKCU\software\microsoft\windows\currentversion\explorer\fileexts

Windows – How to modify the data of an existing registry key value name from cmd

Related Question