Is there any reason to change the .exe file association on Windows?

Question

A lot of viruses/malware these days hijack the .exe file association on Windows. The default value for an exe file is "%1" %*, which is fine. It launches the exe file with any arguments passed to it. However, a virus can change it to "Infected file.exe" "%1" %*, which allows it to block specific programs, pop up warnings, all that junk.

I did get a few reasons for allowing this change, in the comments, but I am only concerned with the average home use desktop computer.

Would it cause any problems if I make the HKCR\.exe and HKCR\exefile keys readonly for home users?

Jeez, why wouldn't they be readonly in the first place? If you can change them to readonly, couldn't some program make them writable again? I find it pretty interesting this can indeed be changed at all. Weird. — James T Snell, Jul 13 '11 at 17:50
Think portability and embedded/secure systems. You could technically create another application as a "wrapper" to launch all other executables through (and, in the process, block unwanted ones). Again, just keep in mind that Windows is meant for both end users and corporate distribution. As The White Phoenix said, you can set them to read-only without problems, but I'm sure any virus could still overwrite it. — Breakthrough, Jul 13 '11 at 18:01
I am hoping that most viruses will not anticipate it. However, I see your point about corporations and enterprise-y stuff. I'll edit the question. — Soumya, Jul 13 '11 at 19:20
Presumably, if the virus can change the key, can't it also make it read/write before modifying the value? — jftuga, Jul 13 '11 at 18:07
Where does Windows in the GUI show %1 %* as default value for an exe? — barlop, Jul 13 '11 at 20:15
Install registry protection software, I use Spybot Tea Timer. Stops a lot of that nonsense, you can rename the teatimer.exe to something random in case the malware looks for that process. You have to launch it from the program file if you change the name or Add a shortcut to the new name to the startup folder. — Moab, Jul 13 '11 at 21:55
I guess the ability to change the exe file association might be useful as Breakthrough suggests as a wrapper for things such as Debuggers, Memory Profilers etc... MS won't change this, as it is the customizations that windows is capable of that make it such a powerful OS. — leinad13, Jul 14 '11 at 16:12
@Ryan XP and above, really. I am looking to do this on a lot of computers — Soumya, Jul 19 '11 at 19:15

score 2 · Answer 1 · answered Jul 19 '11 at 16:06

2

Changing the .exe file association to deal with viruses and security concerns is a bit like using a sledge hammer to open a jar of pasta sauce. Yea, it'll open the jar alright, but you'd probably have been better off using a different tool.

A good antivirus tool will take care of those things that careful computing cannot avoid, and will do so without requiring the setting of a critical file setting to something it really was not designed to work as.

answered Jul 19 '11 at 16:06

music2myear

40,472
44
86
127

Here's the thing... most of them don't. I have seen plenty of viruses, most of which use this exploit, on computers with current versions of many antiviruses. And users can't be trusted to protect themselves, so I though this may work – Soumya Jul 19 '11 at 19:16
It sounds as though you speak from experience. I have run Nod32 by Eset for several years and have never really had to worry about the odd fakealert virus or problems such as you mention. What AV apps have you found that fail to protect this function? – music2myear Jul 19 '11 at 20:07
Sophos, Microsoft Security Essentials, Norton, McAfee, and Webroot. I haven't seen any infected machines running Nod32, but I also haven't seen many non-infected machines running it either. – Soumya Jul 19 '11 at 20:08
Yea, it's a relatively little known app. Which is odd considering the full page ads I see for them in MaximumPC and Wired magazines. But they're inexpensive to buy three three-year licenses from, and they run light on the system. I use the free Comodo firewall as well. Regarding your issue, prior to implementing it broadly, I'd run the read only reg key fix on a single computer and really, really test it. Be very thorough. I think drivers may have the most consistant problems with such a setting, though I'm not sure why I feel that way. If it works: Great! – music2myear Jul 19 '11 at 20:12

score 0 · Answer 2 · answered Jul 15 '11 at 05:32

In order for a virus to have read/write to your registry, it has to be executed under your account. At that point you are screwed. It can do much much worse.

Off the top of my head. . .

Delete your documents
Access Network Resources that you have privilege to. Delete Delete!!

So the question shouldn't be "How can I prevent read/write to the exe key?" It should be, "How can I keep a virus from executing under my account?"

In that case, watch what you download. If you don't already, setup a VM or use Sandboxie to test downloads. Or download from a reputable merchant.

For the truly paranoid: Do ALL your browsing in a VM.

David Remy · Accepted Answer · 2011-08-20T20:12:33.600

You can do this but simply making it read only won't do, you need to set the user to have deny permissions and will need to have a user on the system that is not denied. As you are talking about doing this in the user hive it will become a little more complicated but it is doable.

Here are some things to consider though:

The user needs to actually be denied the ability to make changes, they should only be allowed to read.
There needs to be at least one user that can edit the key.
Allowing System, Administrators or any other default account or commonly used elevated account the ability to edit will null this as if the malware elevates it would then have write permissions.
If an update comes down that checks this key for write you could run in to some rather odd failure messages.
To edit the hkcu setting you will need to load the hive from another user's profile to manage it after you lock it down.

This wouldn't be supported and could cause all sorts of odd issues, but most malware isn't programmed to be that smart and this is a very effective way to keep it from finishing the infection.

Your fourth point is the one I am most worried about. The whole question, essentially, is whether or not there is any reason for a legitimate process (especially Windows' own) to write to that key. — Soumya, Jul 19 '11 at 20:10
I have never seen a legitimate app need access to this key though I'm sure there are some out there. For most home users I think you would be fine, I would imagine it is smaller custom apps that would make such a change, internal to an org. — David Remy, Jul 31 '11 at 01:17

score 0 · Answer 4 · answered Jul 19 '11 at 15:47

No, there is no reason you should need to change the .exe file association on Windows.

If it is viruses you are worried about, there are some much better up front measures you can take to prevent viruses from even reaching your machine, you should not have to worry about what you are describing.

First of all, just don't download sketchy things... real-time anti-virus/anti-malware should be used if your users are prone to downloading and running things without thinking or knowing what they are doing.

Otherwise if you are not a noob you can just scan things you find suspicious on demand. If you are doing heavy torrenting and the like, or trying to protect a user other than yourself who may be quite naive on the Internet, keep the real-time protection on. Gaming? I always turn off real-time protection while gaming.

Is there any reason to change the .exe file association on Windows?

4 Answers4