7

A lot of viruses/malware these days hijack the .exe file association on Windows. The default value for an exe file is "%1" %*, which is fine. It launches the exe file with any arguments passed to it. However, a virus can change it to "Infected file.exe" "%1" %*, which allows it to block specific programs, pop up warnings, all that junk.

I did get a few reasons for allowing this change in the comments, but I am only concerned with the average home-use desktop computer.

Would it cause any problems if I make the HKCR\.exe and HKCR\exefile keys readonly for home users?
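The hijack described in the question is easy to audit before deciding whether to lock anything down. The script below is an added example, not something from the question or its answers. It assumes a stock Windows install, where HKCR is the merge of HKLM\SOFTWARE\Classes with a per-user overlay under HKCU\Software\Classes (and the per-user entries win), the .exe extension maps to the ProgId `exefile`, the open command is exactly `"%1" %*`, and nothing for .exe exists under HKCU at all:

```powershell
# Added example: audit the .exe file association for the hijack described above.
# Assumes a stock install (ProgId "exefile", command "%1" %*, no HKCU entries).

function Get-DefaultValue {
    param([string]$Path)
    # A key's unnamed "(default)" value is exposed by Get-ItemProperty under that name.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    $expectedCommand = '"%1" %*'
    $findings = @()

    # 1. Machine-wide mapping of the extension to its ProgId.
    $progId = Get-DefaultValue 'HKLM:\SOFTWARE\Classes\.exe'
    if ($progId -ne 'exefile') {
        $findings += "HKLM .exe ProgId is '$progId' (expected 'exefile')"
    }

    # 2. Machine-wide open command. Anything other than the stock value means
    #    every .exe launch is being routed through some other program first.
    $cmd = Get-DefaultValue 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
    if ($cmd -ne $expectedCommand) {
        $findings += "HKLM exefile\shell\open\command is '$cmd' (expected '$expectedCommand')"
    }

    # 3. Any per-user override is suspicious: nothing for .exe lives in HKCU by
    #    default, and HKCU is writable without admin rights, so malware running as
    #    the user can plant a hijack there and override the locked-down HKLM keys.
    foreach ($sub in '.exe', 'exefile') {
        if (Test-Path "HKCU:\Software\Classes\$sub") {
            $findings += "Per-user override present: HKCU\Software\Classes\$sub"
        }
    }

    return $findings
}

$findings = @(Test-ExeAssociation)
if ($findings.Count -eq 0) {
    'OK: .exe association is at stock values'
} else {
    $findings | ForEach-Object { "SUSPECT: $_" }
}
```

Run it from a normal (non-elevated) PowerShell; reading these keys needs no special rights. The third check is the one most worth keeping: because the per-user overlay wins, a hijack there works even when the HKLM keys are untouched and read-only.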

4 Answers

1

Changing the .exe file association to deal with viruses and security concerns is a bit like using a sledgehammer to open a jar of pasta sauce. Yeah, it'll open the jar all right, but you'd probably have been better off using a different tool.

A good antivirus tool will take care of those things that careful computing cannot avoid, and will do so without requiring the setting of a critical file setting to something it really was not designed to work as.

music2myear
  • 49,799
0

In order for a virus to have read/write to your registry, it has to be executed under your account. At that point you are screwed. It can do much much worse.

Off the top of my head. . .

  • Delete your documents
  • Access network resources that you have privileges to. Delete, delete!!

So the question shouldn't be "How can I prevent read/write to the exe key?" It should be, "How can I keep a virus from executing under my account?"

In that case, watch what you download. If you don't already, set up a VM or use Sandboxie to test downloads. Or download from a reputable merchant.

For the truly paranoid: Do ALL your browsing in a VM.

surfasb
  • 22,896
0

You can do this, but simply making it read-only won't do; you need to set the user to have deny permissions, and you will need to have a user on the system that is not denied. As you are talking about doing this in the user hive, it will become a little more complicated, but it is doable.

Here are some things to consider though:

  • The user needs to actually be denied the ability to make changes, they should only be allowed to read.
  • There needs to be at least one user that can edit the key.
  • Allowing System, Administrators or any other default account or commonly used elevated account the ability to edit will nullify this, as if the malware elevates it would then have write permissions.
  • If an update comes down that checks this key for write access, you could run into some rather odd failure messages.
  • To edit the HKCU setting you will need to load the hive from another user's profile to manage it after you lock it down.

This wouldn't be supported and could cause all sorts of odd issues, but most malware isn't programmed to be that smart and this is a very effective way to keep it from finishing the infection.

David Remy
  • 1,959
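The deny-plus-separate-editor arrangement this answer describes, as an added example that is not part of the answer. It targets the machine-wide HKLM keys, which is what HKCR\.exe and HKCR\exefile resolve to on a stock install; the two account names are placeholders supplied by the caller (a hypothetical everyday account and a hypothetical maintenance account), and the script must be run from an elevated PowerShell. It leaves the inherited SYSTEM and Administrators ACEs alone, so the caveat in the third bullet still applies:

```powershell
# Added example: deny the everyday account write access to the .exe association
# keys while a separate maintenance account keeps Full Control. Run elevated.
# Account names are placeholders; SYSTEM/Administrators ACEs are left in place.
using namespace System.Security.AccessControl

$AssocKeys = 'HKLM:\SOFTWARE\Classes\.exe', 'HKLM:\SOFTWARE\Classes\exefile'

function Protect-ExeAssociation {
    param(
        [Parameter(Mandatory)][string]$DenyPrincipal,   # hypothetical, e.g. 'DESKTOP\alice'
        [Parameter(Mandatory)][string]$AllowPrincipal   # hypothetical, e.g. 'DESKTOP\regmaint'
    )
    # Everything that could alter the key or its subkeys. Read rights are untouched,
    # so Explorer and CreateProcess keep resolving the association normally.
    $writeRights = [RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # ContainerInherit pushes the ACE down to subkeys such as shell\open\command.
    $inherit = [InheritanceFlags]::ContainerInherit
    $prop    = [PropagationFlags]::None

    foreach ($key in $AssocKeys) {
        $acl = Get-Acl -Path $key
        # Deny ACEs are evaluated before Allow ACEs, so this wins over any group
        # membership the everyday account has, including inherited Users rights.
        $acl.AddAccessRule([RegistryAccessRule]::new(
            $DenyPrincipal, $writeRights, $inherit, $prop, [AccessControlType]::Deny))
        # The maintenance account is the "user that is not denied" from the answer.
        $acl.AddAccessRule([RegistryAccessRule]::new(
            $AllowPrincipal, [RegistryRights]::FullControl, $inherit, $prop, [AccessControlType]::Allow))
        Set-Acl -Path $key -AclObject $acl
    }
}

function Show-ExeAssociationAcl {
    # Read back the explicit (non-inherited) ACEs so the Deny/Allow pair is visible.
    foreach ($key in $AssocKeys) {
        $key
        (Get-Acl -Path $key).Access |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object {
                '  {0,-6} {1,-28} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.RegistryRights
            }
    }
}

# Usage (placeholder account names):
# Protect-ExeAssociation -DenyPrincipal "$env:COMPUTERNAME\alice" -AllowPrincipal "$env:COMPUTERNAME\regmaint"
# Show-ExeAssociationAcl
```

Two limits worth knowing before relying on this. First, the deny is keyed to the everyday account's SID, so it holds even in that account's elevated processes, but a process running with the Administrators group still has SeTakeOwnershipPrivilege and can take the key back regardless of the DACL, which is the elevation caveat the answer raises. Second, the per-user overlay in HKCU\Software\Classes takes precedence over these HKLM keys and is writable by the user without elevation, and the user implicitly owns keys in their own hive, so locking HKCU down is the separate, messier job the answer's last bullet refers to.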
0

No, there is no reason you should need to change the .exe file association on Windows.

If it is viruses you are worried about, there are some much better up-front measures you can take to prevent viruses from even reaching your machine; you should not have to worry about what you are describing.

First of all, just don't download sketchy things... real-time anti-virus/anti-malware should be used if your users are prone to downloading and running things without thinking or knowing what they are doing.

Otherwise if you are not a noob you can just scan things you find suspicious on demand. If you are doing heavy torrenting and the like, or trying to protect a user other than yourself who may be quite naive on the Internet, keep the real-time protection on. Gaming? I always turn off real-time protection while gaming.

MetaGuru
  • 3,799