Cor
Members
Posts: 13
Reputation: 0 Neutral
  1. I would wager that it is because my regfile entry is the only one where the actual "open" command is different from the default. The crucial change in all the commands, regfile included, is that the default action has been changed. An excerpt (with the section MBAM should be examining in bold):

     [HKEY_CLASSES_ROOT\batfile\shell]
     @="EditPlus"

     [HKEY_CLASSES_ROOT\batfile\shell\edit]
     @="quick &edit"

     [HKEY_CLASSES_ROOT\batfile\shell\edit\command]
     @="c:\\windows\\notepad.exe \"%1\""

     [HKEY_CLASSES_ROOT\batfile\shell\EditPlus]
     @="EditPlus"

     [HKEY_CLASSES_ROOT\batfile\shell\EditPlus\command]
     @="C:\\Program Files\\Text Ed\\editplus\\editplus.exe \"%1\""

     [HKEY_CLASSES_ROOT\batfile\shell\open]
     "EditFlags"=hex:00,00,00,00
     @="run the routine"

     [HKEY_CLASSES_ROOT\batfile\shell\open\command]
     @="\"%1\" %*"

     Unless MBAM checks the default action, as well as what command that action performs, its checking is basically pointless. It would be trivial to slip, for example, a silent registry merge right past MBAM's scanner. ;o) Cor
  2. In my experience, most users click dialogs without really reading them. The only "PUM" more dangerous than the default action for .reg files (merge with dialog) would be to use the /s (silent) flag (as I do for my own default "Merge" command). If that (silent merge) was the default left-click action, then that is something I would definitely expect MBAM to pick up on. But MBAM doesn't seem to be smart enough to recognize that the "open" action is not the default action. So I thought, "MBAM = over-cautious", not necessarily a bad thing. But then, it doesn't apply this caution to "open" actions for similarly potentially-dangerous file types, which leaves me slightly puzzled. At any rate, I don't use AV myself; I'm testing this for a client and more than anything else, I wanted to know more about the logic behind MBAM's decision before recommending it (it's top of my list). Thanks for your help. ;o) Cor
  3. If I run the same thing on a handy virtual machine, the log produces:

     Registry Data: 1 Broken.OpenCommand, HKCR\regfile\shell\open\command, regedit.exe /s "Good: (regedit.exe "Bad: (regedit.exe /s "%1"),,[ffffffffffffffffffffffffffffffff]")", %4, %5

     If that's any help. ;o) Cor
  4. "How big is the zip file you are trying to attach?"
     Tiny.
     "If you are replying in the "quick reply" box, click on the "more reply options" at the bottom right. This should reload your reply box with options to attach the file."
     That is precisely what I did. I tried the flash upload first (I/O error) and then the basic uploader, which, as I said, showed "regfile.zip" under my post (next to the upload button), indicating that it had uploaded successfully. I guess it didn't.
     "You initially reported the issue on the 23. Open Mbam, go to history, go to application logs. You are looking for the one(s) on the 23 & they are the "scan log" not the "protection log"."
     I can see all the logs just fine, but I cannot see which one contains the relevant entries.
     "If you don't have them any more, no worries. Just post the reg key you edited & I can re-pro on my machine."
     No problem. Simply copying in the reg entries was my first thought. ;o) Cor
     ps. Not being able to split up a forum quote is annoying.

     Relevant registry entries follow:

     Windows Registry Editor Version 5.00

     [HKEY_CLASSES_ROOT\.reg]
     @="regfile"

     [HKEY_CLASSES_ROOT\regfile]
     @="registration entries"
     "EditFlags"=dword:00100000
     "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
       00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,\
       2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00

     [HKEY_CLASSES_ROOT\regfile\DefaultIcon]
     @="C:\\Toolbars\\Media\\Toolicon\\reg.ico,0"

     [HKEY_CLASSES_ROOT\regfile\shell]
     @="EditPlus"

     [HKEY_CLASSES_ROOT\regfile\shell\edit]
     @="&quick edit"

     [HKEY_CLASSES_ROOT\regfile\shell\edit\command]
     @="c:\\windows\\notepad.exe \"%1\""

     [HKEY_CLASSES_ROOT\regfile\shell\EditPlus]
     @="EditPlus"

     [HKEY_CLASSES_ROOT\regfile\shell\EditPlus\command]
     @="C:\\Program Files\\Text Ed\\editplus\\editplus.exe \"%1\""

     [HKEY_CLASSES_ROOT\regfile\shell\open]
     @="mer&ge"
     "MUIVerb"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
       6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,2e,00,65,\
       00,78,00,65,00,2c,00,2d,00,33,00,31,00,30,00,00,00

     [HKEY_CLASSES_ROOT\regfile\shell\open\command]
     @="regedit.exe /s \"%1\""

     [HKEY_CLASSES_ROOT\regfile\shell\open2]
     @="mer&ge (not silent)"

     [HKEY_CLASSES_ROOT\regfile\shell\open2\command]
     @="regedit.exe \"%1\""

     [HKEY_CLASSES_ROOT\regfile\shell\print]

     [HKEY_CLASSES_ROOT\regfile\shell\print\command]
     @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
       00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,6f,00,\
       74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,70,00,20,\
       00,22,00,25,00,31,00,22,00,00,00

     [HKEY_CLASSES_ROOT\regfile\shell\send]
     @="&send to reg~in folder.."

     [HKEY_CLASSES_ROOT\regfile\shell\send\command]
     @="send_reg.bat \"%1\""

     [HKEY_CLASSES_ROOT\regfile\ShellEx]

     [HKEY_CLASSES_ROOT\regfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]
     @="{1531d583-8375-4d3f-b5fb-d23bbd169f22}"
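The point made in posts 1 and 4 (a scanner that reads only shell\open\command never learns which verb Explorer actually runs) can be checked offline against .reg text. The following is an added example, not code from this thread or from Malwarebytes: it parses a constructed excerpt shaped like the entries above and resolves the effective double-click action from the ProgID's shell default value, assuming that value names a single verb and that Explorer falls back to the open verb when it is missing.

```python
import re

# Constructed .reg excerpt shaped like the entries posted above (assumed
# illustration values, not a dump of anyone's machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\regfile\shell]
@="EditPlus"
[HKEY_CLASSES_ROOT\regfile\shell\EditPlus\command]
@="C:\\Program Files\\Text Ed\\editplus\\editplus.exe \"%1\""
[HKEY_CLASSES_ROOT\regfile\shell\open]
@="mer&ge"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe /s \"%1\""
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg(text):
    """Parse the .reg subset used here: [key] headers and @="..." default
    values; hex(...) values and continuation lines are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^@="(.*)"$', line)
        if m and current is not None:
            # undo REG_SZ escaping: \" -> " and \\ -> \
            keys[current]['@'] = re.sub(r'\\(["\\])', r'\1', m.group(1))
    return keys

def open_command(keys, progid):
    r"""What a check that only reads <progid>\shell\open\command sees."""
    key = 'hkey_classes_root\\%s\\shell\\open\\command' % progid.lower()
    return keys.get(key, {}).get('@')

def effective_action(keys, progid):
    r"""(verb, command) actually run on double-click: the verb named by the
    default value of <progid>\shell, else 'open' (assumed fallback)."""
    shell = 'hkey_classes_root\\%s\\shell' % progid.lower()
    verb = keys.get(shell, {}).get('@') or 'open'
    cmd = keys.get('%s\\%s\\command' % (shell, verb.lower()), {}).get('@')
    return verb, cmd

def double_click_is_silent_merge(keys):
    """True only when the effective regfile action is regedit.exe /s."""
    _, cmd = effective_action(keys, 'regfile')
    tokens = (cmd or '').lower().split()
    return bool(tokens) and 'regedit' in tokens[0] and '/s' in tokens
```

On the sample, open_command reports the silent merge while effective_action resolves to the EditPlus verb, which is exactly the gap between what the scanner flags and what a double-click does.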
  5. I did attach the zip file, and it showed up under my post as "regfile.zip". After posting, I do not see it. Is this normal? ;o) Cor ps. I would have added this comment to my previous post, but there is no edit option.
  6. The registry keys: no problem. The logs: I can't find any mention of the registry detection in any of my logs. Full text searches for "reg", "open" and other seemingly relevant strings yield zero results. If you tell me exactly what to look for, I'll see if I can pin it down. ;o) Cor
  7. I wasn't referring to the files themselves, but to their default action in the registry. ;o) Cor
  8. I also have different default actions for .bat, .vbs, and many more text executables. MBAM didn't seem to mind about those. Strange. ;o) Cor
  9. I posted about this here: https://forums.malwarebytes.org/index.php?/topic/170814-how-do-i-disable-this-erroneous-message/ and was redirected to this forum. But just like the MBAM preferences, there is file exclusions/forum and web exclusions/forum, but no registry exclusions. In short, when MBAM scans it comes up with "Broken.OpenCommand" for my .reg files. It's not broken, it's set to "edit". I did it. The default open command (merge) is dangerous. I would have thought Malwarebytes would have realized that my change was a good thing. I have since discovered that you can, after unchecking the item and clicking "NEXT", choose to always ignore this "threat", but it would be better if it didn't consider it a threat in the first place! ;o) Cor
  10. Actually, I discovered that if you uncheck the item and click the big NEXT button, MBAM will ask you if you wish to ignore/always ignore/something else (which I didn't read because I was so excited I immediately clicked the "ignore always" option!) the unchecked item, so fingers crossed! ;o) Cor
  11. The first thing I did (after right-clicking the error and getting no menu at all) was to head to the prefs and add an exclusion. No dice. There is an option for files and folders, but not registry keys. Strange. I'll post in the false-positives area. Thanks. ;o) Cor
  12. I don't see how any malware could make the default action for .reg files any more dangerous than the Windows default, so perhaps it should be classified as a false positive. However, because there is no more dangerous action than the Windows default action, I am confused as to why MBAM would even be examining this registry key for changes, which, by definition, could only improve security. I would love to get some clarification on this from the developers. But more than that, I'd just like to be able to disable the message. ;o) Cor
  13. When Malwarebytes scans it comes up with "Broken.OpenCommand" for my .reg files. It's not broken, it's set to "edit". I did it. The default open command (merge) is dangerous. I would have thought Malwarebytes would be smarter than this. So, how do I disable this erroneous message? ;o) Cor