
HKLM_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe



  • Staff

User from support, nothing else detecting this and I'm not 100% sure it's bad, so here is dev log. User is not experiencing any problems. SAS pro, Outpost and Prevx Edge didn't detect anything and user claims IE is always sandboxed.

Malwarebytes' Anti-Malware 1.33 

Version de la base de donn


  • Staff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe

Tom, aside from malware using this to make something run in the place of explorer, does this have a legit use?

Can't say I can find any, but then again, I'm no expert such as yourself. When in doubt, I always ask.

  • Staff

From the user about if machine had experienced any problems prior to this detection:

My laptop is brand new, and my browsers are sandboxed (latest version of Sandboxie). I rarely use IE, and my default browser is Opera. With Outpost Internet Security and Prevx Edge as real-time prevention software everything has always been fine.

Anyway the would-be malware is quarantined now.


  • 5 months later...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe

Tom, aside from malware using this to make something run in the place of explorer, does this have a legit use?

Hi, there may be some legit uses with tools like StripMyRights or DropMyRights:


Their purpose is to start programs with reduced privileges, without leaving an admin session. The main example is to use a browser with guest privileges/rights, from an admin session, on XP (since there is no UAC).

The Debugger key in Image File Execution Options can be used by StripMyRights.

Statistically, malware will probably use this key more than us, but it can be legit.

The good thing is that DropMyRights and StripMyRights (unless renamed) are often easy to detect.

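A triage sketch for the question raised in this thread, added here as an example and not part of any of the posts above: it lists every image under Image File Execution Options that has a Debugger value and shows whether the target is one of the two launchers named in the last reply. The function name `Get-IfeoDebugger` and the allow-list of executable names are assumptions made for illustration.

```powershell
# Added example: audit Image File Execution Options (IFEO) Debugger values.
# Registry path taken from the thread; everything else here is illustrative.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumed file names of the two tools mentioned in the thread.
$KnownLaunchers = @('StripMyRights.exe', 'DropMyRights.exe')

function Get-IfeoDebugger {
    param([string]$Root = $IfeoRoot)

    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        # Only subkeys that actually redirect execution are of interest.
        $debugger = $key.GetValue('Debugger')
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        # First token of the command line: quoted path, or text up to the first space.
        # An unquoted path containing spaces is truncated here, so read the raw
        # Debugger column as well.
        $exe = $null
        if ($debugger -match '^\s*(?:"([^"]+)"|(\S+))') {
            $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        }

        # A bare name such as "tool.exe" is resolved against the current directory
        # by Test-Path, so Exists = False does not prove the file is absent.
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        $sigStatus = if ($exists) {
            [string](Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else {
            'NotChecked'
        }

        [pscustomobject]@{
            Image         = $key.PSChildName   # e.g. Explorer.exe
            Debugger      = $debugger          # raw value, for manual review
            Executable    = $exe
            Exists        = $exists
            Signature     = $sigStatus
            # Name match only: a renamed binary defeats it, as the thread notes.
            KnownLauncher = [bool]($exe -and ($KnownLaunchers -contains (Split-Path -Leaf $exe)))
        }
    }
}

# Entries that are not a known launcher sort first and deserve the closest look.
Get-IfeoDebugger | Sort-Object KnownLauncher, Image | Format-List
```

A row for Explorer.exe whose Executable is neither launcher, or whose file name matches but sits in an unexpected directory, is the case the detection in this thread is about.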
