TeMerc

HKLM_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe


User from support, nothing else detecting this and I'm not 100% sure it's bad, so here is the dev log. User is not experiencing any problems. SAS Pro, Outpost and Prevx Edge didn't detect anything and user claims IE is always sandboxed.

Malwarebytes' Anti-Malware 1.33 

Version de la base de donn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe

Tom, aside from malware using this to make something run in the place of explorer, does this have a legit use?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe

Tom, aside from malware using this to make something run in the place of explorer, does this have a legit use?

Can't say I can find any, but then again, I'm no expert such as yourself. When in doubt, I always ask.


From the user about if machine had experienced any problems prior to this detection:

My laptop is brand new, and my browsers are sandboxed (latest version of Sandboxie). I rarely use IE, and my default browser is Opera. With Outpost Internet Security and Prevx Edge as real-time prevention software, everything has always been fine.

Anyway the would-be malware is quarantined now.


I noticed the same detection of the key in the registry of my machines, no value set.

Asked around and a developer told me the key is installed by default.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe

Tom, aside from malware using this to make something run in the place of explorer, does this have a legit use?

Hi, there may be some legit uses with tools like StripMyRights or DropMyRights:

http://www.sysint.no/nedlasting/StripMyRights.htm

Their purpose is to start programs with reduced privileges, without leaving an admin session. The main example is to use a browser with guest privileges/rights, from an admin session, on XP (since there is no UAC).

The Debugger key in Image File Execution Options can be used by StripMyRights.

Statistically, malware will probably use this key more than us, but it can be legit.

The good thing is that DropMyRights and StripMyRights (unless renamed) are often easy to detect.

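To turn the thread's conclusion into a check a technician can run, here is an added audit script (not posted by anyone in the thread and not part of any tool it names). It lists every Image File Execution Options subkey, reports those that carry a Debugger value, and marks the StripMyRights/DropMyRights case separately; the tool file names are assumed to be unchanged, and the script assumes a Windows host with read access to HKLM.

```powershell
# Added example: audit IFEO Debugger redirections from the defender's side.
# Assumption: StripMyRights.exe / DropMyRights.exe are the unrenamed tool names.
$IfeoPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$KnownTools = @('StripMyRights.exe', 'DropMyRights.exe')

function Get-IfeoDebuggerEntries {
    param([string]$Path = $IfeoPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $props    = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $debugger = $props.Debugger

        if (-not $debugger) {
            # Key present but no Debugger value: nothing is redirected (the
            # "no value set" situation described earlier in the thread).
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = ''
                Verdict  = 'key only, no redirection'
            }
            return
        }

        # First token of the Debugger value is the launcher; strip quotes.
        $launcher = ($debugger -split '\s+')[0].Trim('"')
        $exeName  = [System.IO.Path]::GetFileName($launcher)

        $verdict = if ($KnownTools -contains $exeName) {
            'known rights-dropping tool (confirm file path and hash)'
        } else {
            'REVIEW: process launch is being redirected'
        }

        [pscustomobject]@{
            Image    = $_.PSChildName
            Debugger = $debugger
            Verdict  = $verdict
        }
    }
}

# Show everything, with the redirected images first.
Get-IfeoDebuggerEntries |
    Sort-Object { $_.Debugger -eq '' } |
    Format-Table -AutoSize
```

An Explorer.exe entry that shows up as "key only, no redirection" matches what the developer told the last poster; an entry with a Debugger value is the case worth investigating.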
