
Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.

The MS XP/2K defaults, like those listed here, would be "%1" %*

In looking through info, the /s parameter does show as a 9x default, and screensaver info sites suggest it's to "run the screen saver in full-screen mode". Maybe instead parameters that now run from whatever is in the app info?


You know you're slow when you miss 'em while they're in beta. Scanned with 1.29 and no, it didn't alert to the "%1" %* reg value this time. Nice tip from Mo was looking through the default HIVECLS.INF strings, though these do indicate "%1" /S as well. Not quite sold though that some apps don't need the %* for their uses.


Hi Everyone,

I'm afraid it isn't fixed and was correct to begin with.

I joined to be able to chime in here on this point since my name has been mentioned and I have been consulted elsewhere on this point. To save typing, some of what I posted elsewhere will be repeated here. I disagree and want to be sure to clarify my opinion, although a small point.

I did read the link to the MS article, but for some reason whoever wrote that article, regarding the screensaver file association, did not update their information on the file association. This does happen at the KB from time to time.

In XP, if you leave this "%1" %* alone as the Shell\open\command, you have changed the default file association.


"%1" %* or "%1" /s: Which to use and what do they do?

If you look at the key, you'll see the default verb, Open, is called Test on the context menu.

If you use the first, you'll get a Settings dialog and there will be options to configure the screensaver. But some scr's have nothing to configure. So if you use

"%1" %*

some scr's like ssbezier.scr will give a no options to configure message.

But if you use the second, you'll just see the screensaver running as it usually does.

It's like using Display Properties > screensaver tab and choosing either preview or settings. On XP, the .scr context menu has the configure entry. That's the entry we would click to bring up the test dialog if the defaults were in place.

To find out what the default is, (and for XP it is the /s switch) go to i386 and open HIVECLS.INF in notepad.

HKCR,"scrfile","",0x00000002,"%SCREEN_SAVER%"
HKCR,"scrfile\shell",,0x00000012
HKCR,"scrfile\shell\config","",0x00000002,"%_CONFIGURE%"
HKCR,"scrfile\shell\config\command","",0x00000002,"""%1"""
HKCR,"scrfile\shell\install","",0x00000002,"%_INSTALL%"
HKCR,"scrfile\shell\install\command","",0x00000002,"rundll32.exe desk.cpl,InstallScreenSaver %l"
HKCR,"scrfile\shell\open","",0x00000002,"%_TEST%"
HKCR,"scrfile\shell\open\command","",0x00000002,"""%1"" /S"


The default open command should open and run the screensaver. If you should want to configure it, then you would use the other context menu entry to bring up the Configure screen.

Quote from Jintan:

Not quite sold though that some apps don't need the %* for their uses.


Still, though, not here and not to open the screensaver itself. Scrfiles require the /s switch in XP to just run.

I do not recommend this, but if you were to change exefile shell\open\command from the standard

"%1" %*

to this:


You'd find that exes still would run.

But leave it alone and please don't take this as advice. It is just an example. It's best to use defaults here. All this means is that the file is self opening. In the open with box to run calc, you select calc as the file to use to open calc.....

The i386\HIVECLS.INF IS the setup for the defaults when Windows is installed. And why would another app want to bring up the Setup screen by using the wrong switch? Things change when Windows brings out a new OS.

Since people don't usually try to run a screensaver by double clicking on the file, it isn't odd that this change wouldn't be noticed. But that doesn't change the fact that the association has been changed.


It's likely that another inf file or utility may have been run on these systems and made the change which is now being ignored.

Although not nefarious, no malware file is being called through this change, it still does break something.


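The comparison the post above describes, as an added example that is not part of the original thread and is not Malwarebytes' or Microsoft's code: it parses the HIVECLS.INF lines quoted in that post and checks an observed `scrfile\shell\open\command` value against that baseline. The function names and the three result labels are assumptions of this example.

```python
import csv

# AddReg lines as quoted from i386\HIVECLS.INF in the post above.
HIVECLS_EXCERPT = r'''
HKCR,"scrfile\shell",,0x00000012
HKCR,"scrfile\shell\config\command","",0x00000002,"""%1"""
HKCR,"scrfile\shell\install\command","",0x00000002,"rundll32.exe desk.cpl,InstallScreenSaver %l"
HKCR,"scrfile\shell\open\command","",0x00000002,"""%1"" /S"
'''

def parse_addreg(text):
    """Return {(root, subkey_lowercased, value_name): data} for AddReg lines.

    INF fields are comma separated; a quoted field may contain commas and
    writes an embedded quote as a doubled quote, which matches csv's default.
    """
    entries = {}
    for row in csv.reader(text.strip().splitlines()):
        if len(row) < 5:          # key-only line (no data field), nothing to compare
            continue
        root, subkey, name = row[0], row[1].lower(), row[2]
        entries[(root, subkey, name)] = row[4]
    return entries

def _norm(command):
    # Collapse whitespace and case so "/S" and "/s" compare equal.
    return " ".join(command.split()).lower()

def classify_open_command(observed, baseline, progid="scrfile"):
    """Compare an observed shell\\open\\command default value with the INF baseline.

    The three labels are this example's own, not a scanner's detection names.
    """
    expected = baseline[("HKCR", progid + r"\shell\open\command", "")]
    if _norm(observed) == _norm(expected):
        return "default"
    if _norm(observed).startswith('"%1"'):
        return "self-opening, non-default arguments"
    return "opened by another program"

BASELINE = parse_addreg(HIVECLS_EXCERPT)

if __name__ == "__main__":
    # Values reported in this thread's scan logs.
    for value in ('"%1" /S', '"%1" %*', 'NOTEPAD.EXE %1'):
        print(f"{value!r:20} -> {classify_open_command(value, BASELINE)}")
```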

Think I posted myself into a corner here. Probably won't make things any better, but since AVG7 has been run on the system where the earlier Mbam results came from:




"%1" %*


"%1" %*


"%1" %*


"%1" %*


"%1" %*


"%1" %*






%windir%\NOTEPAD.EXE %1

Haven't looked at 8's files to see if there's a change. And if Grisoft posts next I'm pleading nolo contendere (like I should have in the beginning anyway).


  • 8 months later...

:( I'm a rookie at writing to this forum, but what I see on this subject is a lot of computerese and not helping.

A colleague has

Registry Data Items Infected:


(Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action



(Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Using REGEDIT, I looked for the first infection on my PC, but do not have anything on my computer as my colleague does. Can you please help me rid his computer of this? What other information do you need?

Thank you, in advance,

