[MS-Free]

So, I'm trying to really get down-and-dirty with the Windows Registry, Really understand what various entries are, what can be customized, what can't, etc.

I did a complete Export of the Registry from a freshly installed Windows XP (sp2) VM. Going through the export I found 2 keys that make no sense to me... I can't understand why they would possibly be present:

[HKLM\SOFTWARE\Classes\*\OpenWithList\Winword.exe]
[HKLM\SOFTWARE\Classes\*\OpenWithList\Excel.exe]

So the question is: Can anyone explain why these 2 entries would be present when neither Application has been installed?

Its just been bothering me ever sense I noticed; can't seem to find any information about these on Google...

[Advertisements]

If you have search properly, you will find the following:

http://www.google.com.my/search?q=HKLM\SOFTWARE\Classes\*\OpenWithList\Winword.exe&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

http://www.threatexp...2e38625e93b1c1a
http://www.threatexp...80f7cece4579c7f
http://www.threatexp...1e-574b1e61588f

From McAfee site, the registry refers below might be created by "potentially unwanted program" or PUP
http://vil.nai.com/v...nt/v_283029.htm
http://vil.nai.com/v...nt/v_295598.htm

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

But at the same time, the line can be legitimate.
http://support.microsoft.com/kb/258860
http://www.internetf...wer/IF00276.htm

OpenWithlist is a list that is associated with respective application when we right click our mouse and select an application to be Open With

Example Here

To make matter worse, some programs, such as Opera, Firefox, Microsoft Office Picture Manager (OIS.exe), OpenOffice.org and Windows Media Center (WMC) automatically associate themselves with certain filetypes and file extensions, especially for images and video files such as HTML, JPG, JPEG, PNG, GIF, BMP and etc, even if the users never use the program to open the file type. Some programs does not remove its entry in Open With recommended programs list when it’s been uninstalled, effectively mean that users have to manually remove and delete the entry in registry to clear and get rid of unwanted, unneeded or unused programs in Open With or Recommended Programs list.

Note: The programs on the Open With or Recommended Programs list for each file type are independent of that file’s registered or default associated program(s). Thus, deleting or removing a program from Open With list does not unassociate file type with its default program, nor affect the ability to automatically open the file in its default program when double click or click on Open command while right click. However, deletion of some registry keys does remove program’s default definition of file types and extensions it can handle at Default Programs.

Since you mentioned that the system is under VM environment and freshly installed, i would rather think it is a default key in the registry.
Please correct me if i am wrong and sorry for my bad english.

Thanks
roz

Edited by rozario44, 25 October 2010 - 10:28 AM.

[rozario44]

If you have search properly, you will find the following:

http://www.google.com.my/search?q=HKLM\SOFTWARE\Classes\*\OpenWithList\Winword.exe&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

http://www.threatexp...2e38625e93b1c1a
http://www.threatexp...80f7cece4579c7f
http://www.threatexp...1e-574b1e61588f

From McAfee site, the registry refers below might be created by "potentially unwanted program" or PUP
http://vil.nai.com/v...nt/v_283029.htm
http://vil.nai.com/v...nt/v_295598.htm

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

But at the same time, the line can be legitimate.
http://support.microsoft.com/kb/258860
http://www.internetf...wer/IF00276.htm

OpenWithlist is a list that is associated with respective application when we right click our mouse and select an application to be Open With

Example Here

To make matter worse, some programs, such as Opera, Firefox, Microsoft Office Picture Manager (OIS.exe), OpenOffice.org and Windows Media Center (WMC) automatically associate themselves with certain filetypes and file extensions, especially for images and video files such as HTML, JPG, JPEG, PNG, GIF, BMP and etc, even if the users never use the program to open the file type. Some programs does not remove its entry in Open With recommended programs list when it’s been uninstalled, effectively mean that users have to manually remove and delete the entry in registry to clear and get rid of unwanted, unneeded or unused programs in Open With or Recommended Programs list.

Note: The programs on the Open With or Recommended Programs list for each file type are independent of that file’s registered or default associated program(s). Thus, deleting or removing a program from Open With list does not unassociate file type with its default program, nor affect the ability to automatically open the file in its default program when double click or click on Open command while right click. However, deletion of some registry keys does remove program’s default definition of file types and extensions it can handle at Default Programs.

Since you mentioned that the system is under VM environment and freshly installed, i would rather think it is a default key in the registry.
Please correct me if i am wrong and sorry for my bad english.

Thanks
roz

Edited by rozario44, 25 October 2010 - 10:28 AM.

[MS-Free]

...i would rather think it is a default key in the registry.

Which is exactly what I figured... I'm just trying to figure out why its there when the applications aren't installed.

So... If it isn't malware, the question remains: Why are they there?

(I am going through the steps of the Guide for the sake of being thorough though...)

Edited by MS-Free, 25 October 2010 - 03:46 PM.