I summon the collective #DFIR wisdom of Twitter. User attempts to launch Windows Explorer and another program starts instead. I'm assuming a registry setting, but which one?

Oct 15, 2020 · 8:32 PM UTC

15
6
10
Replying to @hal_pomeranz
Use Autoruns.exe and look at the Explorer tab.
Replying to @hal_pomeranz
Check the "Image Hijack" tab on AutoRuns. It will show API hooks that perform execution redirection whenever a target API call is made. Process Explorer actually has a feature that hijacks all Task Manager calls and runs Process Explorer instead, as an example.
Replying to @hal_pomeranz
What happens when Win + E is hit? What happens when you type explorer.exe into the cmd prompt? #find the Explorer executable and see if it's been replaced with rogue program called Explorer.exe
2
Trying to launch how?
1
Debug image path... or shell setting
1
Replying to @hal_pomeranz
Possibly [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "shell" maybe? I'm a *NIX guy, though, so probably wrong.
Replying to @hal_pomeranz
If you think a file association is the issue - HKEY_LOCAL_MACHINE\Software\Classes, HKEY_CURRENT_USER\Software\Classes, or HKEY_CLASSES_ROOT. Remember an Explorer bork may also *try* to restart Explorer too. Task Manager can kill & restart it.
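The replies above point at four places to look: the Winlogon "Shell" value, an Image File Execution Options "Debugger" entry (what Autoruns shows on its Image Hijack tab), the file-association command keys under Software\Classes, and the explorer.exe binary itself. The following triage script is an added example, not code from the thread or from any of the people replying; it reads each of those locations on the affected host and lists anything that would redirect an Explorer launch. The registry paths are standard Windows locations; the "expected" values it compares against (Shell = explorer.exe, exefile command = "%1" %*) are the defaults of a stock install and are assumptions stated in the comments.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell
# prompt on the affected machine. Returns a list of findings; an empty list
# means none of the checked redirection points is set.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Invoke-ExplorerHijackTriage {
    $findings = @()

    # 1. Winlogon "Shell": HKLM default is 'explorer.exe'; the HKCU copy is a
    #    per-user override that does not exist on a stock install.
    foreach ($hive in 'HKLM', 'HKCU') {
        $shell = Get-RegValue "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 'Shell'
        if ($hive -eq 'HKLM' -and $shell -ne 'explorer.exe') {
            $findings += "Winlogon Shell (HKLM) = '$shell' (expected 'explorer.exe')"
        }
        if ($hive -eq 'HKCU' -and $shell) {
            $findings += "Per-user Winlogon Shell override present: '$shell'"
        }
    }

    # 2. Image File Execution Options "Debugger" (the "Debug image path" /
    #    Autoruns Image Hijack case). Any Debugger value replaces the target
    #    process with the named program, so every one is worth a look.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = Get-RegValue $key.PSPath 'Debugger'
        if ($dbg) { $findings += "IFEO Debugger on $($key.PSChildName): '$dbg'" }
    }

    # 3. File-association open commands for folders/drives and for .exe files.
    #    HKCU\Software\Classes wins over HKLM when present, so any HKCU entry
    #    is reported; HKLM entries are checked against the stock values.
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        foreach ($cls in 'Folder', 'Directory', 'Drive', 'exefile') {
            $cmd = Get-RegValue "$root\$cls\shell\open\command" '(default)'
            if (-not $cmd) { continue }
            if ($root -like 'HKCU*') {
                $findings += "Per-user $cls open command: '$cmd'"
            } elseif ($cls -eq 'exefile' -and $cmd -ne '"%1" %*') {
                $findings += "exefile open command changed: '$cmd' (expected '`"%1`" %*')"
            } elseif ($cls -ne 'exefile' -and $cmd -notmatch 'explorer\.exe') {
                $findings += "$cls open command does not launch Explorer: '$cmd'"
            }
        }
    }

    # 4. The binary itself: is explorer.exe resolved from %SystemRoot%, and is
    #    that file still Microsoft-signed (catalog signature on a stock system)?
    $expected = Join-Path $env:SystemRoot 'explorer.exe'
    $resolved = (Get-Command explorer.exe -ErrorAction SilentlyContinue).Source
    if ($resolved -and $resolved -ne $expected) {
        $findings += "'explorer.exe' resolves to '$resolved', not '$expected'"
    }
    $sig = Get-AuthenticodeSignature -FilePath $expected
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "$expected signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }

    return $findings
}

$result = Invoke-ExplorerHijackTriage
if ($result.Count -eq 0) { 'No Explorer redirection found in the checked locations.' }
else { $result }
```

The script only reads; it changes nothing, so it is safe to run before deciding whether to image the box. A hit in section 2 or 3 tells you which key to export for the case notes, and section 4 covers the "rogue Explorer.exe" possibility raised in the thread, which none of the registry checks would catch on their own.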