FileExts

Overview

Evidence: FileExts
Description: Enumerate FileExts
Category: Registry
Platform: Windows
Short Name: fileexts
Is Parsed: Yes - Registry data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows maintains per-user file extension associations that track which programs are used to open specific file types. This includes the OpenWithList (programs used to open the extension), OpenWithProgids (program identifiers), and UserChoice (user-selected default program).

Changes to file associations can indicate user preference changes or potential malware that associates itself with specific file types for persistence or execution.

Data Collected

Field           | Description                        | Example
----------------|------------------------------------|------------------------------------------------------------------
KeyPath         | Registry key path                  | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx
LastWriteTime   | Registry key last write time       | 2023-10-15T14:30:00
Username        | User account name                  | user
Extension       | File extension                     | .docx
OpenWithList    | Comma-separated list of programs   | WINWORD.EXE,notepad.exe
OpenWithProgIDs | Comma-separated program IDs        | Word.Document.12,txtfile
UserChoice      | User-selected default program      | Word.Document.12
RegPath         | Path to registry hive              | Registry/ntuser.dat

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*

  • For each extension, reads:

    • OpenWithList MRU

    • OpenWithProgids value names

    • UserChoice ProgId

  • Filters out non-extension keys (must start with ".")

Usage

File extension associations can reveal user preferences and expose malicious associations. Investigators use this data to:

  • Identify suspicious program associations

  • Detect malware hijacking file extensions

  • Track the user's preferred applications

  • Identify attempts to open malicious file types

  • Detect persistence via file association

  • Analyze user behavior with specific file types

Known Limitations

  • Per-user settings (system-wide associations not captured)

  • Only populated for extensions the user has interacted with

  • Can be modified by users or malware

  • Some associations controlled by Group Policy

Notes

Malware sometimes modifies file associations to ensure execution when users open common file types. Pay attention to unusual programs associated with common extensions like .txt, .pdf, or .docx.
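To make the two steps above concrete, here is an added example (not the collector's own code) that first resolves the OpenWithList MRU order from the raw value names, then triages records in the format described under "Data Collected" against an allowlist of expected handlers per common extension. The allowlist, the sample records and the updater.exe handler are constructed for illustration.

```python
# Added example (not the collector's code): resolve OpenWithList MRU order and triage parsed FileExts records.

def open_with_list_mru(values):
    """Return OpenWithList programs in MRU order (most recent first).
    values maps raw value names to data: single-letter names hold program
    names and MRUList lists those letters in most-recent-first order."""
    order = values.get("MRUList", "")
    programs = [values[letter] for letter in order if letter in values]
    # Letters missing from MRUList are appended so no program is dropped.
    programs += [v for k, v in sorted(values.items())
                 if len(k) == 1 and k not in order]
    return programs

# Constructed allowlist of handlers an analyst expects for common extensions.
EXPECTED = {
    ".txt": {"notepad.exe", "txtfile"},
    ".docx": {"winword.exe", "notepad.exe", "word.document.12"},
    ".pdf": {"acrord32.exe", "msedge.exe"},
}

def triage(records, expected=EXPECTED):
    """Flag records whose handlers fall outside the expected set for the extension."""
    findings = []
    for rec in records:
        ext = rec["Extension"].lower()
        # Mirror the collector's filter: only names starting with "." are extensions.
        if not ext.startswith(".") or ext not in expected:
            continue
        handlers = set()
        for field in ("OpenWithList", "OpenWithProgIDs"):
            handlers.update(p.strip().lower() for p in rec.get(field, "").split(",") if p.strip())
        if rec.get("UserChoice"):
            handlers.add(rec["UserChoice"].lower())
        unexpected = sorted(handlers - expected[ext])
        if unexpected:
            findings.append((rec["Username"], ext, unexpected))
    return findings

# Constructed sample records in the collector's output format.
SAMPLE = [
    {"Username": "user", "Extension": ".docx", "OpenWithList": "WINWORD.EXE,notepad.exe",
     "OpenWithProgIDs": "Word.Document.12", "UserChoice": "Word.Document.12"},
    {"Username": "user", "Extension": ".txt", "OpenWithList": "notepad.exe,updater.exe",
     "OpenWithProgIDs": "txtfile", "UserChoice": "Applications\\updater.exe"},
]

if __name__ == "__main__":
    for username, ext, programs in triage(SAMPLE):
        print(f"{username}: {ext} -> unexpected handler(s) {programs}")
```

Flagged handlers are a starting point for review, not a verdict: confirm the program's path, signature and the key's LastWriteTime before treating an association as hijacked.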
