# FileExts

## Overview

**Evidence:** FileExts\
**Description:** Enumerate FileExts\
**Category:** System\
**Platform:** windows\
**Short Name:** fileexts\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Windows maintains per-user file extension associations that track which programs are used to open specific file types. This includes the OpenWithList (programs used to open the extension), OpenWithProgids (program identifiers), and UserChoice (user-selected default program).

Changes to file associations can indicate user preference changes or potential malware that associates itself with specific file types for persistence or execution.

## Data Collected

This collector gathers structured data about fileexts.

### FileExts Data

| Field             | Description                      | Example                                                          |
| ----------------- | -------------------------------- | ---------------------------------------------------------------- |
| `KeyPath`         | Registry key path                | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.docx |
| `LastWriteTime`   | Registry key last write time     | 2023-10-15T14:30:00                                              |
| `Username`        | User account name                | user                                                             |
| `Extension`       | File extension                   | .docx                                                            |
| `OpenWithList`    | Comma-separated list of programs | WINWORD.EXE,notepad.exe                                          |
| `OpenWithProgIDs` | Comma-separated program IDs      | Word.Document.12,txtfile                                         |
| `UserChoice`      | User-selected default program    | Word.Document.12                                                 |
| `RegPath`         | Path to registry hive            | Registry/ntuser.dat                                              |

## Collection Method

This collector:

* Collects user registry hives (ntuser.dat)
* Searches for: `Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*`
* For each extension, reads:
  * OpenWithList MRU
  * OpenWithProgids value names
  * UserChoice ProgId
* Filters out non-extension keys (must start with ".")

## Forensic Value

File extension associations can reveal user preferences and detect malicious associations. Investigators use this data to identify suspicious program associations, detect malware hijacking file extensions, track user's preferred applications, identify attempts to open malicious file types, detect persistence via file association, and analyze user behavior with specific file types.