FileExts
Overview
Evidence: FileExts
Description: Enumerate FileExts
Category: System
Platform: windows
Short Name: fileexts
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows maintains per-user file extension associations under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts that record which programs a user has opened specific file types with. Each extension key holds an OpenWithList (programs used to open the extension, ordered by an MRUList value), OpenWithProgids (the program identifiers registered for the extension, stored as value names) and UserChoice (the default program the user selected, stored as a ProgId value). On Windows 8 and later, UserChoice also carries a Hash value that Explorer validates; a ProgId written directly to the registry without a valid hash is ignored and the association is reset, so the presence of that value matters when judging whether a key was tampered with.
Changes to file associations can reflect ordinary user preference changes, but they can also indicate malware that associates itself with specific file types for persistence or execution, so unexpected handlers and last-write times are worth checking.
Data Collected
This collector produces one record per extension key under each user's FileExts key, with the fields below.
FileExts Data
Field            Description                                         Example
KeyPath          Registry key path                                   Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx
LastWriteTime    Registry key last write time                        2023-10-15T14:30:00
Username         User account name                                   user
Extension        File extension                                      .docx
OpenWithList     Comma-separated list of programs from OpenWithList  WINWORD.EXE,notepad.exe
OpenWithProgIDs  Comma-separated program IDs (OpenWithProgids value names)  Word.Document.12,txtfile
UserChoice       User-selected default program (UserChoice\ProgId)   Word.Document.12
RegPath          Path to the registry hive the record came from      Registry/ntuser.dat
Collection Method
This collector:
- Collects user registry hives (ntuser.dat)
- Searches for Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*
- For each extension key, reads:
  - OpenWithList (MRU order)
  - OpenWithProgids value names
  - UserChoice ProgId
- Filters out non-extension keys (the key name must start with ".")
Forensic Value
File extension associations reveal user preferences and can expose malicious associations. Investigators use this data to identify suspicious program associations, detect malware hijacking file extensions, track the user's preferred applications, identify attempts to open malicious file types (for example, a script or shortcut extension that has been opened with an unexpected handler), detect persistence via file association, and analyze user behavior with specific file types. Because the record carries the key's last write time, a changed association can also be placed on the timeline alongside other user activity.
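The parsing steps listed under Collection Method and the triage questions raised here can be shown in a single script. This is an added example, not the collector's own code: the FileExts subtree is modelled as nested dicts (constructed sample data at the bottom, not from a real hive) so it runs offline, and the two triage rules in triage() are heuristics chosen for this example rather than rules the page defines. To run it against a real NTUSER.DAT, build the same dict shape from your hive reader's subkey, value and timestamp accessors.

```python
"""Parse Explorer FileExts associations from a hive subtree and triage them.

Added example, not the collector's own code.  The FileExts subtree is
modelled as nested dicts ({"last_write": datetime, "subkeys": {...},
"values": {...}}) built from constructed sample data so the script runs
offline.  The triage rules are heuristics of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FILEEXTS_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"

# Extensions whose handler decides whether code runs; a UserChoice on one of
# these deserves a look (heuristic set chosen for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}


@dataclass
class FileExtRecord:
    username: str
    reg_path: str
    key_path: str
    last_write_time: datetime
    extension: str
    open_with_list: list[str]       # most recently used first
    open_with_progids: list[str]
    user_choice: Optional[str]
    user_choice_has_hash: bool


def ordered_open_with_list(values: dict) -> list[str]:
    """Return OpenWithList programs in MRU order.

    Each program sits under a single-letter value name (a, b, c ...) and the
    MRUList string (e.g. "ba") lists those letters most recent first.
    Letters missing from MRUList are appended so nothing is dropped.
    """
    mru = (values.get("MRUList") or "").lower()
    entries = {k.lower(): v for k, v in values.items()
               if len(k) == 1 and k.isalpha()}
    ordered = [entries[c] for c in mru if c in entries]
    ordered += [v for k, v in sorted(entries.items()) if k not in mru]
    return ordered


def parse_fileexts(fileexts_key: dict, username: str, reg_path: str) -> list[FileExtRecord]:
    """Walk FileExts\\* and build one record per extension key."""
    records = []
    for name, key in fileexts_key.get("subkeys", {}).items():
        if not name.startswith("."):           # skip non-extension keys
            continue
        subs = key.get("subkeys", {})
        owl = subs.get("OpenWithList", {}).get("values", {})
        progids = subs.get("OpenWithProgids", {}).get("values", {})
        choice = subs.get("UserChoice", {}).get("values", {})
        records.append(FileExtRecord(
            username=username,
            reg_path=reg_path,
            key_path=f"{FILEEXTS_PATH}\\{name}",
            last_write_time=key["last_write"],
            extension=name,
            open_with_list=ordered_open_with_list(owl),
            open_with_progids=list(progids.keys()),   # value names are the ProgIds
            user_choice=choice.get("ProgId"),
            user_choice_has_hash="Hash" in choice,
        ))
    return records


def triage(rec: FileExtRecord) -> list[str]:
    """Heuristic flags for one association record (example rules)."""
    reasons = []
    if rec.user_choice and not rec.user_choice_has_hash:
        # Windows 8+ writes a Hash beside ProgId and ignores UserChoice when
        # it is missing or wrong; a bare ProgId points to a direct registry
        # write rather than the Default Programs UI.
        reasons.append("UserChoice has ProgId but no Hash value")
    if rec.user_choice and rec.extension.lower() in EXECUTABLE_EXTS:
        reasons.append("UserChoice set on an executable/script extension")
    return reasons


# Constructed sample of a FileExts subtree (not taken from a real hive).
SAMPLE_FILEEXTS = {
    "last_write": datetime(2023, 10, 15, 14, 30),
    "subkeys": {
        ".docx": {
            "last_write": datetime(2023, 10, 15, 14, 30),
            "subkeys": {
                "OpenWithList": {"values": {"a": "notepad.exe", "b": "WINWORD.EXE", "MRUList": "ba"}},
                "OpenWithProgids": {"values": {"Word.Document.12": b"", "txtfile": b""}},
                "UserChoice": {"values": {"ProgId": "Word.Document.12", "Hash": "c0nstructedHash="}},
            },
        },
        ".js": {
            "last_write": datetime(2023, 10, 16, 9, 5),
            "subkeys": {
                "OpenWithList": {"values": {"a": "wscript.exe", "MRUList": "a"}},
                "UserChoice": {"values": {"ProgId": "Applications\\wscript.exe"}},  # no Hash
            },
        },
        "NotAnExtension": {"last_write": datetime(2023, 1, 1), "subkeys": {}},
    },
}

if __name__ == "__main__":
    for rec in parse_fileexts(SAMPLE_FILEEXTS, "user", "Registry/ntuser.dat"):
        print(rec.extension, rec.open_with_list, rec.user_choice, triage(rec) or "ok")
```

The MRU ordering is the part worth keeping straight: the collector's OpenWithList field is only useful for "what did the user open this with most recently" if the MRUList value is honoured rather than the alphabetical value names. The Hash check is a coarse signal, not proof of tampering; it says the key was not written through the normal Windows UI, and the key's last write time then tells you when.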