Hi there,
If I want to open an image file, then there is a suspect app - maybe malware? Undetected atm?
I have the following registry entries:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.png\OpenWithProgids]
"AppXcdh38jxzbcberv50vxg2tg4k84kfnewn"=hex(0):
"AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm"=hex(0):
"AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd"=hex(0):
"AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"=hex(0):
"AppXcesbfs704v2mjbts9dkr42s9vmrhxbkj"=hex(0):
Looks a little bit crazy I mean...
AppXcdh38jxzbcberv50vxg2tg4k84kfnewn = Microsoft.MSPaint
AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm = Microsoft.ScreenSketch
AppX43hnxtbyyps62jhe9sqpdzxn1790zetc = Microsoft.Windows.Photos
AppXcesbfs704v2mjbts9dkr42s9vmrhxbkj = Microsoft.Paint
Not sure what AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd is?
Do you see it under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs
If you can see the prog id (AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd) as a key, the value under it will be the fullpackageid. If you run the following PS command, you can filter by the fullpackageid at the top of the output grid view and it will show you details about the package.
Get-AppxPackage | select * | ogv
That might explain it?
Also check under:
HKEY_CURRENT_USER\Software\Classes\Applications
for the entries.
Does that odd entry only appear for certain file types? If you right click on any file and choose "open with", then "choose another app", does it show for exe, dll, etc.. something other than image files?
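The lookup described in the reply above can be done for every entry at once. The script below is an added example, not part of the original thread: it reads the ProgIDs listed for `.png`, checks each against the PackageRepository key and `Get-AppxPackage`, and reports the owning package. It assumes Windows PowerShell on Windows 10 or later; the variable names and the extra `ClassDefined` check are illustrative.

```powershell
# Added example: resolve every ProgID offered for an extension to an AppX package.
$ext     = '.png'
$listKey = "HKCU:\Software\Classes\$ext\OpenWithProgids"
$repoKey = 'HKLM:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs'

$packages = Get-AppxPackage          # packages registered for the current user
$list     = Get-Item -LiteralPath $listKey -ErrorAction Stop

$report = foreach ($progId in $list.GetValueNames()) {
    if ([string]::IsNullOrEmpty($progId)) { continue }   # skip the (Default) value

    # Assumption: the package full name is stored either as a value name or as
    # value data under the ProgID's repository key, so collect both.
    $candidates = @()
    $repoPath   = "$repoKey\$progId"
    $inRepo     = Test-Path -LiteralPath $repoPath
    if ($inRepo) {
        $k = Get-Item -LiteralPath $repoPath
        foreach ($name in $k.GetValueNames()) {
            $candidates += $name
            $candidates += [string]$k.GetValue($name)
        }
    }
    $pkg = $packages | Where-Object { $candidates -contains $_.PackageFullName } |
           Select-Object -First 1

    [pscustomobject]@{
        ProgId          = $progId
        InRepository    = $inRepo
        # Is the ProgID defined as a class at all (per-user or machine-wide)?
        ClassDefined    = (Test-Path -LiteralPath "HKCU:\Software\Classes\$progId") -or
                          (Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\$progId")
        Package         = $pkg.Name
        Publisher       = $pkg.Publisher
        SignatureKind   = $pkg.SignatureKind
        InstallLocation = $pkg.InstallLocation
    }
}

$report | Sort-Object Package | Format-Table -AutoSize -Wrap
```

A row with an empty `Package` column is a ProgID that no package installed for the current user claims, which is the entry to investigate further.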
The key AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd is not under:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs
and here HKEY_CURRENT_USER\Software\Classes\Applications
is only Firefox...
Thanks for your help!
You could maybe search the registry for AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd to see if you can match it back to an application. You could always remove it from the registry having exported it?
Maybe check the keys and values under, for example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList
If you see it with .png files? Maybe try other extensions in that path for other image types?
I would probably run Process Monitor (Process Monitor - Sysinternals | Microsoft Learn) and see what registry keys are read when you reproduce the issue.
Sorry, other than that I don't know but Process Monitor should help identify it. Thanks.
Hi Sophos User,
thanks so much for your effort! I didn't know this app before, it looks nice - but so much output! The search took 38 minutes, and I'm running an i7 with 16G RAM - it looks like I should upgrade to an i12 with 128G RAM. :D
I'm sure that I can solve the issue with this application. Thanks so much!