"Edit File Type" Questions RE: "explore" & "open" Actions / "Edit" & "Remove" Buttons

Discussion in 'Windows XP' started by mailman, 2006/08/28.

  1. 2006/08/28
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, all.

    After participating in this thread, I thought of a few questions for Windows XP people.

    I am investigating a possible rootkit infection (as I think of avenues to take) regarding C:\WINDOWS\explorer.exe being "hidden". (Therefore, anything possibly related to "explorer" grabs my attention.) :rolleyes:


    In Windows Explorer, when one clicks Tools > Folder Options > File Types tab > selects "Folder" > clicks the "Advanced" button > "Edit File Type" window:

    1. In the "Edit File Type" window, is the "explore" action typically included with default installations of Windows XP?
    2. If yes to question 1, is the "explore" action typically ALL lowercase on default installations of Windows XP (Home version)? I would think it would normally be capitalized as "Explore". If so, do you have any ideas about what might modify explore to make it all lowercase (other than directly editing the filename via keyboard)?
    3. In the "Edit File Type" window, when the "explore" action (or any other action) is selected, are the "Edit" and "Remove" buttons typically grayed out? If so, then why? If not, then how could one proceed to make those actions for the Folder File Types editable?
      (I am willing to poke around the registry if necessary at my own risk.)

    ===========

    If you don't feel equipped to answer the above questions, would you please at least look at your Windows XP "Edit File Type" settings for the Folder file type and answer the following questions in regards to your machine?


    In Windows Explorer, please click Tools > Folder Options > File Types tab > select "Folder" > click the "Advanced" button > "Edit File Type" window (screenshot is included in this post I linked):

    1. Do you have an "explore" action displayed on your installation of Windows XP? If so, what version of XP do you have? Home or Pro? OEM or retail?
    2. If you have an "explore" action displayed, how is the "explore" action displayed on your installation of Windows XP (explore, Explore, EXPLORE, etc)?
    3. Are the Edit and Remove buttons grayed out on your installation of Windows XP?


    The open action in the Folder>Edit File Types window is also in ALL lowercase for the computer in question. Same for you?
     
    Last edited: 2006/08/28
  2. 2006/08/28
    Gordon

    Gordon Well-Known Member

    Joined:
    2002/05/22
    Messages:
    117
    Likes Received:
    2
    explore

    Windows XP home SP2, retail.
    I have 'explore', all lower case.
    Edit and Remove buttons are grayed out.

    I don't think I have ever changed that option, so I would have to say that I am 99% sure that was the default for me.

    Gordon
     

  4. 2006/08/28
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Thank you, Gordon. :)

    I can rest a little easier knowing someone else out there has the same setup as me (Win XP SP2 Home Retail) with the same lowercase letters and grayed buttons as me. The "hidden" file alert I saw a few days ago when I was scanning my system for rootkits has been bugging me bigtime.

    Thanks again!


    Anybody else want to pitch in with their answers (please)?
     
    Last edited: 2006/08/28
  5. 2006/08/28
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Looked at 4 installations - two of mine, and called up two friends and all are as you describe. All OEM - SP2.

    All lower case. Judging from that - explore is not normally capitalized. You should ask/look at other Home systems. Don't know about Pro - next time I'm at the office, I'll look.

    All grayed out and can't tell you why because I never had cause to concern myself with it.

    It is capitalized on the right click context menu.

    I think you can rest easy on this issue :)

    Regards - Charles
     
  6. 2006/08/28
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    FWIW, mine also has explore in all lower case letters. The edit and remove buttons are also greyed out.
     
  7. 2006/08/28
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Whew! Wow! Thanks for all your checking, guys!

    OK. I'll just write off the "hidden process" issue as a GMER fluke (for now). I had instructed GMER to kill the "hidden" C:\WINDOWS\explorer.exe process and it remained visible under GMER's Processes tab during that session. However, I haven't seen any "hidden" process since then with numerous subsequent GMER scans/reboots. I have also scanned with several other anti-rootkit apps and all of them reported clean too.

    I suppose it is remotely possible I have a particularly stealthy Gromozon rootkit or something :rolleyes:, but I certainly won't lose sleep over that, thanks to you. :)

    I'll check every computer I can for awhile (out of curiosity rather than fear) to see how they're configured. :D If I find any discrepancies, I'll let you know!


    Thanks again!
     
  8. 2006/08/29
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    There's a longstanding, persistent tradition of using lower case while programming, and this persists in all versions of windows outside the security sphere (it makes a difference in passwords). To test this fact that case makes no difference in the cases mentioned in this thread, try typing in a Run Window (start-r) msconfig or another built-in process, varying the case any way you like, like MsCoNfIg. :D

    Same with explorer.
     
  9. 2006/08/29
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Thanks, sparrow. :) I'll elaborate a bit...


    Coupled with my recent paranoia about strangeness regarding anything that might be related to the "hidden" explorer.exe process I observed with GMER a few days ago, that longstanding "programmers' tradition" of using all lowercase was, in fact, at the heart of my (apparently unfounded) suspicion in this case.

    The attached image shows my "Edit File Types" (EFT) window for the "Folder" filetype. All "Actions" in my EFT window are capitalized except for "explore" and "open".

    Therefore, it seems the EFT window is a GUI intended for Windows users rather than programmers. My (apparently unfounded) suspicion was that some hacker or trojan (written by a programmer) added the "explore" and "open" EFT actions or a trojan had replaced the default "Explore" and "Open" actions.


    Then my paranoia heightened even more when I considered the disabled "Edit" and "Remove" buttons in the EFT window (for the "Folder" filetype). I was following a thread where Steve R Jones (Staff) advised someone to "edit" an action in their EFT window for the "Folder" filetype. I was curious, so I looked in my EFT to see if I could replicate Steve's suggestion and found I cannot edit ANY entry in my EFT window for the "Folder" filetype. Therefore, I was confused (and I still am).


    Thanks to Gordon, Charles, and Zander's verification that the EFT window's "explore" action is apparently not capitalized in many (all?) Windows XP installations, I can be at peace with the EFT window inconsistencies...for now. :)

    I still don't understand the "under the hood" workings of the EFT window (such as where the EFT GUI ties to in the registry) and why the "Edit" and "Remove" buttons in the EFT window for the "Folder" filetype are disabled. Some day, when I want to devote a couple hours to it, I'll poke around my registry.


    EDIT: BTW, I do realize that all the capitalized actions in my attached screenshot refer to non-Microsoft applications. This seems to further support my idea that the EFT GUI is intended for the "non-programmer" type of Windows user (because all these independent 3rd parties capitalized their actions). However, I have found other all-lowercase actions (such as "find") in EFT windows for other filetypes (which, so far, I assume are Microsoft actions). I will probably investigate this further, especially if it starts to bug me enough. :)
     
    Last edited: 2006/08/29
  10. 2006/08/30
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    My point is that it's purely accidental whether a word in a menu is capitalized; there is no hidden meaning. RE: the programmers; windows is obviously meant for non programmers, but carries forward many habitual features that have endured for a long time. Remember that windows is a product of committees and as such has many spoons in the stew.

    Examining your concern, found all possibilities on my XP Pro, including no entries in the field.
     
  11. 2006/08/30
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, Sparrow. Thanks for elaborating on your point. I hope you realize I am not arguing regarding your point at all. It's 100% sound. :)

    I'll elaborate on my point a little more too. :) Perhaps I should have stated in my most recent post immediately above:

    • My (apparently unfounded) suspicion was that some hacker (programmer) or trojan (written by a programmer) added the "explore" and "open" EFT actions (and the programmer forgot to stealthily capitalize those actions to make them blend in better with other actions that seem to be consistently capitalized).
    That's pretty wordy, eh?

    Thanks for taking the time to check that out and report! :) I have also noticed similar such normal inconsistencies in the past regarding Windows which, of course, is a stew produced by many chefs. For example, I've noticed evidence in HJT logs where the legitimate explore.exe has such letter case variations, apparently depending on what Windows version and/or service pack is involved. Knowing that the letter case in filenames (and program code) historically varies in general, I have not been concerned about such variations.


    Now I'll stray from the thread topic a little since my paranoia issue is resolved. (Thanks again, everyone!)

    IMHO, programmers of legitimate applications should be required by their employers to follow certain letter case rules for the end user GUI. For example, programmers who are involved with producing EFT action names should remember to capitalize the names for those EFT actions. The end user's perception of quality and attention to "proper" detail is important from a marketing perspective. Those EFT actions are titles in a sense, so those actions should be properly capitalized. People who are at all familiar with programming and its traditions might not be concerned with letter case (although I obviously am). However, people who see such titles with all lowercase letters may have a perception of "2nd rate", especially if they are mixed in with properly capitalized actions.


    Now I'll stray from the original thread topic a LOT ... :)

    Hypothetically (if I understand correctly), perhaps a small amount of processing time/memory required to compile code could be decreased if a compiler doesn't have to interpret upper case as well as lower case in the code. I'm not suggesting this be adopted though. This isn't necessary or even practical. The shaved milliseconds are inconsequential for the person executing the compiler. If programmers were required to write code in all lowercase for a new compiler that is written to interpret only lower case code, then additional debugging program code would have to be written to convert the code to all lower case. This would defeat the purpose of writing a more efficient compiler. (Does this make sense?) :eek:

    Also, if I understand correctly, assembly language is extremely rule-oriented. Therefore I expect programmers, in general, prefer writing code in higher level languages because it saves them time and energy when their brains have to interpret the code, especially when they have to write and debug complex programs. Based on my very limited experience with programming long ago, I expect it would be much easier for me to interpret high level code such as Pascal or Fortran (the two languages I have had some experience with) or any other high level code than the particular assembly language I was exposed to around the same time. Heck! I can't even remember which particular assembly language I studied!


    After several "Preview Post" button clicks, proof-reads, and edits to make this post PROPERLY formatted, spelled, punctuated, capitalized, and grammatically correct, I will click the "Submit Reply" button and see if I can resist the temptation to clarify, fix typos, etc. :rolleyes:

    If anyone made it this far in my post, THaNK YoU for listening so attentively! :)
     
    Last edited: 2006/08/30
  12. 2006/08/30
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    :)

    Regards - Charles
     
  13. 2006/08/31
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    An attack is always a possibility, but from my reading and very small experience, would expect other evidence than simply that, such as attempts to damage windows, files, etc. or to take over the computer.
     
  14. 2006/09/01
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    tHanKs, Charles! :D Good to know my time and effort wasn't wasted!


    Sparrow, thanks. That's encouraging. My computer is running smoother than it ever has. :)

    Besides, I downloaded and installed Port Explorer yesterday morning and have been running it while online ever since. I have not seen any suspicious "phoning home" activity. Port Explorer is a GREAT program...FULL of features. Beats da heck outta TCPView!

    Two of those features:

    • Port Explorer displays hidden servers (a characteristic very rare in normal programs but very common in trojans, according to DiamondCS).
    • Port Explorer also supports logging (including logging of individual processes).
      • Port Explorer Page (with "Free Download" button)
      • Screenshots (Click on each image to view the enlarged screenshot.)
        Below the enlarged first screenshot, DiamondCS describes and briefly explains the color codes used for many of Port Explorer's displays.
     
  15. 2006/09/02
    JRosenfeld

    JRosenfeld Inactive

    Joined:
    2006/03/18
    Messages:
    110
    Likes Received:
    3
    For Folder type, it is at HKEY_CLASSES_ROOT\Folder
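
Added example (not part of any poster's reply): a Python sketch that reads text in the style of `reg query HKCR\Folder /s`, decodes the class's `EditFlags` value with the `FILETYPEATTRIBUTEFLAGS` bits from shlwapi.h (`FTA_NoEditVerb` and `FTA_NoRemoveVerb` are the bits that disable the dialog's Edit and Remove buttons), and lists any verb whose command is not Explorer.exe under `%SystemRoot%`. The sample text, its column layout, the `EditFlags` value and the `Scan` verb are constructed for illustration.

```python
import re

# FILETYPEATTRIBUTEFLAGS bits (shlwapi.h) that affect the File Types dialog.
FTA = {0x02: "FTA_Show", 0x08: "FTA_NoEdit", 0x10: "FTA_NoRemove",
       0x20: "FTA_NoNewVerb", 0x40: "FTA_NoEditVerb", 0x80: "FTA_NoRemoveVerb",
       0x100: "FTA_NoEditDesc", 0x200: "FTA_NoEditIcon", 0x400: "FTA_NoEditDflt"}

# Constructed sample; layout assumed, "Scan" is a hypothetical third-party verb.
SAMPLE = r"""
HKEY_CLASSES_ROOT\Folder
    <NO NAME>    REG_SZ    Folder
    EditFlags    REG_BINARY    D2030000

HKEY_CLASSES_ROOT\Folder\shell\explore\command
    <NO NAME>    REG_EXPAND_SZ    %SystemRoot%\Explorer.exe /e,/idlist,%I,%L

HKEY_CLASSES_ROOT\Folder\shell\open\command
    <NO NAME>    REG_EXPAND_SZ    %SystemRoot%\Explorer.exe /idlist,%I,%L

HKEY_CLASSES_ROOT\Folder\shell\Scan\command
    <NO NAME>    REG_SZ    C:\Temp\helper.exe "%1"
"""

VALUE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")   # indented value line
VERB_KEY = re.compile(r"\\shell\\([^\\]+)\\command$", re.I)

def parse(text):
    """Return (edit_flags or None, {verb: command}) from reg query text."""
    flags, verbs, key = None, {}, ""
    for line in text.splitlines():
        m = VALUE.match(line)
        if not m:
            key = line.strip() or key      # unindented line = current key path
            continue
        name, _rtype, data = m.groups()
        verb = VERB_KEY.search(key)
        if name == "EditFlags" and flags is None:
            # REG_BINARY is printed as hex bytes in little-endian order.
            flags = int.from_bytes(bytes.fromhex(data.strip()), "little")
        elif verb and name in ("<NO NAME>", "(Default)"):
            verbs[verb.group(1)] = data.strip()
    return flags, verbs

def decode_flags(flags):
    """Names of the FTA bits set in an EditFlags value."""
    return [n for bit, n in sorted(FTA.items()) if flags & bit]

def unexpected_verbs(verbs):
    """Verbs whose command does not start with Explorer.exe in %SystemRoot%."""
    ok = "%systemroot%\\explorer.exe"
    return sorted(v for v, c in verbs.items() if not c.lower().startswith(ok))
```

Verb names are returned exactly as stored in the registry, so lowercase `explore` and `open` keys print in lowercase here too.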
     
  16. 2006/09/03
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    To see port info and a great deal more, recommend www.grc.com and go to "shields up" and check everything you wish.
     
    Last edited: 2006/09/03
  17. 2006/09/03
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Last edited: 2006/09/03
