What is the "IsolatedCommand" registry value? What purpose does it serve?

7

1

I have been searching for an explanation for this undocumented registry key but all I could find was some reference to taking ownership or running as Administrator, without really explaining what that particular registry value (not key) is designed for.

I also found this link that suggests that:

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | IsolatedCommand = "%1" %*

is related to spyware. Is this true? If so, how?

Any idea what this "IsolatedCommand" value is about, and why would Microsoft create a registry value that would help spyware?

Android Eve

Posted 2010-09-12T20:18:15.913

Reputation: 687

Answers

2

What you're seeing is apparently a symptom of Win32/FakeRean. Briefly,

Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.

When Windows is trying to determine what to do with files of any given type, it generally consults the HKLM branch in the registry for an entry for the desired type. However, if you've ever installed software that asked if you wanted it to be available for you alone, or for all users of the machine, you've seen a feature that's built into Windows. When you say "Everyone," its registry entries are generally written to the HKLM hive. If you said you alone, those entries generally go to the HKCU hive. What Win32/FakeRean is doing is putting entries in the HKCU hive which take precedence over those in the HKLM. For executable files, that can be bad.

Unfortunately, I can't find any documentation for the IsolatedCommand key (I've consulted both TechNet and MSDN) but from its name, I'd guess that it controls how a process is created. I can tell you that it is normal and required in the HKLM hive.

BillP3rd

Posted 2010-09-12T20:18:15.913

Reputation: 5 353

Thanks for this great explanation. I have given you a +1 for that. Unfortunately however, I can't mark it "accepted answer" because I still don't know what the IsolatedCommand key means, for what purpose it has been conceived and how to use it. – Android Eve – 2010-09-17T15:44:44.930

Update: for lack of a better answer (3 months later...) I am accepting your answer. If a better answer comes along I will consider accepting it. – Android Eve – 2010-12-15T22:58:11.940

3

I found this when searching about the same question:

http://www.infosecisland.com/blogview/19746-User-Assisted-Compromise-UAC.html

> Under command change the default value to "%1" %* just as it is in HKLM, and add a new String value called 'IsolatedCommand' with the same value as default. With these settings, very little has changed on the system or its operation.

> However, if we change the 'IsolatedCommand' String to 'notepad.exe' and attempt to 'Run As Administrator' on that system using any binary guess what happens? Notepad! (as Admin). w00t.

GeePokey

Posted 2010-09-12T20:18:15.913

Reputation: 31
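The two answers above describe the same mechanism from two sides: a per-user HKCU\Software\Classes override shadows the machine-wide HKLM entry for a file type, and whatever is in the IsolatedCommand string of that override is what runs when the user elevates. The practical check is therefore to enumerate per-user command keys for executable file classes and flag any (Default) or IsolatedCommand string that is not the stock "%1" %* template, or that differs from the HKLM copy. The script below is an added example written for this page; it is not from either answer or from the linked article. The list of classes and verbs it inspects (.exe, exefile, .bat, batfile, .cmd, cmdfile; open and runas) is an assumption about which handlers are worth auditing, not something the original posts enumerate.

```powershell
# Added example (not from the original posts): audit per-user (HKCU) shell command
# overrides for executable file classes and flag anything that is not the stock
# "%1" %* template or that diverges from the machine-wide (HKLM) value.
# Run as the interactive user whose hive is being inspected.

$expected = '"%1" %*'
# Assumption: these classes and verbs are the handlers worth checking; the post
# itself only names .exe\shell\open\command and the "Run as administrator" path.
$classes  = @('.exe', 'exefile', '.bat', 'batfile', '.cmd', 'cmdfile')
$verbs    = @('open', 'runas')

function Get-CommandValues {
    param([string]$Root, [string]$Class, [string]$Verb)
    $path = Join-Path $Root "$Class\shell\$Verb\command"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path            = $path
        Default         = $item.'(default)'      # the normal verb command line
        IsolatedCommand = $item.IsolatedCommand  # the string used on elevation
    }
}

foreach ($class in $classes) {
    foreach ($verb in $verbs) {
        $user = Get-CommandValues -Root 'HKCU:\Software\Classes' -Class $class -Verb $verb
        if ($null -eq $user) { continue }   # no per-user override, nothing shadows HKLM
        $machine = Get-CommandValues -Root 'HKLM:\Software\Classes' -Class $class -Verb $verb

        Write-Host "Per-user override present: $($user.Path)"
        foreach ($name in 'Default', 'IsolatedCommand') {
            $val = $user.$name
            if ([string]::IsNullOrEmpty($val)) { continue }
            $status = if ($val.Trim() -eq $expected) { 'stock template' } else { 'SUSPICIOUS' }
            Write-Host ("  {0,-16} {1,-14} {2}" -f $name, $status, $val)
            if ($machine -and $machine.$name -and $machine.$name -ne $val) {
                Write-Host ("  {0,-16} differs from HKLM: {1}" -f '', $machine.$name)
            }
        }
    }
}
```

The mere existence of any of these keys under HKCU\Software\Classes is already worth a look, since a clean profile normally has no per-user handler for executable file types at all; a value of `notepad.exe` (as in the linked article) or a path into a temp or profile directory (as in the FakeRean case) is the tell. To remediate, delete the HKCU override so the HKLM entry is consulted again, rather than editing the HKCU value in place.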