FileExts

Overview

Evidence: FileExts
Description: Enumerate FileExts
Category: System
Platform: windows
Short Name: fileexts
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows maintains per-user file extension associations that track which programs are used to open specific file types. This includes the OpenWithList (programs used to open the extension), OpenWithProgids (program identifiers), and UserChoice (user-selected default program).

Changes to file associations can indicate user preference changes or potential malware that associates itself with specific file types for persistence or execution.

Data Collected

This collector gathers structured data about fileexts.

FileExts Data

Field	Description	Example
KeyPath	Registry key path	Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.docx
LastWriteTime	Registry key last write time	2023-10-15T14:30:00
Username	User account name	user
Extension	File extension	.docx
OpenWithList	Comma-separated list of programs	WINWORD.EXE,notepad.exe
OpenWithProgIDs	Comma-separated program IDs	Word.Document.12,txtfile
UserChoice	User-selected default program	Word.Document.12
RegPath	Path to registry hive	Registry/ntuser.dat

Collection Method

This collector:

• Collects user registry hives (ntuser.dat)
• Searches for: Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\*
• For each extension, reads:
  • OpenWithList MRU
  • OpenWithProgids value names
  • UserChoice ProgId
• Filters out non-extension keys (must start with ”.”)

Forensic Value

File extension associations can reveal user preferences and detect malicious associations. Investigators use this data to identify suspicious program associations, detect malware hijacking file extensions, track user’s preferred applications, identify attempts to open malicious file types, detect persistence via file association, and analyze user behavior with specific file types.