COMMAND

    kernel

SYSTEMS AFFECTED

    Win32

PROBLEM

    Jim Murray found the following. Windows hides file types for some
    files even with HideFileTypes turned off. Do a search of your
    registry for the value "NeverShowExt", starting at:

        HKEY_LOCAL_MACHINE\Software\CLASSES\

    Which is mirrored at:

        HKEY_CLASSES_ROOT\

    Jim found that there were 10 occurrences on his (fairly UNLoaded)
    installation, ALL of which he has now changed to "AlwaysShowExt"!
    If you have much other M$ or Office software on your machine, you
    may find more, and it is quite easy for any program to conceal any
    file extension by this means!

        HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
        HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}
        HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}
        HKEY_LOCAL_MACHINE\Software\CLASSES\DocShortcut
        HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap
        HKEY_LOCAL_MACHINE\Software\CLASSES\lnkfile
        HKEY_LOCAL_MACHINE\Software\CLASSES\piffile
        HKEY_LOCAL_MACHINE\Software\CLASSES\InternetShortcut
        HKEY_LOCAL_MACHINE\Software\CLASSES\SHCmdFile
        HKEY_LOCAL_MACHINE\Software\CLASSES\ConferenceLink

    The first 3 are for the MAPIMail & DeskLink shortcuts, the 3rd
    one is for the My Documents folder. MapiMail is used for
    *automatically* sending mails, using whatever is the "default"
    email client (via sendmail.dll). DeskLink is (guess) used for a
    similar thing. The last 7 are self-explanatory(?) and one would
    venture to suggest that of these, DocShortcut, ShellScrap, lnk,
    pif, InternetShortcut & SHCmdFile ARE *definitely* "executable"!?

    In fact the "action" associated with these is:

        DocShortcut
        C:\WINDOZE\rundll32.exe shscrap.dll,OpenScrap_RunDLL /r /x %1
        ShellScrap
        C:\WINDOZE\rundll32.exe shscrap.dll,OpenScrap_RunDLL %1

    You can guess what the others do? Yup, you got it! - Iexplore.exe
    gets its mitts on them! So *anything* is possible!

    A little digging on the web revealed that this is a genuine issue,
    one that's been known about for some time. Just a couple of the
    links:

        http://www.pc-help.org/security/scrap.htm - Includes demo exploit
        http://www.stiller.com/shs.htm

    Note that you need to use regedit.exe, not regedt32.exe, to search
    for the 'NeverShowExt's. Also, you need to reboot for your
    changes to take effect.
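
    An added example, not part of the original advisory: an offline audit
    of a regedit.exe text export that lists every class key carrying
    "NeverShowExt" together with the command run when such a file is
    opened. The sample export is constructed, and the function names and
    the C:\WINDOWS path are assumptions.

```python
import re

# Constructed sample of a REGEDIT4 text export (regedit.exe, Export Registry
# File). Key names mirror the advisory; the values are illustrative only.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap\shell\open\command]
@="C:\\WINDOWS\\rundll32.exe shscrap.dll,OpenScrap_RunDLL %1"

[HKEY_LOCAL_MACHINE\Software\CLASSES\lnkfile]
@="Shortcut"
"NeverShowExt"=""

[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile]
@="Text Document"
'''

def unquote(data):
    # Strip the quotes from a string value and undo the \\ and \" escapes.
    quoted = len(data) >= 2 and data[0] == data[-1] == '"'
    return re.sub(r'\\(.)', r'\1', data[1:-1]) if quoted else data

def parse_reg(text):
    """Return {key_path: {value_name: data}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            current[name.strip('"')] = unquote(data)
    return keys

def hidden_extension_classes(keys):
    """List (class_key, open_command) for each key that has NeverShowExt."""
    lowered = {k.lower(): v for k, v in keys.items()}  # registry ignores case
    return [(path, lowered.get(path.lower() + r'\shell\open\command', {}).get('@'))
            for path, values in keys.items()
            if any(n.lower() == 'nevershowext' for n in values)]

if __name__ == '__main__':
    for path, cmd in hidden_extension_classes(parse_reg(SAMPLE_EXPORT)):
        print(f'{path}\n    open command: {cmd or "(not in this export)"}')
```

    Exports from later regedit versions are UTF-16 text, so decode the
    file before passing its contents to parse_reg.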

    One thing Dan Harkless discovered since he made the NeverShowExt
    -> AlwaysShowExt changes mentioned by the original author is that
    all shortcuts now have .lnk on the ends of their names. Kind of
    annoying (wish NTFS was a real file system that allowed links
    without this "hide the file extension" hack).

    It would be tempting to change .lnk back to NeverShowExt, but
    since shortcuts can include parameters to a pointed-to executable,
    what's to stop a malicious person from emailing a file called
    neatinfo.txt.lnk that's a link to something like
    "C:\dos\format.exe C:"? There are scarier examples as well, not
    requiring the user to have DOS installed or to have to approve the
    destructive action.

    On Win98SE the change:

        1) takes effect immediately (may need to "Refresh" a view)
        2) IE 5 thinks it's no longer the default viewer; if you allow
           it to set itself back, it adds "NeverShowExt" to the .url key

    Corel also has a number of hidden extensions.

SOLUTION

    Well, nothing... as it is a feature and not a bug :-)