Regedit is associated with .reg files

Risk Level: Medium

Check or Attack Name: regfile

Platforms: Windows NT
Description:

Regedit.exe was found associated with registry (.reg) files. An attacker can mail a .reg file to a user or place one on the system; when the file is opened (for example by double-clicking it), regedit.exe merges its contents into the registry, letting the attacker add, change, or delete keys and values.

Remedy:

Associate the .reg file name extension with a text editor:

Windows NT: Change the association from the File Types dialog box:

  1. Open My Computer.
  2. From the View menu, select Folder Options.
  3. Click the File Types tab.
  4. In the registered file types list, locate and select Registration Entries.
  5. Click Edit.
  6. In the Actions list, click the first action.
  7. Click Edit.
  8. Change all references of regedit.exe to a text editor, such as notepad.exe or wordpad.exe. Click OK.
  9. Repeat steps 6-8 for all actions in the Actions list.
  10. Click OK, then click Close twice to apply the changes.

Windows 95: Because an association set from the File Types dialog box may revert to its previous value (see the reference below), either remove the association and add it again, or change it directly in the registry:

  1. Open Registry Editor. From the Start menu, select Run, type regedit (on Windows NT, regedt32), and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\Software\Classes\regfile\shell\open\command key.
  3. Double-click the value that is similar to <No Name> : REG_SZ : regedit.exe %1 to display the String Editor.
  4. Change the regedit.exe entry to notepad.exe. Do not alter any other portion of the string.
  5. Click OK.

See the references for more information.

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

—AND—

Set appropriate registry permissions to prevent non-administrators from changing the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command key or its values.

After the association has been changed, a .reg file that you did not expect appearing in your text editor (instead of being merged) may indicate an attack in progress against your system; inspect its contents and do not merge it.
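The remedy above is given as click-by-click instructions for Windows NT and Windows 95. The following PowerShell script is an added example, not part of the ISS X-Force entry, that performs the same check and remedy on a current Windows host: it lists every verb registered under the regfile class, flags those that still hand the file to regedit.exe, swaps only the executable for a text editor (leaving the "%1" argument untouched, as the page instructs), and reports which identities other than the built-in administrative principals can write the open\command key. It assumes an elevated PowerShell 5.1 or later session; the registry paths are the documented ones for the regfile class, and the function names and the list of trusted principals are this example's own choices.

```powershell
# Added example (not from the ISS X-Force page): audit and harden the .reg
# file association. Run from an elevated prompt. Assumes PowerShell 5.1+.

$RegFileShell = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell'

function Get-RegFileVerb {
    # One object per registered verb (open, edit, print, ...) with its command
    # line and a flag telling whether it still invokes regedit.exe.
    Get-ChildItem -Path $RegFileShell | ForEach-Object {
        $cmdKey = "$RegFileShell\$($_.PSChildName)\command"
        if (Test-Path -Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            [pscustomobject]@{
                Verb        = $_.PSChildName
                Command     = $cmd
                UsesRegedit = [bool]($cmd -match '(?i)regedit(\.exe)?')
            }
        }
    }
}

function Set-RegFileVerbToEditor {
    # Re-point every verb that uses regedit.exe at a text editor. Only the
    # executable (with any path and surrounding quotes) is replaced; the rest
    # of the string, including "%1", is kept exactly as the page requires.
    param([string]$Editor = 'notepad.exe')   # assumption: Notepad is the editor
    foreach ($v in Get-RegFileVerb | Where-Object UsesRegedit) {
        $cmdKey = "$RegFileShell\$($v.Verb)\command"
        $new = $v.Command -replace '(?i)^("?)[^"]*?regedit(\.exe)?("?)', "`${1}$Editor`${3}"
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $new
        Write-Output "$($v.Verb): '$($v.Command)' -> '$new'"
    }
}

function Get-RegFileWriters {
    # Second half of the remedy: show who, apart from the trusted principals
    # below (an assumed list), holds write rights on the open\command key.
    $trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
               'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
    $write = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey
    $acl = Get-Acl -Path "$RegFileShell\open\command"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $write) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    } | Select-Object IdentityReference, RegistryRights, IsInherited
}

# Usage: audit first, then change the association, then confirm the ACL.
Get-RegFileVerb | Format-Table -AutoSize
Set-RegFileVerbToEditor
Get-RegFileWriters | Format-Table -AutoSize
```

Two caveats worth checking after running it. HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\Software\Classes takes precedence over HKEY_LOCAL_MACHINE\Software\Classes, so a per-user regfile class (or a per-user file-association override in Explorer) can quietly reintroduce the regedit association for that user even when the machine-wide key is correct. And the change only affects what happens when the file is opened from the shell; a .reg file can still be merged by running regedit.exe with the file (or with the /s switch, which suppresses the confirmation prompt that later Windows versions display), so the association change limits the double-click attack path rather than removing regedit's ability to merge files.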

References:

Microsoft Knowledge Base Article Q132664, Changing Association in File Types Dialog Box May Not Work, http://support.microsoft.com/support/kb/articles/q132/6/64.asp

