Misconfigured items

This tab displays the state of a few system configuration parameters that are frequently abused by malicious programs. If for some reason you don't want Browser Sentinel to alert you when a certain parameter becomes misconfigured, select the corresponding item and uncheck the "Notify when positive" option.

Please note that there are legitimate programs that can use the Windows features described below. Before fixing a positive item, make sure the item is not used by a legitimate program.



Shell Spawning. When you double-click a file to open it, Windows looks up the command associated with the file in the registry and then executes that command. Malicious programs can modify this command in the registry to have their own programs executed.

Browser Sentinel monitors the following registry keys to detect shell spawning:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command;
  • HKEY_CLASSES_ROOT\comfile\shell\open\command;
  • HKEY_CLASSES_ROOT\batfile\shell\open\command;
  • HKEY_CLASSES_ROOT\piffile\shell\open\command.


UserInit Hijack. The userinit registry setting contains the name of the file Windows executes when the user logs on. The file (userinit.exe) performs a few logon tasks, such as starting logon scripts and establishing network connections. Ultimately, userinit.exe starts Explorer.exe, the Windows user interface. A malicious program can substitute another file for userinit.exe to perform the operations it needs when the user logs on. The userinit registry setting is stored under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.


Shell Hijack. The Shell is the Windows Graphical User Interface (GUI) used to manage Windows, generally Windows Explorer (the Explorer.exe file). The shell is started by userinit.exe when a user logs on. A malicious program can change the corresponding registry entry to have its own file run instead of Explorer.exe. The shell registry setting is stored under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.


Trojan Explorer. Windows starts explorer.exe located in the Windows directory when a user logs on. However, if c:\explorer.exe exists, Windows will execute it instead of the one in the Windows directory.


Default search hook is missing. A URL Search Hook is used when you type an address in the location field of the browser, but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, it will use a URL Search Hook to try to find the location you entered. Windows provides the default search hook which is normally used to perform the search. A malicious program can delete the default hook to take control over the search procedure. The default search hook is the {CFBFAE00-17A6-11D0-99CB-00C04FD64497} CLSID stored as a value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks.


GINA DLL Hijack. GINA (Graphical Identification and Authentication) is a dynamic-link library that is part of the Windows interactive logon model. The interactive logon procedure is normally controlled by Winlogon, MSGina.dll and network providers. To alter the interactive logon procedure, MSGina.dll can be replaced with a customized GINA DLL. A spyware program can replace the standard GINA DLL to spy on user passwords or to perform additional tasks during the logon process. The GINA registry setting is stored under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.


User Style Sheet Hijack. A style sheet is a template that defines how the layout, colors, and fonts of an HTML page are displayed. A user style sheet is usually used by handicapped users. A hijacker can modify the default style sheet to display popups or redirect the browser requests. To modify the default style sheet you can either edit the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles or use the Control Panel: Internet Options -> Accessibility button -> "User style sheet".


Task Manager Disabled. A security policy that prevents users from starting Task Manager. If this policy is enabled and users try to start Task Manager, a message appears explaining that a policy prevents the action. Task Manager lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run. This policy can be abused by a hijacker to prevent the user from terminating its process. The policy can be enabled or disabled by modifying the value: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr.


Control Panel Disabled. A security policy that disables all Control Panel programs. This policy prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items. This policy also removes Control Panel from the Start menu. (To open Control Panel, click Start, point to Settings, and then click Control Panel.) This policy also removes the Control Panel folder from Windows Explorer. If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a policy prevents the action. This policy can be abused by a hijacker to hinder the user from modifying the Internet Options or from uninstalling a program. The policy can be enabled or disabled by modifying the value: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel. Note that you must restart Windows after modifying this value.


Registry Tools Disabled. A security policy that disables the Windows registry editors, Regedt32.exe and Regedit.exe. If this policy is enabled and the user tries to start a registry editor, a message appears explaining that a policy prevents the action. The policy can be abused by a hijacker to hinder the user from deleting the hijacker's entries in the registry. The policy can be enabled or disabled by modifying the value: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools.
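
The items described on this page can also be checked by hand with a read-only PowerShell audit. The script below is an added example, not Browser Sentinel's own code; the expected default values (the "%1" %* open command, userinit.exe in system32, explorer.exe as the shell, no GinaDLL value) and the GinaDLL value name are assumptions about a stock Windows installation, and the User Style Sheet item is left out.

```powershell
# Added example: read-only audit of the settings described on this page.
# The "expected" values are assumed stock-Windows defaults, not Browser Sentinel's rules.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$hookKey  = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
$hookId   = '{CFBFAE00-17A6-11D0-99CB-00C04FD64497}'

function Get-RegValue($Path, $Name) {
    # Emits nothing (i.e. $null) when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

# Shell Spawning: each open command should only pass the file and its arguments through.
foreach ($class in 'exefile', 'comfile', 'batfile', 'piffile') {
    $cmd = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command" '(default)'
    if ($cmd -ne '"%1" %*') { $findings += "Shell Spawning: $class open command is [$cmd]" }
}

# UserInit and Shell Hijack: compare against the stock Winlogon values.
$userinit = [string](Get-RegValue $winlogon 'Userinit') -replace '[,\s]+$', ''
if ($userinit -ne "$env:SystemRoot\system32\userinit.exe") { $findings += "UserInit Hijack: [$userinit]" }
$shell = Get-RegValue $winlogon 'Shell'
if ($shell -ne 'explorer.exe') { $findings += "Shell Hijack: [$shell]" }

# GINA DLL Hijack: GinaDLL is absent by default, so any other DLL is worth a look.
$gina = Get-RegValue $winlogon 'GinaDLL'
if ($gina -and $gina -ne 'msgina.dll') { $findings += "GINA DLL Hijack: [$gina]" }

# Trojan Explorer: a copy of explorer.exe in the root of C:.
if (Test-Path -LiteralPath 'C:\explorer.exe') { $findings += 'Trojan Explorer: C:\explorer.exe exists' }

# Default search hook: the CLSID must be present as a value name.
if ($null -eq (Get-RegValue $hookKey $hookId)) { $findings += 'Default search hook is missing' }

# Disabled-tool policies: a non-zero value means the policy is enabled.
foreach ($p in @(
        @{ Item = 'Task Manager';   Key = "$policies\System";   Name = 'DisableTaskMgr' },
        @{ Item = 'Control Panel';  Key = "$policies\Explorer"; Name = 'NoControlPanel' },
        @{ Item = 'Registry Tools'; Key = "$policies\System";   Name = 'DisableRegistryTools' })) {
    $value = Get-RegValue $p.Key $p.Name
    if ($value) { $findings += "$($p.Item) Disabled: $($p.Name) = $value" }
}

if ($findings) { $findings } else { 'No positive items found.' }
```

HKEY_CLASSES_ROOT is a merged view of machine-wide and per-user class registrations, and the HKEY_CURRENT_USER values are per-user, so run the script in the session of the user being checked. A reported item still needs the review described at the top of this page, since a legitimate program may have set it.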