What is the "IsolatedCommand" registry value? What purpose does it serve?
What you're seeing is apparently a symptom of Win32/FakeRean. Briefly,
Win32/FakeRean is a family of programs that claim to scan for malware and display fake warnings of malicious files. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
When Windows is trying to determine what to do with files of any given type, it generally consults the HKLM branch in the registry for an entry for the desired type. However, if you've ever installed software that asked if you wanted it to be available for you alone, or for all users of the machine, you've seen a feature that's built in to Windows. When you say "Everyone," its registry entries are generally written to the HKLM hive. If you said you alone, those entries generally go to the HKCU hive. What Win32/FakeRean is doing is putting entries in the HKCU hive which take precedence over those in HKLM. For executable files, that can be bad.
Unfortunately, I can't find any documentation for the IsolatedCommand key (I've consulted both TechNet and MSDN) but from its name, I'd guess that it controls how a process is created. I can tell you that it is normal and required in the HKLM hive.
I found this when searching about the same question:
http://www.infosecisland.com/blogview/19746-User-Assisted-Compromise-UAC.html
> Under command change the default value to "%1" %* just as it is in HKLM, and add a new String value called 'IsolatedCommand' with the same value as default. With these settings, very little has changed on the system or its operation.
> However, if we change the 'IsolatedCommand' String to 'notepad.exe' and attempt to 'Run As Administrator' on that system using any binary guess what happens? Notepad! (as Admin). w00t.
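Both answers above come down to the same check: whether a per-user (HKCU) copy of the executable shell-command keys exists and whether its default or IsolatedCommand value still matches the stock `"%1" %*`. The following PowerShell audit script is an added example, not code from the question, the answers or the linked article; it assumes the handlers live under `Software\Classes\exefile\shell\<verb>\command` (the standard location for `.exe` handlers, which the page itself does not spell out).

```powershell
# Added example: audit the HKLM and HKCU copies of the exefile shell command
# keys. HKCU entries override HKLM, so any HKCU entry is worth reviewing, and
# a default or IsolatedCommand value other than "%1" %* is flagged.
# Assumption: handlers are under Software\Classes\exefile\shell\<verb>\command.

$expected = '"%1" %*'
$verbs = 'open', 'runas'   # 'runas' is the "Run as administrator" verb

function Test-ExeShellCommand {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($verb in $verbs) {
            $path = "$($hive):\Software\Classes\exefile\shell\$verb\command"
            if (-not (Test-Path $path)) {
                if ($hive -eq 'HKCU') {
                    Write-Output ("{0,-10} {1} (absent; HKLM applies)" -f 'OK', $path)
                }
                continue
            }
            $key = Get-ItemProperty -Path $path
            foreach ($name in '(default)', 'IsolatedCommand') {
                $value = $key.$name
                if ($null -eq $value) { continue }
                $status = if ($value -ne $expected) { 'SUSPICIOUS' }
                          elseif ($hive -eq 'HKCU') { 'REVIEW' }   # override present
                          else { 'OK' }
                Write-Output ("{0,-10} {1}\{2} = {3}" -f $status, $path, $name, $value)
            }
        }
    }
}

Test-ExeShellCommand
```

Run it in an ordinary (non-elevated) session; a REVIEW line for HKCU means a per-user override exists, and a SUSPICIOUS line means the launch command no longer points at the file being opened.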