Thursday, May 7, 2009
Q&A: Windows 7 File Extension Hiding Posted by Mikko @ 14:25 GMT

We got plenty of good comments on the previous blog post about Windows 7, including feedback from people who are actually working in the Explorer development team at Microsoft.

Many of the comments included questions on the topic, so here's a Q&A:

Q: What is this all about?
A: It's about Windows, by default, hiding file extensions such as .EXE. Virus writers exploit this by creating malicious files with double extensions (PICTURE.JPG.EXE, which Explorer then displays as PICTURE.JPG). Such a file would typically also use a misleading icon.

Q: How long has Windows Explorer been hiding file extensions "For known file types"?
A: Since Windows NT.

Q: Why do they do it?
A: We don't know.

Q: Is this a real risk? If a user already has such a file on his hard drive, it's too late, right?
A: Not really. The file could have come from the Internet, from a file share or a removable drive and the user hasn't necessarily executed it yet.

Q: But if the file came from the Internet, Explorer will warn you that it came from an "Untrusted Zone"!
A: Only if you use Internet Explorer to browse the web and Outlook to download your e-mail attachments. There are plenty of other ways to download files from the net: third-party web and e-mail clients, BitTorrent and other P2P clients, chat programs etc. Also, you can't rely on such warning dialogs if the file is on a network share or a USB drive.


Q: There is no problem. Even in your own screenshot the file is labeled by Explorer as "Application"! Thus, nobody would click on it. Even though the file is called something.txt. And it has the icon of a text file.
A: Right…

Q: Do real worms really use such filenames?
A: Oh yes. They typically spread by copying themselves with tempting filenames to random folders on removable drives or network shares, with filenames along these lines:


Many would click on these, especially if the icon of the file looks like a document icon — and when Windows hides the ".exe" part of the name.
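An added example (not code from the original post) of the defender's side of this: a PowerShell function that scans a removable drive or share for files whose real extension is executable but whose name, once Explorer drops the last extension, looks like a picture or document. The extension lists are assumptions chosen for this example, not a complete list of what Windows will run.

```powershell
# Added example: find executables disguised with a document-style inner extension.
# Both lists are assumptions for this example, not exhaustive.
$ExecutableExtensions = @('.exe', '.pif', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js')
$DecoyExtensions      = @('.jpg', '.jpeg', '.gif', '.png', '.txt', '.doc', '.pdf', '.zip', '.mp3', '.avi')

function Find-DisguisedExecutable {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # -Force includes hidden files; worms frequently set the hidden attribute on their copies.
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $realExt = $_.Extension.ToLowerInvariant()
            if ($ExecutableExtensions -notcontains $realExt) { return }

            # What Explorer shows with "Hide extensions for known file types" on (or always,
            # for .pif): the last extension is dropped, so PICTURE.JPG.EXE displays as PICTURE.JPG.
            $shown    = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            $innerExt = [System.IO.Path]::GetExtension($shown).ToLowerInvariant()

            if ($DecoyExtensions -contains $innerExt) {
                [PSCustomObject]@{
                    FullName      = $_.FullName
                    DisplayedAs   = $shown
                    RealExtension = $realExt
                    Hidden        = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                    SizeBytes     = $_.Length
                }
            }
        }
}

# Usage: point it at a removable drive or a share root (path is an example).
Find-DisguisedExecutable -Path 'E:\' -Recurse | Format-Table -AutoSize
```

The function reports the name a user would actually see next to the real extension, which is the mismatch that makes these files work; it does not open or execute anything it finds.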

Q: So, the solution is turn off "Hide extensions for known file types" in Explorer settings?
A: Yeah.

Windows 7 Folder Options

Q: Will that make all file extensions visible?
A: Well, no. There are executable extensions that will STILL be hidden even if you turn the option off.

Q: What?
A: For example PIF. This file type was meant to be a shortcut to old MS-DOS programs. Problem is, you can rename any modern Windows executable to .PIF and it will happily run when double-clicked.

For example, the Scamo worm uses exactly this flaw, dropping files such as these:


Q: How do I make PIF files visible then?
A: Via a registry value called "NeverShowExt". We'd link you to an article in the Microsoft Knowledge Base… except we couldn't find any. But here's a Web page on the topic, from GeoCities, made by some hobbyist a couple of years ago. Maybe it's the best source of information on the topic.
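Since the post points only to a hobbyist page for this, here is an added PowerShell example (not from the original post) that reads the relevant settings on the machine you run it on: the Explorer "Hide extensions for known file types" value (HideFileExt under HKCU\...\Explorer\Advanced) and every file type whose ProgID carries a NeverShowExt value, which is what keeps .pif hidden regardless of that option. It assumes the standard layout of HKCR\.ext keys pointing at a ProgID such as piffile; the Remove-ItemProperty line at the end is left commented so the script only reports.

```powershell
# Added example: audit which extensions Explorer hides, and why.
function Get-HiddenExtensionPolicy {
    $advanced  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hideKnown = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    $effect = if ($hideKnown -eq 0) { 'known extensions shown' } else { 'last known extension hidden' }
    [PSCustomObject]@{
        Setting = 'HideFileExt (Hide extensions for known file types)'
        Value   = $hideKnown
        Effect  = $effect
    }
}

function Get-NeverShowExtTypes {
    # Walk the extension keys (HKCR\.xxx), resolve each to its ProgID and look for
    # NeverShowExt on either the extension key or the ProgID key.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $ext     = $_.PSChildName
            $extKey  = $_.PSPath
            $extProp = Get-ItemProperty -LiteralPath $extKey -ErrorAction SilentlyContinue
            $progId  = $extProp.'(default)'
            $where   = @()

            if ($extProp.PSObject.Properties.Name -contains 'NeverShowExt') { $where += $ext }

            if ($progId) {
                $progKey = "Registry::HKEY_CLASSES_ROOT\$progId"
                if (Test-Path -LiteralPath $progKey) {
                    $progProp = Get-ItemProperty -LiteralPath $progKey -ErrorAction SilentlyContinue
                    if ($progProp.PSObject.Properties.Name -contains 'NeverShowExt') { $where += $progId }
                }
            }

            if ($where.Count -gt 0) {
                [PSCustomObject]@{ Extension = $ext; ProgId = $progId; NeverShowExtOn = ($where -join ', ') }
            }
        }
}

Get-HiddenExtensionPolicy
Get-NeverShowExtTypes | Sort-Object Extension | Format-Table -AutoSize

# To make .pif visible (the change the answer above describes), delete the value from the
# ProgID and restart Explorer. Needs an elevated prompt; review the list first, since
# shortcuts (.lnk) rely on the same mechanism and most people want those left alone.
# Remove-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\piffile' -Name NeverShowExt
```

Expect .lnk and .pif to appear in the list on a default install; anything else there is worth a second look, because a NeverShowExt value on an executable type gives exactly the disguise the post describes.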

Q: Do you still expect Microsoft to change the behavior of Explorer in Windows 7?
A: No, not really.

Bottom line: We still fail to see why Windows insists on hiding the last extension in the filename. It's just misleading.
