You can also enable auditing on registry keys (just like on files). You might be able to track down when/what is changing the value.
Cheers
Ken

From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 18 March 2008 10:50 PM
To: NT System Admin Issues
Subject: RE: Strange excel registry string

I've only been able to find 2 forum threads regarding this, and neither are conclusive:

Russian forum:
http://translate.google.com/translate?hl=en&sl=ru&u=http://forum.windowsfaq.ru/showthread.php%3Ft%3D84442&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3D%2522MKKSkEXCELFiles%2522%26hl%3Den%26safe%3Doff%26rls%3Dcom.microsoft:*%26sa%3DG

Chinese forum:
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://bbs.onegreen.net/dispbbs.asp%3FboardID%3D2%26ID%3D10419%26page%3D1&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dl2xaTO5%26hl%3Den%26safe%3Doff%26rls%3Dcom.microsoft:*

On Mon, Mar 17, 2008 at 4:06 PM, Oliver Marshall <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> wrote:

Hi chaps.

I'm running Office 2007 on my Vista box, and every now and again (prob once a day or so) Excel refuses to open any Excel files (xls, xlsx, csv etc) whether it's from a file location or from an attachment.

Each time this happens the HKCR\Excel.sheet.12\shell\open\command key contains this string;

w_1^VX!!!!!!!!!MKKSkEXCELFiles>[EMAIL PROTECTED] /e

Removing this solves the issue. This doesn't look like a normal reg entry. Anyone know what might be causing this?

Olly

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~

--
ME2

Could it be another attack vector on the newly announced Excel vulnerabilities?

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-----Original Message-----
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
Sent: Monday, March 17, 2008 4:45 PM
To: NT System Admin Issues
Subject: Re: Strange excel registry string
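
The registry auditing suggested at the top of this thread, as an added PowerShell example that is not part of the original messages. It assumes an elevated prompt on an English-language system, that the HKCR key is backed by the machine-wide hive under HKLM\SOFTWARE\Classes, and that auditing writes by Everyone (SID S-1-1-0) is acceptable; the variable names are illustrative.

```powershell
# Added example: audit writes to the Excel open-command key, then report
# which process and account changed it. Run from an elevated prompt.
$keyPath = 'HKLM:\SOFTWARE\Classes\Excel.Sheet.12\shell\open\command'  # assumed backing key for HKCR

# 1. Turn on the Registry object-access audit subcategory (success events).
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 2. Add an audit entry (SACL) to the key for value writes and deletes.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $keyPath -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. After the problem recurs, list event 4657 (registry value modified)
#    entries for this key from the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['ObjectName'] -like '*\Excel.Sheet.12\shell\open\command') {
            [pscustomobject]@{
                Time     = $evt.TimeCreated
                User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process  = $data['ProcessName']
                OldValue = $data['OldValue']
                NewValue = $data['NewValue']
            }
        }
    } | Format-List
```

The Process field in the output names the executable that wrote the value, which is the "what" the auditing is meant to reveal; the timestamp gives the "when".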
