In software field, we often are confused to the meaning of shell. In different situation it represents different stuff. Here, we define it as a kind of special way to start automatically. It is to replace a normal program with a special program, and in this special program you can arrange own codes before calling the original normal program. By this way, users are unnoticed to the tiny changes in execution of their program, and you can run own codes as long as the original normal program get chance to run. Undoubtedly, this method to start automatically is common in the world of spyware.

We once discussed the Although the Usually, the Userinit entry must include Userinit.exe. If, by any reason, Winlogon process could not launch the programs defined in Userinit entry, Winlogon process would directly go to process the executable files in another entry of same sub-key. The backup entry is named Shell. You maybe feel familiar. Yes, as you guess, its default value is Explorer.exe in Windows 2K/XP. The relationship of Userinit and Shell shows Userinit.exe should to do more than Explorer.exe. It seems to be the new form or new development of Explorer.exe in new operating system. The fact is as you estimate. Userinit.exe is responsible for the launch of program shell, and executes the script files for registration, re-establishes the network connections and then launches the Explorer.exe.

After understanding these, developers never feel regretful for Microsoft to ignore the In any operating system, there is only one program shell like Explorer.exe. It seems to hint that shell is not an ideal way to start automatically. If developer just copy a bunch of examples to hack Explorer.exe, of course, the spyware will be cleaned quickly. In fact, Explorer.exe is only a particular instance in shell family. In windows, developers have many chances to implement automatic starting with shell.

For example, you certainly have experience to use Word, a word process tool of Office. Besides starting it through menu or command line, you might invoke it by clicking a file with doc extension. Namely, when you want to deal with a file, Windows will try to find out what utility, usually program, is suitable to treat it. Operating systems do this decision depending on the data that maps a kind of file with a certain process program. The file type is described with its extension, such as exe, com, txt, and doc as we mentioned. In other word, each type of file is associated with its process program. If developers get mapping data, change an original program into own one. What will happen? Only a file of corresponding type is needed to process, spyware program will be activated. Definitely, developers can start spyware automatically by the feature of Windows.

Surely, you already guess where the mapping data is stored. In following sub-keys of registry, you can get some of them. As a matter of fact, file type of Windows can be defined under requirement, and many developers or company indeed create own file type. So the number of this kind of sub-key is various. However, because developers want to launch spyware depending on processing of other files, these files that lead to start automatically had better be in common types.

• HKEY_CLASSES_ROOT\exefile\shell\open\command
• HKEY_CLASSES_ROOT\regfile\shell\open\command
• HKEY_CLASSES_ROOT\txtfile\shell\open\command
• HKEY_CLASSES_ROOT\inifile\shell\open\command
• HKEY_CLASSES_ROOT\Scrfile\shell\open\command
• HKEY_CLASSES_ROOT\comfile\shell\open\command
• HKEY_CLASSES_ROOT\batfile\shell\open\command
• HKEY_CLASSES_ROOT\htafile\Shell\Open\Command
• HKEY_CLASSES_ROOT\piffile\shell\open\command

By default, the value of these sub-keys is “%1” %*. If one of them is changed to as “somefilename.exe %1” %*, Windows will automatically invoke the specified file when processing the file that happen to be in corresponding type.