Which of the following best describes a Windows Registry change that redirects the default program used to open common document types (such as .txt or .docx) to an unknown executable located in an unexpected directory?
It is standard behavior for legitimate third-party document viewers and can be safely ignored.
It is a recommended performance-optimization technique to speed up document loading.
It is a strong indicator of malware or unauthorized tampering that warrants immediate investigation.
It is typically harmless and often left over from normal Windows updates.
Redirecting default file associations in the Windows Registry to an unknown or suspicious executable is a classic persistence technique (MITRE ATT&CK T1546.001). Attackers use it so that whenever a user opens a normal document, the malicious program launches, often without the user noticing. Such changes are rarely legitimate and should be investigated immediately. Routine operating-system updates and legitimate software generally point file associations to known, signed executables located in standard paths.