pudelein
Posted July 3, 2010

I use Sysinternals Process Explorer (actually now a Microsoft product!) as a replacement for the normal Windows Task Manager. In my most recent scan, this morning, using database 5152, trace 2964, SAS detects "Security.Hijack [imageFileExecutionOptions]" as a malicious Registry key (actually two such).

The key reported is HKLM\Software\Microsoft\Windows NT\Current Version\ImageFileExtensionOptions\TaskMgr.exe. This key contains the data "Debugger" which contains "C:\Program Files\Sysinternals Tools\ProcessExplorer\procexp.exe". The path is local to my system; I keep a group of Sysinternals tools executables there.

It is NOT a hijack and should not be detected as such. It was not detected last week with what is apparently the same database, but with a different Trace (which I did not record, unfortunately).

Further data: I use Windows XP SP3 Home Edition; SAS 4.40.1002; Process Explorer 12.1.0.0 (used since November 2007).

SUPERAntiSpy
Posted July 3, 2010

I would simply trust that detection as many threats do the exact same thing.

paradj
Posted September 23, 2010

> I would simply trust that detection as many threats do the exact same thing.

not if what sas is looking at is wrong... maybe it needs to check and see exactly what is in those keys as opposed to what is assumed. any scanner worth its salt should verify the contents or its pointers and not just by the reg key placement. one of the aspects of process explorer that i value is its ability to verify running components. Please do more than just suspect the key value.

LxCi
Posted August 19, 2012

Administrator,

I also have this same message with the same SysInternals, now a part of Microsoft, "procexp.exe" with the option to replace the Task Manager of Windows which I have done. This should NOT be labeled as a threat much less a CRITICAL one. It is a valid Microsoft software created by Mark Russinovich when he had the company SysInternals, now added to Microsoft.

TIA,
CU L8R,
LxCi

LxCi
Posted August 19, 2012 (edited)

Administrator,

These are my versions copied from your website as I have just done an update this morning:

Core Definitions 9083 08/18/2012 01:10AM PDT 11584KB Download Installer
Trace Definitions 6895

TIA,
CU L8R,
LxCi

P.S. The entry "#Debugger" was entered by Process Explorer and added the path to my copy of SysInternals' program as quoted in previous message. Here is the log created by SuperAntiSpyware FREE Edition below the asterisk (*) line:

*************************************************************************************************************
SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 08/19/2012 at 07:39 AM

Application Version : 5.5.1012

Core Rules Database Version : 9083
Trace Rules Database Version: 6895

Scan type : Quick Scan
Total Scan Time : 00:04:40

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Limited User

Memory items scanned : 508
Memory threats detected : 0
Registry items scanned : 57490
Registry threats detected : 2
File items scanned : 10313
File threats detected : 0

Security.HiJack[imageFileExecutionOptions]
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE#Debugger

Edited August 19, 2012 by LxCi
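
The check paradj asks for (look at what the Debugger value points at, not only where the key sits) and the two entries in the scan log above can be verified by hand. The following is an added example, not part of any post in this thread and not SUPERAntiSpyware's detection logic: read-only PowerShell that lists every Image File Execution Options "Debugger" value and reports whether the target exists, its Authenticode status, signer and hash. `Get-DebuggerTarget` is a hypothetical helper name, and mapping the log's "(x86)" label to the WOW6432Node view is an assumption.

```powershell
# Added example: list IFEO "Debugger" redirections and inspect what each one points at.
# Read-only; nothing in the registry or on disk is modified.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows (assumed to be what the log's "(x86)" refers to)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-DebuggerTarget {
    # Hypothetical helper: extract the executable path from a Debugger command line.
    param([string]$CommandLine)
    # Quoted path first, then an unquoted path ending in .exe, then the first token.
    if ($CommandLine -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

$results = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $debugger = $key.GetValue('Debugger')
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }   # no redirection on this image

        $target = [Environment]::ExpandEnvironmentVariables((Get-DebuggerTarget $debugger))
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $target } else { $null }

        [pscustomobject]@{
            Image     = $key.PSChildName      # e.g. taskmgr.exe
            Debugger  = $debugger             # raw value as stored in the registry
            Target    = $target               # executable that actually launches instead
            Exists    = $exists
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = if ($exists) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash } else { '' }
        }
    }
}
$results | Sort-Object Image | Format-List
```

A missing, unsigned, or unexpectedly signed target for an image such as taskmgr.exe is what separates a redirection worth investigating from one a user set up deliberately; the key's location alone does not show which it is.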