Hklmsoftwarewow6432node\microsoftmediaplayer shiminclusionlistbrowser.exe — что это такое?
Запись, которая появляется в следствии работы вируса на ПК, который может устанавливать и запускать браузер в фоновом режиме для выполнения определенных действий.
Данная запись может например обнаружиться при использовании утилиты AdwCleaner.
Эта запись означает что на ПК присутствует вирус, который возможно не так просто удалить.
Что это может быть за вирус:
- Показывает рекламу при помощи установки собственного браузера. При этом показывать может в скрытом режиме. Собственный браузер может быть на основе Яндекс Браузер, так как у него название процесса точно такое же (browser.exe).
- Выполнять другие действия, например автоматически просмотр сайтов, какие-то действия на сайтах, например регистрация аккаунтов и прочее.
Aliases
Aliases in the Windows 9x registry:
Always back up the registry first (yes, always)
Hopefully, this was your initial thought as well, but before you get into any of the specific to-dos outlined in the next several sections, start by backing up the registry.
Basically, this involves selecting the keys you’ll be removing or making changes to, or even the entire registry itself, and then exporting it to a REG file. See How to Back Up the Windows Registry if you need help.
If your registry edits don’t go well and you need to undo your changes, you’ll be very happy that you were proactive and chose to back up.
Avoid registry wow6432node redirection
Here is the working code I have developed to both read and write ONLY the 32-bit registry. It works in both 32-bit and 64-bit applications. The ‘read’ call updates the registry if the value is not set, but it is very obvious how to remove that. It requires .Net 4.0, and uses the OpenBaseKey/OpenSubKey methods.
I currently use it to allow a 64-bit background service and a 32-bit tray application to access the same registry keys seamlessly.
using Microsoft.Win32;
namespace SimpleSettings
{
public class Settings
{
private static string RegistrySubKey = @"SOFTWAREBlahCompanyBlahApp";
public static void write(string setting, string value)
{
using (RegistryKey registryView = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32))
using (RegistryKey registryCreate = registryView.CreateSubKey(RegistrySubKey))
using (RegistryKey registryKey = registryView.OpenSubKey(RegistrySubKey, true))
{
registryKey.SetValue(setting, value, RegistryValueKind.String);
}
}
public static string read(string setting, string def)
{
string output = string.Empty;
using (RegistryKey registryView = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32))
using (RegistryKey registryCreate = registryView.CreateSubKey(RegistrySubKey))
using (RegistryKey registryKey = registryView.OpenSubKey(RegistrySubKey, false))
{
// Read the registry, but if it is blank, update the registry and return the default.
output = (string)registryKey.GetValue(setting, string.Empty);
if (string.IsNullOrWhiteSpace(output))
{
output = def;
write(setting, def);
}
}
return output;
}
}
}
Usage:
Put this in it’s own class file (.cs) and call it as such:
using SimpleSettings;
string mysetting = Settings.read("SETTINGNAME","DEFAULTVALUE");
Backups and recovery
Windows supports several methods to back up and restore the registry:
Command line editing
The registry can be manipulated in a number of ways from the command line. The reg.exe utility tool is included in Windows XP and later versions of Windows. Alternative locations for legacy versions of Windows include the Resource Kit CDs or the original Installation CD of Windows.
Also, a .REG file can be imported from the command line with the following command:
regedit.exe /s fileCriticism
While offering improvements over application-specific .INI files, the organization and implementation of the registry also has potential problems. Criticisms include the following:
Equivalents in other operating systems
In contrast to the Windows registry’s binary-based database model, some other operating systems use separate plain-text files for daemon and application configuration, but group these configurations together for ease of management.
External links
az:Reestrcs:Registr Windowsfa:محضرخانه ویندوزko:윈도 레지스트리he:Registryhu:A Windows rendszerleíró adatbázisanl:Register (Windows)ja:レジストリpt:Registro do Sistemasq:Regjistri i sistemitsr:Регистар Мајкрософт виндоуза
Group policy
Windows 2000 and later versions of Windows use Group Policy to enforce Registry settings. Policy may be applied locally to a single computer using GPEdit.msc, or to multiple computers in a domain using gpmc.msc.
Hives
The Registry is split into a number of logical sections, or “hives”[4] (the reason the word hive was used is an in-joke).[5] Hives are generally named by their WindowsAPI definitions, which all begin “HKEY”. They are abbreviated to a three- or four-letter short name starting with “HK” (e.g. HKCU and HKLM).
Hkey_current_config (hkcc)
Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at the boot time. It is a link to HKEY_LOCAL_MACHINESystemCurrentControlSetHardware ProfilesCurrent.
Hkey_dyn_data
This key is used only on Windows 95, Windows 98 and Windows Me.[10] It contains information about hardware devices, including Plug and Play and network performance statistics. The information in this hive is also not stored on the hard drive.
Hkey_local_machine (hklm)
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are specific to the local computer.[9] On NT-based versions of Windows, HKLM contains four subkeys, SAM, SECURITY, SOFTWARE and SYSTEM, that are found within their respective files located in the %SystemRoot%System32config folder.
A fifth subkey, HARDWARE, is volatile and is created dynamically, and as such is not stored in a file. Information about system hardware drivers and services are located under the SYSTEM subkey, while the SOFTWARE subkey contains software and Windows settings.
How to add new registry keys and values
Randomly adding a new registry key or a collection of registry values probably won’t hurt anything, but it isn’t going to do you much good, either.
However, there are a few instances where you might add a registry value, or even a new registry key, to the Windows Registry to accomplish a very specific goal, usually to enable a feature or fix a problem.
For example, an early bug in Windows 10 made two-finger scrolling on the touchpad on some Lenovo laptops stop working. The fix involved adding a new registry value to a specific, pre-existing registry key.
No matter what tutorial you’re following to fix whatever issue, or add whatever feature, here’s how to add new keys and values to the Windows Registry:
Execute regedit to start Registry Editor. See How to Open Registry Editor if you need help.
On the left side of the editor, navigate to the registry key that you want to add another key to, usually referred to as a subkey, or the key you want to add a value to.
Once you’ve located the registry key you want to add to, you can add the key or value you want to add:
- If you’re creating a new registry key, right-click or tap-and-hold on the key it should exist under and choose New > Key. Name the new registry key and then press Enter.
- If you’re creating a new registry value, right-click or tap-and-hold on the key it should exist within and choose New, followed by the type of value you want to create. Name the value, press Enter to confirm, and then open the newly created value and set the Value data it should have.
Close the open Registry Editor window.
Restart your computer, unless you’re sure the new keys and/or values you’ve added won’t need a restart to do whatever it is they’re supposed to do. Just do it if you’re not sure.
Hopefully, whatever thing you were trying to accomplish with these registry additions worked out, but if not, check again that you added the key or value to the correct area of the registry and that you’ve named this new data properly.
How to delete registry keys & values
As crazy as it sounds, you might sometimes need to delete a registry key or value, most often to fix a problem, likely caused by a program that added a particular key or value that it shouldn’t have.
Don’t forget to back up, and then follow these steps exactly to remove a key or value from the Windows Registry:
Start Registry Editor by executing regedit from any command-line area in Windows. See How to Open Registry Editor if you need a bit more help than that.
From the left pane in Registry Editor, drill down until you locate the registry key that you want to delete or the key that contains the registry value you want to remove.
You can’t delete registry hives, the top-level keys you see in the editor.
Once found, right-click or tap-and-hold on it and choose Delete.
Remember that registry keys are a lot like the folders on your computer. If you delete a key, you’ll also delete any keys and values that exist within it! That’s great if that’s what you want to do, but if not, you may need to dig a bit deeper to find the keys or values you were really after.
Next, you’ll be asked to confirm the key or value deletion request, with either a Confirm Key Delete or Confirm Value Delete message, respectively, in one of these forms:
- Are you sure you want to permanently delete this key and all of its subkeys?
- Deleting certain registry values could cause system instability. Are you sure you want to permanently delete this value?
In Windows XP, these messages are slightly different:
- Are you sure you want to delete this key and all of its subkeys?
- Are you sure you want to delete this value?
Whatever the message, select Yes to delete the key or value.
Restart your computer. The kind of thing that benefits from a value or key removal is usually the kind of thing that requires a PC restart to take effect.
How to rename & make other changes to registry keys and values
Like you read above, adding a new key or value that doesn’t have a purpose doesn’t usually cause a problem, but renaming an existing registry key, or changing the value of an existing value, will do something.
Hopefully, that something is what you’re after, but we make this point to stress that you should be very careful when changing existing parts of the registry. Those keys and values are already there, presumably for a good reason, so make sure whatever advice you’ve gotten that led you to this point is as accurate as possible.
So long as you’re careful, here’s how to make different kinds of changes to existing keys and values in the Windows Registry:
Execute regedit to start Registry Editor. Anywhere you have command line access will work fine. See How to Open Registry Editor if you need help.
On the left side of Registry Editor, locate the key you want to rename or the key that contains the value you want to change in some way.
You can’t rename registry hives, the top-level keys in the Windows Registry.
Once you’ve located the part of the registry you want to make changes to, you can actually make those changes:
- To rename a registry key, right-click or tap-and-hold on the key and choose Rename. Give the registry key a new name and then press Enter.
- To rename a registry value, right-click or tap-and-hold on the value on the right and choose Rename. Give the registry value a new name and then press Enter.
- To change a value’s data, right-click or tap-and-hold on the value on the right and choose Modify…. Assign a new Value data and then confirm with the OK button.
Close Registry Editor if you’re done making changes.
Restart your computer. Most changes to the registry, especially those that impact the operating system or its dependent parts, won’t take effect until you’ve restarted your computer, or at least signed out and then back into Windows.
Keys and values
The registry contains two basic elements: keys and values.
Registry Keys are similar to folders – in addition to values, each key can contain subkeys, which may contain further subkeys, and so on. Keys are referenced with a syntax similar to Windows’ path names, using backslashes to indicate levels of hierarchy. E.g.
There are six Root Keys:
Manual editing
Windows 3.11 Registry Editor
The Windows registry can be edited manually using programs such as regedit.exe and regedt32.exe.
As a careless change could cause irreversible damage, a backup of the registry before editing is recommended by Microsoft.
A simple implementation of the current registry tool appeared in Windows 3.x, called the “Registration Info Editor” or “Registration Editor”. This was basically just a database of applications used to edit embedded OLE objects in documents.
Open registry directly to a given key?
I use a powerful macro program (QWin) all of the time, primarily to type frequently used things. QMenu also has the ability to RUN applications.
When I told the author, Gary Chanson, about regjump and asked if it might be possible to pass the clipboard contents as a command argument, he updated it to allow passing the contents of the clipboard buffer as a variable which means;
When I now copy any key to the clipboard, all I have to do is hit the kotkey for QMenu and type “J” to go directly to that key in Regedit.
However, while the above works in XP, in Win7/8 QMenu fails because of the os’ restrictions on running executables. While it would work by setting qMenu up as “RUN as admin” that required approving every keyboard macro that I called. Solution? Set QMenu up to RUN a shortcut for RegJump, and set the shortcut up to “RUN as admin. (you can pass an argument to a shortcut which will pass it on to the program it launches)
If QMenu sounds interesting, I have a page about using it at bevhoward.com/WinTools.htm
Note, while I have been using Gary’s tools for many years, different AV programs have flagged some of the files as infected… in the case of the updated QMenu, it got flagged by Avast, but the issue is supposed to be resolved with their next update.
Hope that this information is of value.
Beverly Howard
Programs or scripts
The registry can be edited through the APIs of the Advanced Windows 32 Base API Library (advapi32.dll).[16]
| List of Registry API functions | |||
|---|---|---|---|
| RegCloseKey | RegOpenKey | RegConnectRegistry | RegOpenKeyEx |
| RegCreateKey | RegQueryInfoKey | RegCreateKeyEx | RegQueryMultipleValues |
| RegDeleteKey | RegQueryValue | RegDeleteValue | RegQueryValueEx |
| RegEnumKey | RegReplaceKey | RegEnumKeyEx | RegRestoreKey |
| RegEnumValue | RegSaveKey | RegFlushKey | RegSetKeySecurity |
| RegGetKeySecurity | RegSetValue | RegLoadKey | RegSetValueEx |
| RegNotifyChangeKeyValue | RegUnLoadKey | ||
Many programming languages offer built-in runtime library functions or classes that enable programs to store settings in the registry (e.g. Microsoft.Win32.Registry in VB.NET and C#, or TRegistry in Delphi).
COM-enabled applications like Visual Basic 6 can use the WSHWScript.Shell object. Another way is to use the Windows Resource Kit Tool, Reg.exe by executing it from code,[17] although this is considered poor programming practice.
Similarly, scripting languages such as Perl (with Win32::TieRegistry), Windows Powershell and Windows Scripting Host also enable registry editing from scripts.
Why is this code not pulling from the wow6432node node in the registry?
I have an anyCpu app that’s an AddIn for Office. As such, it is running in 32-bit mode on my syste as I have 32-bit Office. The following code is not using the WOW6432Node in the registry;
using (RegistryKey keyLic = Registry.LocalMachine.OpenSubKey("Software\Windward Studios\Auto Tag"))
I know it’s not because on creating it creates it in “HKLMSoftwareWindward StudiosAuto Tag” and on reading it it gets the value in “HKLMSoftwareWindward StudiosAuto Tag”. There is no “HKLMSoftwareWOW6432NoneWindward Studios” node in the registry.
And to be double sure – I just did a evaluate of IntPtr.Size in the debugger. It returns 4.
Windows 3.11
The registry file is Reg.dat,system.dat and is stored in the C:WINDOWS directory.
Как быть с реестром (пишет в wow6432node)?
Пишу программку, которая работает с реестром.
Записываю данные сюда: “Softwaremy-firm”. Раньше так и писало. Теперь пишет в “SOFTWAREWow6432Nodemy-firm”. Это перенаправление WOW64.
Что произошло – не пойму даже… Ничего такого не делал. Как это отключить?
Как удалить вирус?
Информации в интернете мало. Однако инфа находится даже за 2021 год, поэтому возможно на данный момент — вирус удаляется антивирусными утилитами, ниже я напишу какими стоит проверить. Пока просто проанализируйте некоторые вещи у себя на компьютере:
Заключение
Выяснили:
- HKLMSoftwareWow6432Node\MicrosoftMediaPlayerShimInclusionListbrowser.exe — запись от вируса, который предположительно устанавливает собственный браузер для показа рекламы или выполнения действий в браузере.
- Сам браузер может работать в фоновом режиме. Возможно вирус браузер не устанавливает, а использует установленный. Стандартно среди браузеров процесс browser.exe принадлежит одному браузеру — от Яндекса.
Удачи.
