The Windows “App Paths” Registry Key

This was news to me. Basically, an application does not have to live in a directory on your PATH to be launched by its executable name alone from Start > Run (or anything else that goes through ShellExecute; a cmd.exe prompt does not consult this mechanism).

For example, on my x64 Windows 7 machine, WordPad is located at:

C:\Program Files\Windows NT\Accessories\wordpad.exe

That directory is *not* in my PATH environment variable. But I can go to Start > Run, type wordpad, and it launches.

Why does this work? Because of “App Paths”, a registry key that maps a short executable name to the full path Windows should run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

Helge Klein explains it at http://helgeklein.com/blog/2010/08/how-the-app-paths-registry-key-makes-windows-both-faster-and-safer/

Why can you start Mozilla Firefox by typing “firefox” in the Run dialog and pressing Enter? Firefox.exe is not located in any directory in the path. The same with Outlook (type “outlook”), PowerShell (“powershell”), VMware Workstation (“vmware”) or Adobe Reader (“acrord32”). This “magic application starting thingy” works because of a little-known Windows feature based on the “App Paths” registry key.

Microsoft's Raymond Chen has more detail on the feature and on the history of why the “App Paths” registry key was created in the first place.

http://blogs.msdn.com/b/oldnewthing/archive/2011/07/25/10189298.aspx

Also note that malware could abuse this: nothing requires the registered name to match the executable it points to, so a key named after a trusted program can quietly launch something else. Raymond Chen explains:

Now, the intent was that the registered full path to the application is the same as the registered short name, just with a full path in front. For example, wordpad.exe registers the full path of %ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE.

But there’s no check that the two file names match. The Pbrush folks took advantage of this by registering an application path entry for pbrush.exe with a full path of %SystemRoot%\System32\mspaint.exe: That way, when somebody types pbrush into the Run dialog, they get redirected to mspaint.exe.
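Because the subkey name and the (Default) value are never checked against each other, the practical defensive move is to enumerate the App Paths entries on a machine and flag the ones where they disagree, or where the target sits somewhere an ordinary user can overwrite. The script below is an added example, not code from the post, from Helge Klein or from Microsoft. It assumes the layout the post describes (one subkey per short name, the full path in the subkey's default value); the registry-reading part needs Windows, while the classification logic is pure Python and is exercised here on a constructed sample list rather than data from any real machine.

```python
"""Audit Windows "App Paths" entries for names that do not match their targets.

Added example, not code from the post or from Microsoft. It assumes the layout
the post describes: one subkey per short name (e.g. "pbrush.exe") under
...\CurrentVersion\App Paths, with the subkey's (Default) value holding the
full path that actually runs. Registry access needs Windows; the audit logic
itself is pure Python and runs anywhere on a list of (hive, name, target) tuples.
"""
import ntpath
import sys

APP_PATHS = r"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"

# Targets under these locations can be replaced by an unprivileged user, so an
# App Paths entry pointing there lets anyone hijack the short name.
USER_WRITABLE_HINTS = ("%userprofile%", "%appdata%", "%localappdata%",
                       "%temp%", "%tmp%", "\\appdata\\", "\\temp\\")


def normalize_target(value):
    """Drop surrounding quotes and whitespace; leave %VAR% references as written."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1].strip()
    return value


def classify(key_name, target):
    """Return the reasons an App Paths entry deserves a look (empty list = fine).

    key_name: the subkey name, i.e. what the user types in Start > Run
    target:   the subkey's (Default) value, i.e. what Windows actually launches
    """
    reasons = []
    path = normalize_target(target)
    exe = ntpath.basename(path)
    if not exe:
        return ["empty target"]
    # Compare stems so "pbrush" and "pbrush.exe" both count as matching pbrush.exe.
    if ntpath.splitext(exe)[0].lower() != ntpath.splitext(key_name)[0].lower():
        reasons.append(f"name mismatch: '{key_name}' launches '{exe}'")
    lowered = path.lower()
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        reasons.append("target lives under a user-writable location")
    return reasons


def audit(entries):
    """Run classify() over (hive, key_name, target) tuples; return only flagged ones."""
    findings = []
    for hive, key_name, target in entries:
        reasons = classify(key_name, target)
        if reasons:
            findings.append((hive, key_name, target, reasons))
    return findings


def read_app_paths():
    """Enumerate App Paths from the registry. Windows only (needs winreg).

    Besides the HKLM key the post names, ShellExecute also honours the per-user
    copy under HKCU and, on 64-bit Windows, the 32-bit view under Wow6432Node,
    so all three are read.
    """
    import winreg
    roots = [
        ("HKLM", winreg.HKEY_LOCAL_MACHINE, APP_PATHS),
        ("HKLM\\Wow6432Node", winreg.HKEY_LOCAL_MACHINE,
         r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths"),
        ("HKCU", winreg.HKEY_CURRENT_USER, APP_PATHS),
    ]
    entries = []
    for label, hive, subkey in roots:
        try:
            root = winreg.OpenKey(hive, subkey)
        except OSError:
            continue  # this view does not exist on this machine
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, name) as sub:
                        target, _ = winreg.QueryValueEx(sub, "")
                except OSError:
                    target = ""  # subkey has no (Default) value
                entries.append((label, name, str(target)))
    return entries


# Constructed sample, not taken from any real machine: the two cases Raymond
# Chen describes plus a hypothetical entry that points into a user profile.
SAMPLE_ENTRIES = [
    ("HKLM", "wordpad.exe", r'"%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"'),
    ("HKLM", "pbrush.exe", r"%SystemRoot%\System32\mspaint.exe"),
    ("HKCU", "firefox.exe", r"C:\Users\alice\AppData\Roaming\updater\firefox.exe"),
]


def main():
    entries = read_app_paths() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hive, name, target, reasons in audit(entries):
        print(f"{hive}\\...\\App Paths\\{name} -> {target}")
        for reason in reasons:
            print(f"    {reason}")


if __name__ == "__main__":
    main()
```

Run it on a Windows box to get the live list; elsewhere it reports on the sample, where pbrush.exe is flagged for the mismatch Chen describes and the HKCU firefox.exe entry for living under a user profile. A mismatch is not automatically malicious (the pbrush case is Microsoft's own), so treat the output as a review list rather than an alert.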
