Here the C# code to List all windows file extensions, highlighting suspect extensions that may link to malware.
If you need commercial license, email me. Contact as validated today, .Free for personal use.
Download WinExts.7z
Source Code:
using System; using System.Collections.Generic; using System.Linq; using System.Text; using Microsoft.Win32; //************************************************************************************************* // Fri 13-Mar-26 3:25pm EDT MetadataConsulting.ca - // List all Windows file extensions (.txt, etc), and flag suspicious or non‑Unicode‑safe extensions // = Non‑ASCII characters // = Control characters // = Invisible characters // = Unicode homoglyphs (e.g., Cyrillic “а” instead of Latin “a”) // = Anything outside the normal [A–Z0–9._-] pattern //************************************************************************************************* namespace ListAllExtensionsinRegistry { class Program { static void Main() { var all = GetAllExtensionsMatchingPowerShell(); // Sort output var sorted = new List<string>(all); sorted.Sort(StringComparer.OrdinalIgnoreCase); // Determine padding width for extension column int maxExtLen = 0; foreach (var ext in sorted) if (ext.Length > maxExtLen) maxExtLen = ext.Length; Console.WriteLine( "Extension".PadRight(maxExtLen + 2) + "Program".PadRight(40) + "FriendlyTypeName".PadRight(40) + "Open Command" ); foreach (var ext in sorted) { bool suspicious = IsSuspicious(ext); string displayExt = suspicious ? ext + " *???" : ext; string progId = GetAssociatedProgram(ext); if (string.IsNullOrEmpty(progId)) progId = "(none)"; string friendly = GetFriendlyTypeName(progId); if (string.IsNullOrEmpty(friendly)) friendly = "(none)"; string openCmd = GetOpenCommand(progId); if (string.IsNullOrEmpty(openCmd)) openCmd = "(none)"; Console.WriteLine( displayExt.PadRight(maxExtLen + 3) + progId.PadRight(40) + friendly.PadRight(40) + " " + openCmd ); } } static HashSet<string> GetAllExtensionsMatchingPowerShell() { var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase); // HKCR (merged) AddFromView(set, RegistryHive.ClassesRoot, RegistryView.Registry64); AddFromView(set, RegistryHive.ClassesRoot, RegistryView.Registry32); // HKLM\Software\Classes AddFromView(set, RegistryHive.LocalMachine, RegistryView.Registry64, @"Software\Classes"); AddFromView(set, RegistryHive.LocalMachine, RegistryView.Registry32, @"Software\Classes"); // HKCU\FileExts AddFromView(set, RegistryHive.CurrentUser, RegistryView.Registry64, @"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"); AddFromView(set, RegistryHive.CurrentUser, RegistryView.Registry32, @"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"); return set; } static void AddFromView(HashSet<string> set, RegistryHive hive, RegistryView view, string subKeyPath = null) { try { using (var baseKey = RegistryKey.OpenBaseKey(hive, view)) using (var key = subKeyPath == null ? baseKey : baseKey.OpenSubKey(subKeyPath)) { if (key == null) return; foreach (var name in key.GetSubKeyNames()) { try { if (name.StartsWith(".")) set.Add(name); } catch { } } } } catch { } } // Lookup associated program (ProgID) static string GetAssociatedProgram(string ext) { try { using (var key = Registry.ClassesRoot.OpenSubKey(ext)) { if (key == null) return null; return key.GetValue(null) as string; // default value = ProgID } } catch { return null; } } // Lookup FriendlyTypeName static string GetFriendlyTypeName(string progId) { if (string.IsNullOrEmpty(progId)) return null; try { using (var key = Registry.ClassesRoot.OpenSubKey(progId)) { if (key == null) return null; // FriendlyTypeName may be a resource string like "@shell32.dll,-12345" var val = key.GetValue("FriendlyTypeName") as string; if (!string.IsNullOrEmpty(val)) return val; // Fallback: default value sometimes contains a readable name var def = key.GetValue(null) as string; return def; } } catch { return null; } } // Lookup open command from ProgID static string GetOpenCommand(string progId) { if (string.IsNullOrEmpty(progId)) return null; try { using (var key = Registry.ClassesRoot.OpenSubKey( progId + @"\shell\open\command")) { if (key == null) return null; return key.GetValue(null) as string; } } catch { return null; } } // Detect suspicious or non-standard extensions static bool IsSuspicious(string ext) { if (ext == "." || string.IsNullOrEmpty(ext)) return true; foreach (char c in ext) { if (c < 32 || c > 126) return true; if (!(char.IsLetterOrDigit(c) || c == '.' || c == '_' || c == '-')) return true; } return false; } } }
No comments:
Post a Comment