Thursday, October 18, 2018

PowerShell - Get all Windows file extensions from registry at HKEY_CLASSES_ROOT

Here's a PowerShell script that traverses the keys directly under HKEY_CLASSES_ROOT in the registry and lists every Windows file extension, i.e. every key whose name starts with a dot. It then does the same for HKEY_LOCAL_MACHINE\Software\Classes and for the current user's Explorer FileExts key, printing a count for each location.

#============================================================================================================================================================ 
# AUTHOR:         metadataconsult@gmail.com 
# WEBSITE:        http://metadataconsulting.blogspot.com 
# 
# SCRIPT NAME:    GetAllFileExtensions.ps1   
# DATE:           17/10/2018  
# VERSION:        1.0.0.0
# 
# SYNOPSIS:       Get all file extensions from registry at HKEY_CLASSES_ROOT  
#
#============================================================================================================================================================ 

# HKCR is not mapped as a PSDrive by default (only HKLM: and HKCU: are), so map it first
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
$i=0
Get-ChildItem 'HKCR:\' | ForEach-Object {  

 If($_.name -Match "^HKEY_CLASSES_ROOT\\\..+") {
    $i++
    Write-Host  $_.Name.Replace("HKEY_CLASSES_ROOT\","")
 }

}
"$i file extensions in Registry @ HKEY_CLASSES_ROOT\"


# Same listing for the machine-wide classes
$i=0
Get-ChildItem 'HKLM:\Software\Classes\' | ForEach-Object {  
 
 If($_.name -Match "^HKEY_LOCAL_MACHINE\\Software\\Classes\\\..+") {
    $i++
    Write-Host  $_.Name.Replace("HKEY_LOCAL_MACHINE\Software\Classes\","")
 }

}
"$i file extensions in Registry @ HKEY_LOCAL_MACHINE\Software\Classes\"

# Same listing for the current user's Explorer file-extension settings
$i=0
Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\' | ForEach-Object {  
 
 If($_.name -Match "^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\\..+") {
    $i++
    Write-Host  $_.Name.Replace("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\","")
 }

}
"$i file extensions in Registry @ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\"


Tuesday, October 16, 2018

Apple Phishing Email - Re: RE : [ Attentions Report Session ] [ Reminder Supports ] Your Details Accounts Has Been Locked Sessions

For the record, this is an Apple phishing email attempt that has recently been going around and made it through spam filters. What to do? Report it; go to the bottom of the page.


From: Apple Support

Subject: Re: RE : [ Attentions Report Session ] [ Reminder Supports ] Your Details Accounts Has Been Locked Sessions



It contains an infected DOCX file: Apple-SupportIDAlert-ID1.8.docx

Phishing links:

1. https://lihi.cc/iEPYq expands to -> https://secureserviced.serveirc.com/Auths

How to tell this is a phishing email?

  1. Check the sender's email address in full; if it's not from the originating company, it's phishing.
  2. Hover over all links in the email; if a link does not go to the apple.com site, forget it.
  3. The best way is to look at the message source, see below.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow at top right)->Show original.
Check for suspicious links, meaning anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down arrow at top right)->Report Phishing

Report Phishing URLs at Google now

If you have received this email, take further action now by clicking these links:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Apple 

Forward the email to abuse@icloud.com. This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.

Monday, October 15, 2018

Apple Phishing Email - Re: [New Statement] We Have sent notification the last information issued your Apple Password was updated.

For the record, this is an Apple phishing email attempt that has recently been going around and made it through spam filters. What to do? Report it; go to the bottom of the page.


From: Apple Support

Subject: Re: [New Statement] We Have sent notification the last information issued your Apple Password was updated.


This Apple lD has been locked for security reasons.

Verification is required before 24 hours to get re-access your account. We have under maintenance service to improve our system to protect your account.

Please updated your account on https://appleid.apple.com/support.verification-account -- PHISHING LINK


Sincerely,

Apple Support


Phishing links:

1. https://pxlme.me/sHYbt7Jx

How to tell this is a phishing email?

  1. Check the sender's email address in full; if it's not from the originating company, it's phishing.
  2. Hover over all links in the email; if a link does not go to the apple.com site, forget it.
  3. The best way is to look at the message source, see below.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow at top right)->Show original.
Check for suspicious links, meaning anything that does not originate from apple.com.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down arrow at top right)->Report Phishing

Report Phishing URLs at Google now

If you have received this email, take further action now by clicking these links:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Apple 

Forward the email to abuse@icloud.com. This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.