{
	"id": "fc0cc9a6-8bdc-4f77-a4e3-d7cc324dc950",
	"created_at": "2026-04-06T00:15:19.626752Z",
	"updated_at": "2026-04-10T03:23:51.405037Z",
	"deleted_at": null,
	"sha1_hash": "886fef000ce8cb275b3476964c7f2b6dfe1024dd",
	"title": "Best Practices for File Associations (Windows)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65749,
	"plain_text": "Best Practices for File Associations (Windows)\r\nArchived: 2026-04-05 19:55:57 UTC\r\nThe following are recommended best practices you should use when working with file associations.\r\nDo Not Copy File Associations from the Registry\r\nAvoid Hard-Coding Paths into the Registry Where Possible\r\nAlways Wrap Expanding Strings in Quotation Marks\r\nDo Not Confuse Autoplay/Autorun with File Associations\r\nDo Not Confuse the Internet Explorer MIME Database with File Associations\r\nUse Properly Formed and Versioned ProgIDs\r\nDo Not Use Short File Name Extensions\r\nRegister New File Types in the IANA MIME Database\r\nSign Up with the Windows Web Service for File Associations\r\nRelated topics\r\nDo Not Copy File Associations from the Registry\r\nWe recommend that you do not copy existing file associations from the registry. This often leads to the\r\npropagation of poorly formed file associations. Instead, you should follow the steps outlined in File Association\r\nSample Scenario.\r\nAvoid Hard-Coding Paths into the Registry Where Possible\r\nJust as hard-coding paths into programs can cause problems, hard-coding paths into the registry can also lead to\r\nproblems. Instead, you should use registry expansion strings (REG_EXPAND_SZ) to provide path independence\r\nwhere applicable. For example, instead of using this method:\r\nHKEY_CLASSES_ROOT\r\n   MyVendor.MyProgram.1\r\n      DefaultIcon\r\n         (Default) = C:\\WINNT\\hta.exe,1\r\nYou should use this method:\r\nHKEY_CLASSES_ROOT\r\n   MyVendor.MyProgram.1\r\n      DefaultIcon\r\n         (Default) = \"%SYSTEMROOT%\\hta.exe,1\"\r\nAlways Wrap Expanding Strings in Quotation Marks\r\nExpanding strings can contain spaces when they expand. Because spaces are often interpreted as argument\r\ndelimiters, they cause problems under certain circumstances. 
For example, a command to invoke MyProgram can\r\nbe stored in the registry as:\r\n%SYSTEMROOT%\\MyProgram %1 %2\r\nMyProgram expects that %1 is the full path to a file name, and %2 is a switch to indicate some action. If this\r\ncommand is executed with arguments C:\\Program Files\\My Documents\\document.txt and /print, and assuming\r\na SYSTEMROOT of C:\\WINNT, it expands to:\r\nC:\\WINNT\\MyProgram C:\\Program Files\\My Documents\\document.txt /print\r\nIn this case, MyProgram interprets the first argument as C:\\Program and the second argument as Files\\My,\r\nwhich is not the intended behavior. The arguments are interpreted correctly, however, regardless of whether they\r\ncontain spaces, if the expanding strings are wrapped in quotation marks as follows:\r\n\"%SYSTEMROOT%\\MyProgram\" \"%1\" \"%2\"\r\nDo Not Confuse Autoplay/Autorun with File Associations\r\nFile Associations are similar to Autoplay/Autorun in some ways. However, Autoplay/Autorun offers separate and\r\ndistinct facilities from those provided by file associations. For more information, see Creating an AutoRun-enabled\r\nCD-ROM Application.\r\nDo Not Confuse the Internet Explorer MIME Database with File Associations\r\nFile Associations are similar to the Windows Internet Explorer MIME database, in that file types can (and should)\r\ninclude a MIME type definition. However, the Internet Explorer MIME database is separate and distinct from file\r\nassociations.\r\nUse Properly Formed and Versioned ProgIDs\r\nAlways use versioned ProgIDs, even if there is only one version of the ProgID. Versioned ProgIDs help to avoid\r\nProgID conflicts and overwrites. They also enable different versions of an application to co-exist.\r\nDo Not Use Short File Name Extensions\r\nLong file name extensions offer the following advantages:\r\nThe limited length of short extensions makes them prone to extension collisions. 
An extension collision\r\noccurs when the same extension is used to classify multiple file types. Using long extensions significantly\r\ndecreases the chances of a collision.\r\nShort file names tend to be somewhat cryptic. Long extensions tend to be more meaningful because\r\nadditional information can be embedded in the extension.\r\nFor more information, see file name extensions.\r\nRegister New File Types in the IANA MIME Database\r\nThe Internet Assigned Numbers Authority (IANA) keeps a public database of registered MIME types. When\r\ndefining a new public file type, we recommend that you also define a MIME type for the file type and register\r\nthis type with the IANA. There is no cost for registration.\r\nSign Up with the Windows Web Service for File Associations\r\nApplication developers can sign up with the Windows Web Service that users use to find applications that can\r\noperate on specific file types. The process for signing up with the web service is detailed in Windows File\r\nAssociation System on-boarding process.\r\nRelated topics\r\nFile Association Sample Scenario\r\nGuidelines for Managing Default Applications in Windows Vista and Later\r\nDefault Programs\r\nSet Program Access and Computer Defaults (SPAD)\r\nSource: https://msdn.microsoft.com/en-us/library/cc144156.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://msdn.microsoft.com/en-us/library/cc144156.aspx"
	],
	"report_names": [
		"cc144156.aspx"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/886fef000ce8cb275b3476964c7f2b6dfe1024dd.pdf",
		"text": "https://archive.orkl.eu/886fef000ce8cb275b3476964c7f2b6dfe1024dd.txt",
		"img": "https://archive.orkl.eu/886fef000ce8cb275b3476964c7f2b6dfe1024dd.jpg"
	}
}