ESET NOD32 Antivirus messes with my context menu


xkajxkajx

After updating, I am seeing "1- Open folder location, 2- Include in library and 3- Pin to start" in my context menu.

Tried to remove them in the registry, but they keep coming back every time I reboot or log off?!

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers

What's going on? Please help.

I am using Windows 10 Enterprise

ESET NOD32 ANTIVIRUS 12

THANKS.


  • Administrators

I assume that temporarily uninstalling ESET would not make any difference. Please try it in order to rule out ESET being the culprit.

Sir, I am not guessing here or accusing ESET. I'm sure about it because every time I uninstall ESET, everything is ok.

P.S. I uninstalled and installed ESET "in Safe Mode" (four times). This is how and why I have discovered the issue.

Could you please try to remove "Include in library" from your own right click and reboot and then see what happens?

THANKS


Hi, I have already used "WinaeroTweaker" and other registry tricks and tools before your kind suggestion, but in vain.

Why don't you use "WinaeroTweaker" in yours and see what happens after restarting?

I'm not asking how to remove the entries but how to keep them removed permanently.

I think you are wrong about "Open folder location is a part of Windows and cannot be removed"!? Yes you can. Just google it.

Please! These entries are removed in my context menu for months without any issue. "AFTER UPDATING ESET, THEY ARE STUCK IN THERE"

THANKS FOR YOUR REPLY.

 


On 12/16/2018 at 9:06 PM, xkajxkajx said:

Tried to remove them in the registry, but they keep coming back every time I reboot or log off?!

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers

According to this article: https://www.techspot.com/guides/1670-windows-right-click-menu/ , you're not deleting the entries from the correct registry keys:

Quote

Navigate to Computer\HKEY_CLASSES_ROOT\*\shell and Computer\HKEY_CLASSES_ROOT\*\shellex to find many application context menu entries and delete the ones you no longer want.

 


With all due respect, the entries I'm talking about are NOT in:

1. HKEY_CLASSES_ROOT\*\shell

or

2. HKEY_CLASSES_ROOT\*\shellex

They are located in

1. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers

2. HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Library Location

Read this one carefully: https://www.howtogeek.com/howto/windows-vista/how-to-clean-up-your-messy-windows-context-menu/

Again, we are not talking about the location of the registry entries. We are talking about "Why do they insist on coming back?"

I did uninstall ESET and waited (2 hours booting and rebooting) to make sure if these entries are coming back or not. Guess what? They don't.

COULD YOU PLEASE TELL ME WHY?

I think ESET is restricting MY USER ACCOUNT from deleting or modifying some registry entries. PROVE ME WRONG.

THNX


10 hours ago, xkajxkajx said:

With all due respect, the entries I'm talking about are NOT in:

1. HKEY_CLASSES_ROOT\*\shell

or

2. HKEY_CLASSES_ROOT\*\shellex

They are located in

1. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers

2. HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Library Location

Read this one carefully: https://www.howtogeek.com/howto/windows-vista/how-to-clean-up-your-messy-windows-context-menu/

Again, we are not talking about the location of the registry entries. We are talking about "Why do they insist on coming back?"

I did uninstall ESET and waited (2 hours booting and rebooting) to make sure if these entries are coming back or not. Guess what? They don't.

COULD YOU PLEASE TELL ME WHY?

I think ESET is restricting MY USER ACCOUNT from deleting or modifying some registry entries. PROVE ME WRONG.

THNX

Sorry, I might have misunderstood you. How can I see this Open Folder Location context menu? I tried right-clicking on a folder but can only see "Open in New Window".

Also, when making changes to the registry, you need to disable NOD32 first as it prevents tampering with the registry. Disable NOD32, make the changes that you want, then reboot immediately.


13 hours ago, xkajxkajx said:

I think ESET is restricting  MY USER ACCOUNT  to delete or modify  some registry entries . PROVE ME WRONG .

If this was the case, you should have been receiving HIPS alerts about modification of registry keys. Did you check your Eset HIPS log for entries related to your registry modification activities? If none of the prior apply, Eset is not preventing any of the registry key modifications you are performing.


Hi, Ultra Mate

* I don't know why you cannot see "Open Folder Location" in your right-click menu? Maybe you deleted it.

* I think "Open Folder Location, Pin to Start, Include in library and other context menu entries" come with Windows 10 by default.

* I did your trick "disable ESET and remove the entries and reboot immediately" but the same thing happens.

* If you have "Include in library and Pin to Start" in yours, could you or ANYBODY please remove them and tell me what happens?

Warning! You should export them as a backup before doing that. Just in case.

 

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Library Location

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\PintoStartScreen

 

Just wait almost 2 minutes after rebooting and check them up.

 

_______________________

Hi, itman

I have checked HIPS logs and found zero alerts.

If ESET is not responsible, then who?

How could you explain why the "removed registry entries" won't come back again when ESET is not running in my notebook?

Something fishy!?

Please let's focus on this particular issue.

THANX


  • Marcos changed the title to ESET NOD32 Antivirus messes with my context menu

Try using Autoruns to disable the Context Menu items. Screenshot given below. The advantage of Autoruns is, first, it will modify the associated registry keys by simply unchecking the shown associated item. Next, the registry keys are only modified and not permanently deleted. Simply re-checking the item reactivates the associated registry key.

Note: when opening Autoruns for the first time, click on the Option tab and remove the checkmarks for "Hide Microsoft and Windows entries." This will ensure all Windows settings are shown. Also you will have to run Autoruns as admin to perform most registry modification activities.

Autoruns_ContextMenu.png


Hi itman,

I did as you said and here are the screenshots I have taken:

FIRST SHOT

855598671_Image0011.png

SECOND SHOT

605867621_Image0044.png
709458841_Image0022.png

Here is a screenshot of my context menu:

64248324_Imagexxx1.png

Autoruns is not telling me who recreates these entries, is it?

Sir, I'm getting crazy about it. Need your help.

THANX


12 hours ago, xkajxkajx said:

Sir, I'm getting crazy about it. Need your help.

Did you reboot immediately after making the Autoruns changes?

Also you posted that you are using Win 10 Enterprise. You sure you don't have any Group Policy rule set in regards to context menu changes? It sure appears to me that Windows is re-adding those menu items regardless of any deletion of same on your part.

It also seems reasonable to me that Win 10 will not allow for Pin to Start menu to be disabled for example, since Win Store apps will auto add any new app to it.


Hi,

Yes, I rebooted immediately after making the Autoruns changes.

Windows Store application is disabled:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore]
"AutoDownload"=dword:00000002
"RemoveWindowsStore"=dword:00000001

I don't know if I have any Group Policy rule set in regards to context menu changes or not. How to tell?

In general, I rarely mess with Group Policy rules. I agree with you that "Group Policy" is a possible reason.

So, could you tell me how to make sure of that, I mean in Group Policy settings?

THANK YOU .

 


Hi ,

I feel I'm totally ignored?!?!

Here I am asking anybody to remove the following entries from his/her registry to check and give me feedback (AFTER BACKING THEM UP):

"1- Open folder location, 2- Include in library and 3- Pin to start" in the context menu

 

1-Open folder location

HKEY_CLASSES_ROOT\.symlink\shellex\ContextMenuHandlers\OpenContainingFolderMenu

HKEY_CLASSES_ROOT\LibraryLocation\ShellEx\ContextMenuHandlers\OpenContainingFolderMenu

HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu

HKEY_CLASSES_ROOT\RecentDocument\ShellEx\ContextMenuHandlers\OpenContainingFolderMenu

HKEY_CLASSES_ROOT\Results\ShellEx\ContextMenuHandlers\OpenContainingFolderMenu

2- Include in library

HKEY_CLASSES_ROOT\Folder\ShellEx\ContextMenuHandlers\Library Location

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location

3- Pin to start

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\PintoStartScreen

HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\PintoStartScreen

HKEY_CLASSES_ROOT\Microsoft.Website\ShellEx\ContextMenuHandlers\PintoStartScreen

HKEY_CLASSES_ROOT\mscfile\shellex\ContextMenuHandlers\PintoStartScreen

************************************************************************************

ANOTHER IDEA

If this is too much to ask, then I would like to know how to edit NOD32 (HIPS rules) to BLOCK these entries from being re-added when I reboot?

Can you give me only one example ?

Thanx


  • Administrators
43 minutes ago, xkajxkajx said:

I feel I'm totally ignored ?!?

Quite the contrary. There is a handful of users who have been trying to help you. Your post was not left unanswered.


Hi Marcos,

You know what? Today I tried to disable these entries in safe mode.

They never come back in safe mode for almost 6 minutes simply because NOD32 IS NOT RUNNING THERE. Am I right? 🤔

After rebooting to the real mode, they are not there for only 2 minutes. I was watching the hard disk light to see what's cooking.

When the hard disk light is flashing now, it means something is going on. What is it? Right click a folder immediately and you will see the devil entries coming back. WHY? ☹️😭

SIR, I HAVE NEVER EVER FACED A STUPID PROBLEM LIKE THIS IN MY LIFE. I HAVE TRUSTED NOD32 FOR MANY YEARS.

Frankly, I'm tired of it.

THANX


  • Administrators

In safe mode, almost no application is running, not only ESET.

On my machine I don't have those registry values and have ESET installed.

Try the following:
- in normal mode, delete the registry keys/values
- run Procmon and select to create a boot log as per
- reboot the machine
- check the registry if the keys/values exist
- stop logging in Procmon, save the log, compress it, upload it to a safe location and provide me with a download link.


Hi,

"On my machine I don't have those registry values and have ESET installed. " 

I don't get it. You mean you removed them? I think they exist by default when you install Windows 10.

You didn't answer my previous question:

How could you explain the "removed registry entries" won't come back again when ESET is not running in my notebook?

NOTE: I have a Symantec Ghost backup from 3 months ago. When I restore it, everything is perfect.

As usual, ESET is updating and upgrading (v.10 to v.12) and asks me to restart.

I did restart and changes happen magically.

 

Anyway, I did exactly as you told me and here you have the files.

https://drive.google.com/open?id=1QAgMS85r-Rp2gOBX8-6meeAdwdRKUceB
https://drive.google.com/open?id=1NrzcRWHse0wZHchrsi94lE3HfqxU9YSE
https://drive.google.com/open?id=1IDJyrZNV0D8hv4qV_EvlnvnaD3gmDSwl  
https://drive.google.com/open?id=1UTVdI1cxCazBrXcosKnemr7r_6RrD9fe
https://drive.google.com/open?id=1InrWumi_e2iExdGzrO0DwtXJNicuSmzs
 

Thanx

 


  • 2 weeks later...

Hi,

On 12/28/2018 at 9:19 AM, stackz said:

@Marcos, I think you'll find the  last log - Logfile1.7z - to be the log of interest.

Could you please elaborate?

Some details, please!

THANX


  • 2 weeks later...

Hi,

I thought I was wrong when I said ESET IS MESSING UP WITH MY CONTEXT MENU. But here is another piece of evidence.

Desperately, I have made 2 registry shots for my PC using NirSoft's "RegistryChangesView.exe". One before updating ESET and the other after that.

After making a comparison between the 2 shots, I have found a lot of changes in the registry, especially in my context menu.

Many keys were added and modified and removed. You can see all changes in the "text file" I have uploaded.

RegistryChangesView.txt

THE BIG QUESTION IS WHO DID THIS?

YOU CAN NOT EVEN DELETE THEM "the ones in the ContextMenuHandler keys" FOR EVER.

It seems I cannot control my context menu anymore!

PLEASE, THIS DRIVES ME CRAZY. I AM REALLY DESPERATE AND DISAPPOINTED.

NOTICE, I DID NOTHING BUT UPDATING ESET. I MEAN IT "NOTHING".


Thanks

 


  • ESET Insiders
On 1/8/2019 at 11:01 PM, xkajxkajx said:

Hi,

Could you please elaborate?

Some details, please!

THANX

Logfile1 clearly shows ESET's service, ekrn.exe, creating the shellex keys and setting their default values. I've attached a jpeg image of the process monitor output for clarification.

 

ekrn.JPG
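
The check stackz describes above, run over the kind of Procmon boot log Marcos asked for earlier, as an added example that is not part of the original posts: it reports which process actually created or wrote keys under ContextMenuHandlers. It assumes the log was saved from Procmon as CSV with the default columns; the function name and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in Procmon's default CSV export layout; not taken from the thread's Logfile1.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:14:02.10","explorer.exe","4120","RegOpenKey","HKCR\Folder\shellex\ContextMenuHandlers\Library Location","NAME NOT FOUND","Desired Access: Read"
"09:15:47.31","ekrn.exe","1988","RegCreateKey","HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"09:15:47.32","ekrn.exe","1988","RegSetValue","HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location\(Default)","SUCCESS","Type: REG_SZ, Length: 40, Data: {constructed-placeholder}"
"09:15:47.40","svchost.exe","912","RegCreateKey","HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers","SUCCESS","Desired Access: Read, Disposition: REG_OPENED_EXISTING_KEY"
"09:15:47.55","ekrn.exe","1988","RegCreateKey","HKCR\Folder\shellex\ContextMenuHandlers\PintoStartScreen","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"09:15:48.02","regedit.exe","5012","RegDeleteValue","HKCR\Folder\shellex\ContextMenuHandlers\PintoStartScreen\(Default)","NAME NOT FOUND",""
"09:15:49.00","notepad.exe","5100","RegSetValue","HKCU\Software\Example\Setting","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegDeleteKey", "RegDeleteValue"}

def handler_writers(csv_text, marker="\\contextmenuhandlers"):
    """Return {process name: [(operation, path), ...]} for successful registry
    writes whose path contains `marker` (compared case-insensitively)."""
    writers = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path = row["Operation"], row["Path"]
        if op not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue  # reads and failed attempts changed nothing
        if marker not in path.lower():
            continue  # unrelated part of the registry
        # Procmon logs RegCreateKey even when an existing key is only opened;
        # keep the rows where a new key really came into existence.
        if op == "RegCreateKey" and "REG_CREATED_NEW_KEY" not in row["Detail"]:
            continue
        writers[row["Process Name"]].append((op, path))
    return dict(writers)

if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
    for proc, events in handler_writers(SAMPLE_CSV).items():
        print(proc)
        for op, path in events:
            print("   ", op, path)
```

Filtering on the disposition matters here: without it, every process that merely opens the ContextMenuHandlers key through RegCreateKey would be listed alongside the one that recreates the deleted entries.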


Hi stackz,

Thank you for your cooperation. You are a big help, but why does ESET insist on creating these registry keys? And how to stop it from doing unwanted things?
Is it because of security?
Frankly, I don't like it.

 

P.S.: This applies to Windows 7 (64bit).

Thankx

Image 1.png
