Installer creates startup entries for registering DLLs, doesn't tell you

This post is just an FYI for anyone else that comes across this behavior and executable files that are named like they're malware. TLDR; they're not, and you should let it run so that the 1Password installer finished properly on reboot.

I just installed the latest version of 1Password for Windows (v1.0.9.333) and SpyBot's TeaTimer told me that the following registry entry was attempted:

Category: System Startup global entry
Change: Value added 
Entry: InnoSetupRegFile.0000000001
New Data: "C:\Windows\is-2KIFU.exe" /REG /REGSVRMODE


This immediately set off warning bells - what was this weirdly named exe and why was it trying to get itself to run at startup? Sounds like malware, doesn't it? Now the mitigating factor was that this warning popped up immediately after my install of 1Password completed, so I figured either it was legit or my download was infected. I wandered over to the C:\Windows directory and found not only that is-2KIFU.exe but also another one called is-F4KHF.exe from Jun 30 2013. The .exe files had the 1Password icons, but looking at file Properties showed no identifying info (no Agilebits, no 1Password, etc.). I also scanned it using the Sysinternals tool sigcheck. It also came up empty.

So far, not great. Not horrible, but not great. Scanning them (with AVG) thankfully came up empty.

The sigh of relief came when I saw that those executables also have 2 sibling files: same prefix, but with the extensions .lst and .msg. The .lst file contained this:

; This file was created by the installer for:
;   1Password
;   Location: D:\Documents and Settings\user\My Documents\Downloads\1Password-

; List of files to be registered on the next reboot. DO NOT EDIT!


Now I know what it's for, and I can click Allow in TeaTimer.

However, I'm disappointed in a few things:

  1. The installed sticks files in C:\Windows for installation purposes and doesn't clean them up

  2. The installer _doesn't tell you _that it needs to do this.

  3. Those files aren't well-documented. At a minimum, they should note the publisher (AgileBits) and the date.


This discussion has been closed.