
Short bio

Hijack.Shell is Malwarebytes’ generic detection name for hijackers that replace the Windows shell. By default the Windows shell is explorer.


Hijack.Shell alters the registry value(s)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell

It does this to point to one of their own files, which will then be run automatically when the system starts running Windows.
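A read-only audit of the two Shell values named above, as an added example that is not Malwarebytes' own code. It assumes that a missing value or plain explorer.exe is the default state; the function name Get-ShellPolicyFinding is made up for this example.

```powershell
# Added example: report whether the Policies\System "Shell" value overrides the
# default shell in either hive. Nothing is modified.
$keys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-ShellPolicyFinding {   # hypothetical helper name
    param([string]$KeyPath)

    # A missing key or missing value means no shell override is configured.
    $shell = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Shell']) { $shell = [string]$props.Shell }
    }
    $finding = [pscustomobject]@{
        Key = $KeyPath; Shell = $shell; Status = 'NotSet'; Signature = $null
    }
    if ([string]::IsNullOrWhiteSpace($shell)) { return $finding }

    # Separate the executable from any arguments. A quoted path is taken whole;
    # otherwise use the full string if it is a file, else the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($shell.Trim())
    if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif (Test-Path -LiteralPath $expanded -PathType Leaf) { $exe = $expanded }
    else { $exe = ($expanded -split '\s+')[0] }

    # Assumption: only explorer.exe in the Windows directory counts as default.
    $default = Join-Path $env:windir 'explorer.exe'
    if ($exe -ieq 'explorer.exe' -or $exe -ieq $default) {
        $finding.Status = 'Default'
        return $finding
    }

    # Anything else is an override: record whether the target exists and
    # whether it carries a valid Authenticode signature, for triage.
    $finding.Status = 'Overridden'
    $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($cmd) { $finding.Signature = (Get-AuthenticodeSignature -LiteralPath $cmd.Path).Status }
    else { $finding.Signature = 'FileNotFound' }
    return $finding
}

$keys | ForEach-Object { Get-ShellPolicyFinding -KeyPath $_ } | Format-List
```

An `Overridden` status is not a verdict on its own, since kiosk configurations and optimization software set this value too; the signature status and file path are there to help decide whether the change was authorized.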


Malwarebytes can detect and remove Hijack.Shell without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Add an exclusion

When Hijack.Shell is detected on your computer, Malwarebytes for Windows does not know if it was authorized. Optimization software, malware, and potentially unwanted programs (PUPs) are known to make these types of changes, hence they are regarded as potentially unwanted. To have Malwarebytes for Windows ignore a Hijack, you must add the Hijack as an exclusion.

  1. When Hijack.Shell appears in the list of Scan results.
  2. Uncheck the entry or entries related to Hijack.Shell.
  3. Then click on Next.
  4. You will see a prompt giving you several options.
  5. Choosing Always ignore will add Hijack.Shell to the Allow List.
  6. You can remove them there when you decide they should no longer be ignored.

When a Hijack is excluded, Malwarebytes for Windows does not detect the Hijack during scans or real-time protection.