This blog post explains what FEATURE_BROWSER_EMULATION is and why browser hijackers seem to love it. It also points out that this does not mean it’s automatically a problem if you have one or more of them.
What is FEATURE_BROWSER_EMULATION?
FEATURE_BROWSER_EMULATION is a registry key that allows you to set a different default document mode for the web-browser control of any given application.The activation of this setting is done by adding a registry value—a name-data pair—to any of these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ Main\FeatureControl\FEATURE_BROWSER_EMULATION HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ Main\FeatureControl\FEATURE_BROWSER_EMULATION HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ MAIN\FeatureControl\FEATURE_BROWSER_EMULATIONThe value-name, in this case, corresponds to the application that has the WebBrowser Control. The value-data tells it what Internet Explorer version standard to follow when displaying Web pages, following the !DOCTYPE directive.
For example, the added registry value below—
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ Main\FeatureControl\FEATURE_BROWSER_EMULATION "HomeBrew.exe" = dword:0x00002AF8—makes sure that the WebBrowser Control of HomeBrew.exe displays Web pages containing standards-based !DOCTYPE directives the same way that Internet Explorer 11 would. You can find the description belonging to this specific value-data at this MSDN page. As you may be able to tell from the screenshot above, there are many types of applications using this feature:
- prevhost.exe is Windows’ preview handler
- mbam.exe is our own Malwarebytes Anti-Malware
- CrExtPeh.exe is used by many Mindspark/Ask toolbars
Malwarebytes Anti-Malware does scan this key for known unwanted entries and removes them if they are there.
Summary
FEATURE_BROWSER_EMULATION is a setting that controls which Internet Explorer version certain browser controls should mimic. Although popular with browser hijackers and other adware, it is not a risk by itself.Resources:
Pieter Arntz
COMMENTS