Author Topic: Image File Execution Options  (Read 3577 times)

anphanax

  • Member
  • **
  • Posts: 197
  • Kudos: 11
    • http://june.tripod.com
Image File Execution Options
« on: 5 April 2005, 05:44 »
Background:
For those of you who didn't know, there's a special registry key for Windows NT based systems. The path of this key is "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Image File Execution Options". This key is particularly useful if you get a trojan on your system that refuses to shut down (you can tell windows to run another EXE in place of the EXE attempting to run here). This way, even viruses that check permissions and set them if you try and revoke read/write/execute from the trojan/malware/whatever. To do this, you simply create a subkey with the exe's name, add a string value named "Debugger", and set the value of this key to another EXE. But of course, there's a DARK SIDE TO THIS, THAT CAN MAKE YOUR LIFE A LIVING HELL. I was playing around, and decided to add WINLOGON.EXE to this list, and have it run CMD.EXE instead... and so the fun begins. Windows doesn't boot. Once it gets past the loading screen, it stays on a black screen for a few seconds, and reboots. ALAS! Recovery console to the rescue... OH WAIT, Recovery console won't let me edit the registry (it doesn't do much of anything besides suck)... Ok, so i decided to try and be clever and rename winlogon.exe to cmd.exe since that's what was trying to run. It worked, or so I thought, I tried to login at the logon screen, and it just kept bringing me back to it. So... I connected to the system from another XP box, and tried remote registry editing, which appeared to work. In reality, it seems to have just corrupted the registry. The Windows XP installation is screwed and I have no clue how to repair it. Hope I can find that site that tells you how to backup your product activation files, or else I might have a problem (not the first time i've had to pull out that bastard CD). I really hope MS puts a tighter lid on the registry with Longhorn, to prevent users from doing dumb things because they were bored -_-.

Actual Problem:
Microsoft Windows allows non-administrators to screw up their system (that's nothing new, I haven't been living in a hole, leave me alone...). Even a 13 year old kid at school could write a macro to exploit this and cause the system administrator a nasty headache. Even if you know what the problem is, it's not one you can just "fix". It's really quite sad that the system can be unbootable so easily (note: I'm aware of the NTLDR thing, but that's obvious, and easily fixable, this isn't).

All someone would have to do is write some code to add a key and value to the registry, then retrieve the SE_SHUTDOWN_PRIVILEGE via RtlAdjustPriviledge and make a call to NtShutdownSystem (Undocumented, NTDLL.DLL) with the POWEROFF constant.

Consider yourself warned :\. I know this sort of my fault, but still, this should not have been allowed to happen. Windows goes to GREAT deal to try and prevent me from doing things sometimes, but it had no problem with me shooting myself in the foot this time.
« Last Edit: 5 April 2005, 06:07 by anphanax »

anphanax

  • Member
  • **
  • Posts: 197
  • Kudos: 11
    • http://june.tripod.com
Re: Image File Execution Options
« Reply #1 on: 5 April 2005, 05:50 »
And for those of you who are going to make a ... "what a perfect time to install Linux" comment, this isn't my computer that I did this to. It was my brothers. I didn't expect this to happen.

My brother uses Firefox, but probably wouldn't be comfortable under Linux. If you guys can convince me Linux has enough "killer apps", and that it has a polished office suite with decent compatibility for MS Office, i might consider it.

Problem these days, is that instructors *DEMAND* the students use Microsoft Office (down to the exact edition\version). No Wordpad, No Corel Wordpefect, No OpenOffice.org, No AbiWord...

EDIT: And even if it was my computer, I still couldn't switch it to Linux. I host two servers written for Microsoft Windows. They are game servers, and in their current state, are NOT portable.

muzzy

  • Member
  • **
  • Posts: 391
  • Kudos: 409
    • http://muzzy.net/
Re: Image File Execution Options
« Reply #2 on: 5 April 2005, 08:05 »
And what system administrator allows all users to have full access to registry?

On my windows 2003 box, HKLM was read-only BY DEFAULT. Only administrators group and SYSTEM user had full control to it. This is just a configuration issue, and it's already fixed in future versions. Can't remember defaults for older systems, but they're configurable and proper sysadmin would've touched them.

What comes to undocumented calls, I do wish those were documented, but it doesn't change the fact that you still need privileges to enable further privileges.

anphanax

  • Member
  • **
  • Posts: 197
  • Kudos: 11
    • http://june.tripod.com
Re: Image File Execution Options
« Reply #3 on: 5 April 2005, 18:22 »
It was the default configuration on the box. HKLM wasn't read-only (they're a member of Users, not Power Users or Administrators). This is XP Pro, not Windows 2K3. Probably not setup to be as secure as a W2K3 install is by default... (from now i'm on, i'm checking that stuff though, thanks for bringing that up)

Oh, BY THE WAY, I CAN'T RE-INSTALL XP. The CD wont get passed loading the setup on the blue screen. I think it's because the NTFS file system on the HDD might have some errors. That's right... Problems on disk? Good luck installing XP without a wipe. This particular person has a TON of MP3s and would kill me if I wiped their system, so... guess i'm screwed.

And the reason i've come to the HDD conclusion is because I had that problem last time I was installing XP on the machine (it had the Windows ME FAT on it before I upgraded it, and apparently it had problems, as when I ran the check disk utility on a MS-DOS boot disk for that drive, XP setup then magically worked).

EDIT: Don't tell me to use crap from recovery console. REMEMBER, THE CD WON'T GET THAT FAR...

EDIT 2: Yes, I know you can setup recovery console to run locally. I didn't do that though, it wasn't my system. Secondly, it might not work that well if the filesystem has a problem :\.
« Last Edit: 5 April 2005, 19:28 by anphanax »

muzzy

  • Member
  • **
  • Posts: 391
  • Kudos: 409
    • http://muzzy.net/
Re: Image File Execution Options
« Reply #4 on: 5 April 2005, 20:11 »
Yea, I recall XP's default configuration was still totally braindead although I don't remember any specifics on the ACLs. W2k3 had a lot more sane defaults, and didn't require quite as much work to configure properly. I've only configured one XP box in my whole life and the experience was so painful I'd rather forget it already.

Anyway, about the foofoo hdd, some choices to think about:
1) Try linux with the captive ntfs.sys hack.
2) Try putting the hdd into another box which has XP installed and working, mount it there and try to recover files.
3) Use the linux read-only ntfs implementation. It's known to suck for writing, but perhaps you can backup some data.

Calum

  • Global Moderator
  • Member
  • ***
  • Posts: 7,812
  • Kudos: 1000
    • Calum Carlyle's music
Re: Image File Execution Options
« Reply #5 on: 5 April 2005, 20:22 »
Quote from: anphanax
And for those of you who are going to make a ... "what a perfect time to install Linux" comment, this isn't my computer that I did this to. It was my brothers. I didn't expect this to happen.

My brother uses Firefox, but probably wouldn't be comfortable under Linux. If you guys can convince me Linux has enough "killer apps", and that it has a polished office suite with decent compatibility for MS Office, i might consider it.

Problem these days, is that instructors *DEMAND* the students use Microsoft Office (down to the exact edition\version). No Wordpad, No Corel Wordpefect, No OpenOffice.org, No AbiWord...

EDIT: And even if it was my computer, I still couldn't switch it to Linux. I host two servers written for Microsoft Windows. They are game servers, and in their current state, are NOT portable.

what a great time for your brother to install linux, or for you to install it on your brother's computer.  (remembering that none of us are getting paid to "convince" you of anything, so why not have a go at convincing yourself?)

and what a great time for you to learn how to code your game servers natively from scratch under linux! :-D
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

muzzy

  • Member
  • **
  • Posts: 391
  • Kudos: 409
    • http://muzzy.net/
Re: Image File Execution Options
« Reply #6 on: 5 April 2005, 22:19 »
Instructors demand microsoft office? Are they also providing you the software licenses? If not, demand that you're allowed to return papers as PDF. How the heck can the instructors demand you to give money to some specific company? That's sick, and should be made illegal if it isn't already. "As a part of this course, you have to pay $100 extra fee to Muzzy Software Fund. No, you won't get any value for the money, you just have to do it. Pay or fail the class, Suckers!"

anphanax

  • Member
  • **
  • Posts: 197
  • Kudos: 11
    • http://june.tripod.com
Re: Image File Execution Options
« Reply #7 on: 6 April 2005, 00:18 »
They're not my servers. I'm hosting them for someone else. They're written in Visual Basic 6.0.

As for the "me convincing myself" thing, that's not going to happen. Even with crap like this, i've simply gotten too used to Windows and spent too much time learning to code for it. Time investment is important to people. I have nothing against Linux, and know that it can be used in many places where using Windows wouldn't be a good idea, but for the desktop, it's still a hard sell and will remain so, at least for me. Hell, i'm not even convinced anymore that open source is all that great (I will probably be flamed to death on this). Open source programs crash for no apparent reason, just like closed sourced ones do (xchat, firefox, and openoffice.org are examples of this). I HATE program crashes. I know there's a bigger picture involved here, but still. If FOSS developers are so "talented" and "smart" and "innovative" and "perfect", this shouldn't happen in the first place. I've seen lots of arrogant people bash others for their coding mistakes, then watch them get flooded with bug reports, so... The people with the "FOSS programmers are better an all other programmers" attitude can go to hell. The Open Source model works best when you have the most people looking at projects (more people = more good programmers), so I would think you would WANT to try and convince people to move over to open source.

Note: Telling me to look at the code and try and fix these "no apparent reason" crashes is stupid. Do I look like a linux programmer? Didn't think so... I don't have as much free time as I used to either, nor do I want to spend it learning a platform that I don't use very often because I have one that already works ok. Plus, my linux system doesn't have a keyboard, mouse, or monitor, so... not a big fan of using it at the moment.

Sorry if I seem angry, but this is very stressful. I've never really run into a Windows problem before where I wasn't sure how to fix it.
« Last Edit: 6 April 2005, 01:03 by anphanax »

muzzy

  • Member
  • **
  • Posts: 391
  • Kudos: 409
    • http://muzzy.net/
Re: Image File Execution Options
« Reply #8 on: 6 April 2005, 03:07 »
"no apparent reason" crashes can indeed be complex issues, and more often that people realize, it's because of hardware issues. Some people just keep experiencing strange crashes, and instead of testing their system they blame it on all the different software. Faulty memory can do the most mysterious things and might go undetected for months at a time until something strange happens. Faulty PSU can cause mystery freezes, sometimes even repeatable ones. Faulty/overclocked CPU too, it might work just great for hours and hours straight of intense calculation, and then just do something wrong. A lot of people think that faulty hardware would result into the system not booting at all, or not seeming to work at all... not quite true!

Also, open source isn't about software quality. Regarding that, a lot of OSS apps suck as you noted. The important difference is freedom, and that's an ideological difference. I'd like them software freedoms, but nothing's going to happen by just using OSS at current rate. Software patents are coming to ruin everyone's day, and a lot of OSS apps are becoming illegal. IMO, the development model of open source software only reflects the freedom of the software, which might or might not lead to quality stuff.

Orethrius

  • Member
  • **
  • Posts: 1,783
  • Kudos: 982
Re: Image File Execution Options
« Reply #9 on: 6 April 2005, 08:20 »
Quote from: muzzy
Also, open source isn't about software quality. Regarding that, a lot of OSS apps suck as you noted.

Maybe you'd like to tell Sean Egan that one.  Or, for that matter, see how well you can sell that line to Sourceforge.

Quote
The important difference is freedom, and that's an ideological difference.

True - free software is free software is free software.  Don't be so quick to write it off.  ;)

Quote
I'd like them software freedoms, but nothing's going to happen by just using OSS at current rate.

Hear that, folks?  Muzzy says we need to up FOSS usage by getting decent developers involved!  Yay Muzzy!  :D

Quote
Software patents are coming to ruin everyone's day, and a lot of OSS apps are becoming illegal.

Yes, and God knows people don't download MP3s, either.  I'll continue to use FOSS in absentia of a lawful government, and if you don't care to do the same you know where to stick that EULA.  :p

Quote
IMO, the development model of open source software only reflects the freedom of the software, which might or might not lead to quality stuff.

This is - unfortunately - true.  Fortunately, FOSS has coders that can distinguish crap and code it out.  Windows?  Yeah, it has people that can attempt to recreate the code.  Too bad current disassemblers are such amazing horseshit.  :p

Proudly posted from a Gentoo Linux system.

Quote from: Calum
even if you're renting you've got more rights than if you're using windows.

System Vitals

anphanax

  • Member
  • **
  • Posts: 197
  • Kudos: 11
    • http://june.tripod.com
Re: Image File Execution Options
« Reply #10 on: 6 April 2005, 08:22 »
I was a bit out of line in my previous post. I thought I saw the big picture, but was forgetting about the "freedom" thing. It's easy to forget seemlingly obvious stuff when you're stressed out over something else.

In this case, I don't think this is a hardware issue. If it is, it would be one hell of a coincidence. I'm planning on hooking up the harddrive from that computer to this one (it's an IDE one, so I should have no problem), copying all their stuff, then deleting some files (The SYSTEM registry hive in particular, since a corrupted hive has caused setup hangs for other people. I'm pretty sure this is because the SYSTEM hive happens to contain information needed by the recovery console). I wish Microsoft would have designed it where it didn't need to read any registry keys... it could have just been an NTFS shell, but no... :P (if people really want system security, they should encrypt their files)

This is unrelated to the topic, but why is it that there aren't *FREE* NTFS read/write utilities and drivers out there. That would make things a hell of a lot easier.

Thanks for not flaming me to death :)

Orethrius

  • Member
  • **
  • Posts: 1,783
  • Kudos: 982
Re: Image File Execution Options
« Reply #11 on: 6 April 2005, 08:27 »
Quote from: anphanax
This is unrelated to the topic, but why is it that there aren't *FREE* NTFS read/write utilities and drivers out there. That would make things a hell of a lot easier.

You mean, outside of Captive?  ...what, you thought Microsoft would allow someone else to design an NTFS driver for their OS?  I need to tell my lawyer that one.  He'd die.  :D

Proudly posted from a Gentoo Linux system.

Quote from: Calum
even if you're renting you've got more rights than if you're using windows.

System Vitals

anphanax

  • Member
  • **
  • Posts: 197
  • Kudos: 11
    • http://june.tripod.com
Re: Image File Execution Options
« Reply #12 on: 6 April 2005, 08:34 »
ReactOS!
I completly forgot about that project. It even has a LIVE CD. Thanks for mentioning that. Maybe I wont have to screw with hardware afterall.

Quote
you thought Microsoft would allow someone else to design an NTFS driver for their OS?

If they can sue you for that, that's ridiculous. You should be able to design an alternative implentation to do something without having to worry about being sued. Writing an alternative implementation of an idea isn't stealing an idea, it's implementing it.

e.g. Drug company A makes drug to cure disease 'x'. Another company B makes a drug that uses different ingredients, but also cures disease 'x'. Drug company A should not be pulling out their lawyers on drug company B.

Blocking people from implementing an idea a different way stifles innovation.
« Last Edit: 6 April 2005, 08:44 by anphanax »

KernelPanic

  • VIP
  • Member
  • ***
  • Posts: 1,878
  • Kudos: 222
Re: Image File Execution Options
« Reply #13 on: 6 April 2005, 16:55 »
Quote from: muzzy
Software patents are coming to ruin everyone's day, and a lot of OSS apps are becoming illegal. IMO, the development model of open source software only reflects the freedom of the software, which might or might not lead to quality stuff.


This doesn't have to be, at least not in Europe!
Didn't you hear that if the Parliament votes against the bill, the commision will not pursue it further?

Get lobbying now ;)
« Last Edit: 6 April 2005, 17:14 by KernelPanic »
Contains scenes of mild peril.

muzzy

  • Member
  • **
  • Posts: 391
  • Kudos: 409
    • http://muzzy.net/
Re: Image File Execution Options
« Reply #14 on: 6 April 2005, 19:17 »
Quote from: KernelPanic
This doesn't have to be, at least not in Europe!
Didn't you hear that if the Parliament votes against the bill, the commision will not pursue it further?

Get lobbying now ;)


Yea, after the council presidency accepted the fscking thing without majority vote, breaking the council's rules in the process. The bill in EU has constantly been smuggled into "agriculture & fisheries" council sessions, to be decided by people who don't know anything about it, without discussion allowed. When the states required it be changed to discussion item, Luxembourg made up crap on the spot saying it wouldn't be possible for procedural reasons.

Basically, the EU Council Presidency conned the rest of the council, with a malicious intent. I'd like to believe this is just mere incompetence, but why would they repeatedly try to push the software patent issue to be decided by agriculture guys, and other crap like that? I'm suspecting some guys there have been bribed. We should do the same. Spread this url: http://mjr.iki.fi/texts/patentfund