Image File Execution Options
anphanax:
Background:
For those of you who didn't know, there's a special registry key for Windows NT based systems. The path of this key is "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Image File Execution Options". This key is particularly useful if you get a trojan on your system that refuses to shut down (you can tell Windows to run another EXE in place of the EXE attempting to run here). This way, it works even against viruses that check permissions and reset them if you try to revoke read/write/execute from the trojan/malware/whatever. To do this, you simply create a subkey with the EXE's name, add a string value named "Debugger", and set the value of this key to another EXE. But of course, there's a DARK SIDE TO THIS, THAT CAN MAKE YOUR LIFE A LIVING HELL. I was playing around, and decided to add WINLOGON.EXE to this list, and have it run CMD.EXE instead... and so the fun begins. Windows doesn't boot. Once it gets past the loading screen, it stays on a black screen for a few seconds, and reboots. ALAS! Recovery Console to the rescue... OH WAIT, Recovery Console won't let me edit the registry (it doesn't do much of anything besides suck)... OK, so I decided to try and be clever and rename winlogon.exe to cmd.exe since that's what was trying to run. It worked, or so I thought; I tried to log in at the logon screen, and it just kept bringing me back to it. So... I connected to the system from another XP box, and tried remote registry editing, which appeared to work. In reality, it seems to have just corrupted the registry. The Windows XP installation is screwed and I have no clue how to repair it. Hope I can find that site that tells you how to back up your product activation files, or else I might have a problem (not the first time I've had to pull out that bastard CD). I really hope MS puts a tighter lid on the registry with Longhorn, to prevent users from doing dumb things because they were bored -_-.
Actual Problem:
Microsoft Windows allows non-administrators to screw up their system (that's nothing new, I haven't been living in a hole, leave me alone...). Even a 13 year old kid at school could write a macro to exploit this and cause the system administrator a nasty headache. Even if you know what the problem is, it's not one you can just "fix". It's really quite sad that the system can be made unbootable so easily (note: I'm aware of the NTLDR thing, but that's obvious, and easily fixable; this isn't).
All someone would have to do is write some code to add a key and value to the registry, then retrieve the SE_SHUTDOWN_PRIVILEGE via RtlAdjustPrivilege and make a call to NtShutdownSystem (undocumented, NTDLL.DLL) with the POWEROFF constant.
Consider yourself warned :\. I know this is sort of my fault, but still, this should not have been allowed to happen. Windows goes to a GREAT deal of effort to try and prevent me from doing things sometimes, but it had no problem with me shooting myself in the foot this time.
anphanax:
And for those of you who are going to make a ... "what a perfect time to install Linux" comment, this isn't my computer that I did this to. It was my brother's. I didn't expect this to happen.
My brother uses Firefox, but probably wouldn't be comfortable under Linux. If you guys can convince me Linux has enough "killer apps", and that it has a polished office suite with decent compatibility for MS Office, I might consider it.
The problem these days is that instructors *DEMAND* the students use Microsoft Office (down to the exact edition\version). No WordPad, No Corel WordPerfect, No OpenOffice.org, No AbiWord...
EDIT: And even if it was my computer, I still couldn't switch it to Linux. I host two servers written for Microsoft Windows. They are game servers, and in their current state, are NOT portable.
muzzy:
And what system administrator allows all users to have full access to the registry?
On my Windows 2003 box, HKLM was read-only BY DEFAULT. Only the Administrators group and the SYSTEM user had full control of it. This is just a configuration issue, and it's already fixed in future versions. Can't remember the defaults for older systems, but they're configurable and a proper sysadmin would've touched them.
As for undocumented calls, I do wish those were documented, but it doesn't change the fact that you still need privileges to enable further privileges.
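An added example, not code from anyone in this thread: a PowerShell audit script that covers both points raised so far. It lists every IFEO subkey that carries a "Debugger" redirection (flagging boot-critical images such as winlogon.exe, where a bad redirect prevents logon) and then checks, as muzzy suggests, whether non-administrator principals hold write rights on the IFEO key. It uses the full key path under CurrentVersion; the list of boot-critical image names is my own choice.

```powershell
# Added example (not from the thread): audit Image File Execution Options.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Images whose redirection breaks boot or logon (assumed list, extend as needed).
$BootCritical = 'winlogon.exe', 'userinit.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe', 'smss.exe'

function Get-IfeoDebugger {
    # Returns one object per IFEO subkey that has a Debugger value set.
    param([string]$Path = $IfeoPath)
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{
                Image        = $_.PSChildName
                Debugger     = $debugger
                BootCritical = ($_.PSChildName.ToLower() -in $BootCritical)
            }
        }
    }
}

function Test-IfeoWritableByUsers {
    # True if a broad principal (Users, Everyone, Authenticated Users) is allowed
    # to create subkeys or set values on the IFEO key, i.e. the XP-style default.
    param([string]$Path = $IfeoPath)
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor [System.Security.AccessControl.RegistryRights]::CreateSubKey
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $broad) { continue }
        if (($ace.RegistryRights -band $writeRights) -ne 0) { return $true }
    }
    return $false
}

# Report: each redirection, with boot-critical ones called out.
Get-IfeoDebugger | ForEach-Object {
    $flag = if ($_.BootCritical) { '  <-- BOOT-CRITICAL IMAGE' } else { '' }
    '{0,-24} Debugger = {1}{2}' -f $_.Image, $_.Debugger, $flag
}

if (Test-IfeoWritableByUsers) {
    'WARNING: non-administrator principals can add IFEO entries on this machine.'
} else {
    'OK: only privileged principals can write to the IFEO key.'
}
```

Run it from an elevated PowerShell prompt so Get-Acl can read the key's security descriptor; a Debugger entry is not necessarily malicious (debuggers register themselves the same way), so review each hit rather than deleting blindly.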
anphanax:
It was the default configuration on the box. HKLM wasn't read-only (they're a member of Users, not Power Users or Administrators). This is XP Pro, not Windows 2K3. Probably not set up to be as secure as a W2K3 install is by default... (from now on, I'm checking that stuff though, thanks for bringing that up)
Oh, BY THE WAY, I CAN'T RE-INSTALL XP. The CD won't get past loading the setup on the blue screen. I think it's because the NTFS file system on the HDD might have some errors. That's right... Problems on disk? Good luck installing XP without a wipe. This particular person has a TON of MP3s and would kill me if I wiped their system, so... guess I'm screwed.
And the reason I've come to the HDD conclusion is because I had that problem last time I was installing XP on the machine (it had the Windows ME FAT on it before I upgraded it, and apparently it had problems, as when I ran the check disk utility on an MS-DOS boot disk for that drive, XP setup then magically worked).
EDIT: Don't tell me to use crap from Recovery Console. REMEMBER, THE CD WON'T GET THAT FAR...
EDIT 2: Yes, I know you can set up Recovery Console to run locally. I didn't do that though, it wasn't my system. Secondly, it might not work that well if the filesystem has a problem :\.
muzzy:
Yeah, I recall XP's default configuration was still totally braindead although I don't remember any specifics on the ACLs. W2k3 had a lot more sane defaults, and didn't require quite as much work to configure properly. I've only configured one XP box in my whole life and the experience was so painful I'd rather forget it already.
Anyway, about the foofoo HDD, some choices to think about:
1) Try Linux with the captive ntfs.sys hack.
2) Try putting the HDD into another box which has XP installed and working, mount it there and try to recover files.
3) Use the Linux read-only NTFS implementation. It's known to suck for writing, but perhaps you can back up some data.