Menu
Compute Engines

JSI Tip 1086. Prevent ordinary users from replacing a system DLL.

Windows NT keeps core system DLLs in virtual memory.

A user can load their own DLL into memory, using the same name as a system DLL, and change the entry point in the KnownDLLs list to point to their copy. When the DLL is invoked by a priviledged process, it can grant the user Admin rights.

To prevent this from occuring, navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

Add Value name ProtectionMode as a type REG_DWORD and set the data value to 1. This enables stronger protection on base system objects, such as KnownDLLs. The default is 0.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Related
Network servers in data center
eBay Shares Server Designs as It Rebuilds IT Infrastructure
Sep 15, 2018
Broadcom Launches Open NFV Platform and Multiple SoCs
Feb 21, 2014
Simultaneously Promoting More than One Computer to a DC
Feb 13, 2013
Selling Sales Force Automation
Feb 13, 2013