Skip navigation
Menu
Compute Engines

JSI Tip 1086. Prevent ordinary users from replacing a system DLL.

Windows NT keeps core system DLLs in virtual memory.

A user can load their own DLL into memory, using the same name as a system DLL, and change the entry point in the KnownDLLs list to point to their copy. When the DLL is invoked by a priviledged process, it can grant the user Admin rights.

To prevent this from occuring, navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

Add Value name ProtectionMode as a type REG_DWORD and set the data value to 1. This enables stronger protection on base system objects, such as KnownDLLs. The default is 0.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
donate button keyboard for donating computers
Responsibly Recycling Computers in the Age of COVID-19
Jan 25, 2021
Abstract light bulb with IT trends and technologies
2021 Top Enterprise IT Trends Report
Dec 17, 2020
Community Concerns Prompt Red Hat to Drop CentOS for CentOS Stream
Community Concerns Prompt Red Hat to Drop CentOS for CentOS Stream
Dec 15, 2020
Signage is displayed at the entrance to the Github Inc. offices in San Francisco, California, U.S., on Monday, June 4, 2018. Microsoft Corp. is buying GitHub for $7.5 billion in stock, bringing in house a community of 28 million programmers who publish code openly and extending a shift away from a strategy of shrouding its software in secrecy. Photographer: Michael Short/Bloomberg
Amazon, Amex to Fund Software Developers in New GitHub Program
Dec 08, 2020