Menu
Compute Engines

JSI Tip 1086. Prevent ordinary users from replacing a system DLL.

Windows NT keeps core system DLLs in virtual memory.

A user can load their own DLL into memory, using the same name as a system DLL, and change the entry point in the KnownDLLs list to point to their copy. When the DLL is invoked by a priviledged process, it can grant the user Admin rights.

To prevent this from occuring, navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

Add Value name ProtectionMode as a type REG_DWORD and set the data value to 1. This enables stronger protection on base system objects, such as KnownDLLs. The default is 0.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Related
Network servers in data center
eBay Shares Server Designs as It Rebuilds IT Infrastructure
Sep 15, 2018
intel sign
Intel CEO List Is Said to Eye Outsiders in Break With Tradition
Sep 04, 2018
Two Surface Tablets and Two Users
Microsoft MDM Hybrid Option Deprecated for Intune on Azure
Aug 17, 2018
This is an HP sign
HP Enterprise Tumbles on Earnings Outlook That Fails to Inspire
May 23, 2018