Skip navigation
Menu
Compute Engines

JSI Tip 1086. Prevent ordinary users from replacing a system DLL.

Windows NT keeps core system DLLs in virtual memory.

A user can load their own DLL into memory, using the same name as a system DLL, and change the entry point in the KnownDLLs list to point to their copy. When the DLL is invoked by a priviledged process, it can grant the user Admin rights.

To prevent this from occuring, navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

Add Value name ProtectionMode as a type REG_DWORD and set the data value to 1. This enables stronger protection on base system objects, such as KnownDLLs. The default is 0.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
open source software developer code
The Rise of Nonstandard Open Source Licenses Sparks Debate
Nov 10, 2020
Woman with Digitized concept for Transformation
CIOs to Hit the Gas on Digital Business in 2021
Nov 06, 2020
RBC royal bank of canada logo on building
A Look at Royal Bank of Canada's Homegrown GPU Farm
Sep 10, 2020
quantum computing qubits
An Enterprise Guide to Quantum Computing
Jan 22, 2020