Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Relative Registry Paths May Allow Trojans to Run
According to the discoverer,Windows uses a specific search order for executables that are defined in the Registry.
ITPro Today
July 27, 2000
1 Min Read
VERSIONS AFFECTED
Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
DESCRIPTION
According to the discoverer,Windows uses a specific search order for executables that are defined in the Registry. Ifthose definition use relative path names instead of absolute path names then it ispossible to cause a Trojan to run instead of the legimate execuatable. The search orderused is as follows:
The directory where the calling application loaded from
The current directory of the parent process
The 32-bit Windows system directory: System32
The 16-bit Windows system directory: System
The Windows directory: %SYSTEMROOT%
The directories listed in the PATH environment variable
DEMONSTRATION
During the system bootsequence, any file named EXPLORER.EXE located in the boot drives root directory will load instead of the legitimateversion, normally located in the %SYSTEMROOT% directory.
VENDOR RESPONSE
Microsoft released a FAQ,Support Online article Q269049, as well as patches for Windows2000 and NT 4.0.
CREDIT
Discovered by Alberto Argones
About the Author(s)
You May Also Like
.jpg?width=700&auto=webp&quality=80&disable=upscale)
_(1).png?width=700&auto=webp&quality=80&disable=upscale)
.png?width=700&auto=webp&quality=80&disable=upscale)