COMMAND

    kernel

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Following is compiled from postings to NTbugtraq June 28 - June 30
    by Martin Wolf and Michael Benadiba.  When a user logs into an  NT
    machine, there are a few processes that are started automatically,
    including explorer.exe.  These programs are normally in  %winroot%
    or %winroot%\system32.  The problem is that NT will look for these
    programs first in the user's home directory.  If no user folder is
    specified, it will look in the root of the system drive.  Only  if
    the program it is looking for  is not found in that location  will
    it look in the 'normal' location.  This allows any user to  rename
    any executable  and have  it run  at login,  effectively bypassing
    many policy restrictions.   The list of currently  known filenames
    that  will  work  is:  explorer.exe, nddeagnt.exe, taskmgr.exe and
    userinit.exe.   To  test  this:  Log  in  as  a normal user.  Copy
    command.com to  your home  directory and  rename it  explorer.exe.
    Log out and log back in.   On a funny note, the original  poster's
    suggestion was renaming calc.exe as explorer.exe and rebooting  (in
    case  you  find  yourself  in  this  situation, CTRL-ALT-DEL, Task
    Manager,  File,  Run,   %systemroot%\explorer.exe  restores   your
    desktop).

SOLUTION

    This is ultimately caused by the fact that in MS-DOS, Windows  and
    NT, "." has  always implicitly been  the first entry  in the PATH.
    And when  NT starts  up an  executable, the  current directory  is
    initially set to the user's home directory.  This whole problem
    stems from Microsoft entering  relative names into the  registry
    (MS definition: undocumented feature??).  You can rectify the
    problem by editing the registry and changing the Shell key to an
    absolute path, i.e.

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SHELL = "C:\winnt\explorer.exe"

    Unfortunately  Windows   has  a   problem  with   the  key   value
    "%systemroot%\explorer.exe".
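
    The following PowerShell audit script is an added example and is not
    part of the original advisory.  It reads the Winlogon Shell and
    Userinit values (the Userinit value lives under the same key and is
    assumed here to follow the same comma-separated format), warns about
    any entry that is a relative name rather than an absolute path, and
    then looks for the four filenames named above in the system drive
    root and in each profile folder, which is where a renamed executable
    would be picked up first.  The profile-folder location is taken from
    the current user's profile and is an assumption about where home
    directories live on the machine being audited.

```powershell
# Added audit script (not from the original advisory).  Run as an
# administrator so that every profile folder can be read.
$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shadowNames = 'explorer.exe', 'nddeagnt.exe', 'taskmgr.exe', 'userinit.exe'  # list from the advisory

function Test-RelativeEntry {
    param([string]$Entry)
    # An entry counts as absolute if it begins with a drive letter, a UNC
    # prefix, or an expandable root variable; anything else is resolved
    # through "." first and can be shadowed.
    return -not ($Entry -match '^(?:[A-Za-z]:\\|\\\\|%SystemRoot%\\|%windir%\\)')
}

foreach ($name in 'Shell', 'Userinit') {
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $value) { continue }
    $entries = ($value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if (Test-RelativeEntry $entry) {
            Write-Warning ("Winlogon\{0} entry '{1}' is a relative name; a same-named file in " +
                           "the home directory or drive root would run instead.") -f $name, $entry
        } else {
            Write-Output "Winlogon\$name entry '$entry' is an absolute path."
        }
    }
}

# Search the drive root and every profile folder for the known filenames.
$profileRoot = Split-Path -Path $env:USERPROFILE -Parent   # assumption: profiles are siblings of the current one
$searchRoots = @("$env:SystemDrive\") +
               (Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

foreach ($root in $searchRoots) {
    foreach ($n in $shadowNames) {
        $candidate = Join-Path -Path $root -ChildPath $n
        if (Test-Path -Path $candidate -PathType Leaf) {
            $hash = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash
            Write-Warning "Found $candidate (SHA256 $hash); compare it with the copy under $env:SystemRoot"
        }
    }
}
```

    A relative entry reported by the first loop is the condition the
    advisory describes; the fix is the absolute path shown in the
    SOLUTION section.  A hit in the second loop is a file that would be
    started in place of the system copy and should be compared against
    the one in %systemroot% before it is removed.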