Major Group Policy Flaw (Command Prompt, Regedit, Task Manager)

    General discussion

  • You can access Command Prompt, regedit, and Task Manager on a computer where it's disabled with no admin rights. You can do this by copying the files for cmd, regedit, and Task Manager to a writable location. Then you can edit them with a binary editor to run regardless of the policies set up. The reason this works is because when Microsoft was coding Windows, they decided they'd rather have it be more open than closed. When the command line starts, it checks a value in the registry to see if it can run. When you do this you're changing the registry location it looks in. Therefore it doesn't find the restriction in the registry. As a result, it allows execution. Once you've changed this one binary value, it will work on any school, work, or home computer that has it disabled. Also on 64-bit versions of Windows 7 and 8 you also need to copy the En-US folder from System32 and paste it in the folder with the binary-edited CMD file. This is so it can load all the commands properly. I am not responsible for what you do. Have fun. The Unicode strings are CMD: disablecmd, Regedit: disableregistrytools. You can also use this method to access a disabled Task Manager.
    Note: When doing this, put the files into a place you can write to, like a flash drive or the desktop, or else you won't be able to make the edits. You can do this all on a standard account. You don't need to be an Administrator.

    Video link that demonstrates the flaw

    https://www.youtube.com/watch?v=-roMOpPiSqU

    Tuesday, March 8, 2016 8:27 PM

All replies

  • > you can edit them with a binary editor to run regardless of the policies
    > set up.
     
    This is not a flaw... Disabling cmd.exe does not "disable" cmd.exe but
    tells cmd.exe to "be disabled."
     
    If you want to be on the safe side, you need to tell Windows "do not
    allow cmd.exe" - this means implementing either SRP or AppLocker. No big
    job about that :)
     
    In addition, the easiest way of doing this is using AppLocker and allowing only
    signed executables - your editing action will break the signature.
     
    Wednesday, March 9, 2016 11:36 AM
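As an added example (not code from either poster), a PowerShell check that applies the reply's observation: a byte-patched copy of cmd.exe, regedit.exe or taskmgr.exe no longer verifies, so copies in user-writable locations can be found with Get-AuthenticodeSignature. The scan locations and the list of original file names are assumptions.

```powershell
# Added example, not from the thread. Finds copies of cmd.exe / regedit.exe /
# taskmgr.exe in user-writable locations whose Authenticode signature does not
# verify. A genuine copy reports Status 'Valid'; a byte-patched copy reports
# HashMismatch (embedded signature) or NotSigned (catalog-signed binary whose
# hash no longer matches). This is the property an AppLocker publisher rule,
# as suggested in the reply, relies on to block the patched copy.
function Find-TamperedSystemBinaries {
    param(
        # Assumed scan roots; adjust for your environment.
        [string[]]$Paths = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads"),
        # OriginalFilename values carried in the binaries' version resources.
        [string[]]$OriginalNames = @('Cmd.Exe', 'REGEDIT.EXE', 'Taskmgr.exe')
    )
    # Also scan removable drives (DriveType 2), the other location the post mentions.
    $removable = Get-CimInstance Win32_LogicalDisk -Filter "DriveType=2" -ErrorAction SilentlyContinue
    foreach ($d in $removable) { $Paths += "$($d.DeviceID)\" }

    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
          Where-Object { $OriginalNames -contains $_.VersionInfo.OriginalFilename } |  # case-insensitive
          ForEach-Object {
              $sig = Get-AuthenticodeSignature -FilePath $_.FullName
              [pscustomobject]@{
                  Path            = $_.FullName
                  OriginalName    = $_.VersionInfo.OriginalFilename
                  SignatureStatus = $sig.Status
                  Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                  Tampered        = ($sig.Status -ne 'Valid')
              }
          }
    }
}

# Report only the copies that fail verification.
Find-TamperedSystemBinaries | Where-Object Tampered | Format-Table -AutoSize
```

Run it as the logged-on user: the locations it scans are exactly the ones a standard account can write to, so no elevation is needed for the check itself.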