So let’s say you have a sense of humor and your co-worker fails to lock his or her computer (and they have a sense of humor too [very important]). Checking out the calendar you notice it’s April first. BAM, a perfect opportunity has just landed in your lap – now what? First, don’t do anything that will get you fired, because that isn’t really all that funny. So what should we do to this poor sap’s computer?
Typical gags are racy desktop background images, images of a sports team that would enrage the victim, or changing their Windows theme (Hot Dog was the typical choice here) – but those are old and worn. How about we take a look into the registry and see what we can jack with? Specifically, let’s take a look at the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
This key contains child keys which control execution options for processes running on the local system. Each child key is named after the process, such as “myprocess.exe”. The most common control option used in Windows Vista/7 is DisableExceptionChainValidation. So most of the child keys, which again each represent a process on your machine, will have one or more values which control the process’s execution on the local machine. There are a good number of values which can be used to control a process’s execution, but the really interesting one to look at is named Debugger. This value is used by LSASS during the startup of a process to determine if the process should be started under a debugger. The typical use for this feature is to add this value under a key named after a process which you want to start under a debugger, where the “Debugger” value is the path to the debugger you want to use, such as ntsd, cdb, or windbg. This value also opens up a couple of additional non-intended scenarios, because there is no stipulation that you have to supply the path to a debugger in the “Debugger” value.
So let’s try something: under the previously mentioned key create a key named notepad.exe, add a value under that key named “Debugger” and supply the REG_SZ value “calc” (without the quotes).
With the changes in place jump to a command prompt or execute Start | Run and type in “notepad” – if you made the settings correctly you will see that the calculator started!
So what is really happening is LSASS believes calc.exe is the debugger you want to run notepad.exe under. You can see this by running Process Explorer and checking out the calculator process’s command line. As you can see, calc.exe is passed a single command line argument which is the path to notepad.exe. Since calc.exe does not really use command line parameters, no foul is committed by passing one.
This little “trick” will not work if your faux-debugger is a process which acts on a command line argument, for example mspaint.exe. So if you plan on using this in a future gag you may want to play around with a number of options on your own machine before letting loose on one of your co-workers or family members – but do not forget to undo the changes on your computer, because a reboot will not undo them. Oh, and please resist the urge to include any of the registry editing tools in your plans, because you do want to undo these changes at some point.
Another Alternative Use
So I mentioned there were two uses for this trick – the second is to prevent a process from running on your system. So let’s suppose you have system administrators who like to run various processes on your system which collect information, install other monitoring software, do a hardware or software inventory, etc. These are typically pushed to your system via Active Directory policies, and while you cannot prevent that from occurring on a domain-joined machine, you can block these processes from running. If you can get hold of the process name, such as inventory.exe, then add a key by this name under the Image File Execution Options key and set the Debugger value to some process which does not exist; I like “bogus.exe”. Once complete, the target process will be executed on your machine with the command line “bogus.exe c:\somepath\inventory.exe”, and because the process bogus.exe does not exist on your system the process will not start, and therefore neither will inventory.exe – Administrator OUT!
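Both of the scenarios above (a Debugger value that redirects notepad.exe to calc, and one that points inventory.exe at a non-existent bogus.exe) leave the same footprint: a per-process child key under Image File Execution Options carrying a Debugger value. The following PowerShell script is an added example, not code from the original post, that audits that key and classifies each entry so the changes can be found and undone. The list of "known" debugger executables is an assumption; adjust it to whatever debuggers are actually installed on your machines.

```powershell
# Added example (not from the original post): audit the Image File Execution
# Options tree for Debugger values and flag the two cases described in the post.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: these are the only legitimate debuggers on this machine.
$knownDebuggers = @('ntsd.exe', 'cdb.exe', 'windbg.exe', 'vsjitdebugger.exe')

function Get-FirstToken([string]$commandLine) {
    # The Debugger value may be a bare name ("calc"), a quoted path with spaces,
    # or a path followed by arguments; return just the executable part.
    $trimmed = $commandLine.Trim()
    if ($trimmed.StartsWith('"')) {
        $end = $trimmed.IndexOf('"', 1)
        if ($end -gt 1) { return $trimmed.Substring(1, $end - 1) }
        return $trimmed.Trim('"')
    }
    return ($trimmed -split '\s+')[0]
}

function Get-IfeoDebuggerEntries {
    # Walk every per-process child key and return only those with a Debugger value.
    Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue
        if ($props -and $props.Debugger) {
            $exe = Get-FirstToken $props.Debugger
            # Resolve the way process creation would: full path as-is, bare name via PATH.
            $resolved = (Get-Command $exe -ErrorAction SilentlyContinue).Source
            $leaf = if ($resolved) { (Split-Path $resolved -Leaf).ToLower() } else { $null }
            [pscustomobject]@{
                Process    = $_.PSChildName          # e.g. notepad.exe or inventory.exe
                Debugger   = $props.Debugger          # raw value as stored in the registry
                ResolvedTo = $resolved
                Exists     = [bool]$resolved
                KnownTool  = [bool]$resolved -and ($knownDebuggers -contains $leaf)
            }
        }
    }
}

function Remove-IfeoDebugger([string]$ProcessName) {
    # Undo one entry: delete only the Debugger value, leaving any other options
    # (DisableExceptionChainValidation etc.) under the child key untouched.
    $keyPath = Join-Path $ifeoPath $ProcessName
    Remove-ItemProperty -Path $keyPath -Name 'Debugger' -ErrorAction Stop
}

# Report: a missing target means the process is silently blocked (the bogus.exe case);
# a target that exists but is not a debugger means the process is being redirected (the calc case).
Get-IfeoDebuggerEntries | ForEach-Object {
    $status = if (-not $_.Exists) { 'BLOCKED (debugger does not exist)' }
              elseif (-not $_.KnownTool) { 'REDIRECTED (not a known debugger)' }
              else { 'ok' }
    '{0,-30} -> {1,-45} {2}' -f $_.Process, $_.Debugger, $status
}
```

Run it in an elevated PowerShell session; reading the key works as a standard user, but removing a value requires administrator rights. To clean up the notepad.exe example from earlier, call `Remove-IfeoDebugger 'notepad.exe'`. If you want to catch these edits as they happen rather than after the fact, the same key path is the one to watch with registry auditing or Sysmon's registry value-set event (Event ID 13).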
While this too could be used as a gag I find it more interesting to pop up a different process than nothing at all.
Happy April 1st all – Todd