Restrict users from replacing a system DLL
3 February 2002 by Snakefoot
To avoid this one should update this DWORD registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
ProtectionMode=1 (Disabled = 0, Enabled = 1)
Note: WinNT4 needs to have SP5 installed before this registry entry works.
More Info MS KB Q218473
More Info MS KB Q222159
More Info MS KB Q244995
More Info MS KB Q253821
There is a search order which is used when an application requests a DLL:
- Look in the application folder
- Look in the current working folder (Dangerous)
- Look in the system folder
- Search through the system PATH
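The following is an added example, not code from the original page: it models the four-step search order listed above on a constructed folder layout and reports which folder supplies a DLL and which folders shadow the system copy. The `cwd_after_system` switch models the reordering Microsoft documents for SafeDllSearchMode = 1, which is an assumption taken from that documentation; all function names and `example.dll` are hypothetical.

```python
import os
import tempfile

def search_order(app_dir, cwd, system_dir, path_dirs, cwd_after_system=False):
    """Folders in the order they are tried for a requested DLL.

    Default is the page's four-step order. cwd_after_system=True models the
    reordering Microsoft documents for SafeDllSearchMode=1 (an assumption
    taken from that documentation, not from this page).
    """
    head = [app_dir, system_dir, cwd] if cwd_after_system else [app_dir, cwd, system_dir]
    return head + list(path_dirs)

def resolve(dll_name, order):
    """First folder in the order that holds dll_name, or None."""
    for folder in order:
        if os.path.isfile(os.path.join(folder, dll_name)):
            return folder
    return None

def shadowing_folders(dll_name, order, system_dir):
    """Folders tried before system_dir that hold a same-named file."""
    earlier = order[:order.index(system_dir)]
    return [f for f in earlier if os.path.isfile(os.path.join(f, dll_name))]

def demo():
    """Compare both orders on a constructed folder layout (sample data)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        dirs = {n: os.path.join(root, n) for n in ("app", "cwd", "system", "path1")}
        for folder in dirs.values():
            os.mkdir(folder)
        # Constructed sample: the system copy plus a same-named file in the
        # current working folder.
        for name in ("system", "cwd"):
            open(os.path.join(dirs[name], "example.dll"), "wb").close()
        for reordered in (False, True):
            order = search_order(dirs["app"], dirs["cwd"], dirs["system"],
                                 [dirs["path1"]], cwd_after_system=reordered)
            winner = os.path.basename(resolve("example.dll", order))
            shadows = [os.path.basename(f)
                       for f in shadowing_folders("example.dll", order, dirs["system"])]
            results[reordered] = (winner, shadows)
    return results

if __name__ == "__main__":
    for reordered, (winner, shadows) in demo().items():
        print(f"cwd_after_system={reordered}: loaded from {winner}, shadowed by {shadows}")
```

Pointing `shadowing_folders` at real application and working folders gives a quick audit of names that would be picked up ahead of the system folder.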
Note: when launching an application using Run... from the Start menu, it also uses the search order above to find the application executable. But it applies an extra step before searching through the system PATH, which is to look in the user's home folder. Make it ignore the home path by setting this DWORD registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
SafeDllSearchMode = 1 (Win2k/WinXP Default = 0, WinXP SP1/Win2k3 Default = 1)
Note: Win2k needs to have SP3 installed before this registry entry works.
More Info MS KB Q306850
Instead of ignoring the home path, one can configure it to first search the system path, and then look in the home path:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
StartRunNoHOMEPATH = 1 (Default = 0)
More Info MS KB Q264061
Credits jsifaq.com
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
SafeProcessSearchMode = 1 (Default = 0)
More Info MS KB 905890
Updated: 25 September 2007