Restrict users from replacing a system DLL

If a malicious user can log on interactively to your computer, they can place a DLL with the same name as a core operating system DLL and change the KnownDLLs list to point to it. The operating system will then run the malicious DLL code with administrator privileges, giving the malicious user admin rights.

To prevent this, set this DWORD registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
ProtectionMode = 1 (Disabled = 0, Enabled = 1)

Note: Windows NT 4 needs SP5 installed before this registry entry takes effect.

More Info MS KB218473
More Info MS KB222159
More Info MS KB244995
More Info MS KB253821

When an application requests a DLL by name, the following search order is used:

  1. Look in the application folder
  2. Look in the current working folder (Dangerous)
  3. Look in the system folder
  4. Search through the system PATH

If a malicious user can plant a DLL in a folder that an application uses as its current working folder, and that application loads a system DLL by name, the application will load the planted DLL instead of the proper system DLL. The search order can be changed so that the system folder is searched right after the application folder:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
SafeDllSearchMode = 1 (Win2k/WinXP Default = 0, WinXP SP1/Win2k3 Default = 1)

Note: Windows 2000 needs SP3 installed before this registry entry takes effect.

More Info MS KB306850

Note: when an application is launched with Run… from the Start menu, the same search order is used to find the application executable, with one extra step before the system PATH is searched: the user's home folder is checked. Make it ignore the home path by setting this DWORD registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
StartRunNoHOMEPATH = 1 (Default = 0)

More Info MS KB264061

Instead of ignoring the home path, one can configure it to search the system path first and then the home path:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
SafeProcessSearchMode = 1 (Default = 0)

More Info MS KB905890
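The four registry values above (ProtectionMode, SafeDllSearchMode, StartRunNoHOMEPATH and SafeProcessSearchMode) can be audited and set from one PowerShell script. The following is an added example, not code from the original page; the function names are my own, the key paths and values are the ones listed above, and the HKLM writes assume an elevated session.

```powershell
# Added example: audit, and optionally set, the DLL/executable search-order
# hardening values described on this page. Function names are hypothetical;
# key paths and hardened values come from the page. Run elevated for HKLM.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# One entry per setting: key, value name, hardened value, and a short note.
$Settings = @(
    @{ Key = $SessionManager; Name = 'ProtectionMode';        Hardened = 1; Note = 'KnownDLLs list protected (KB218473)' }
    @{ Key = $SessionManager; Name = 'SafeDllSearchMode';     Hardened = 1; Note = 'system folder searched before CWD (KB306850)' }
    @{ Key = $ExplorerPolicy; Name = 'StartRunNoHOMEPATH';    Hardened = 1; Note = 'Start > Run ignores home folder (KB264061)' }
    @{ Key = $SessionManager; Name = 'SafeProcessSearchMode'; Hardened = 1; Note = 'system path searched before home folder (KB905890)' }
)

function Get-DllSearchHardening {
    # Returns one object per setting with the current value and a verdict.
    # An absent value means the OS default applies, which differs by version
    # (see the defaults quoted on this page), so it is reported rather than
    # assumed to be safe.
    foreach ($s in $Settings) {
        $current = $null
        if (Test-Path -Path $s.Key) {
            $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($s.Name) }
        }
        $shown = if ($null -eq $current) { '<absent, OS default applies>' } else { $current }
        [pscustomobject]@{
            Name      = $s.Name
            Key       = $s.Key
            Current   = $shown
            Hardened  = $s.Hardened
            Compliant = ($current -eq $s.Hardened)
            Note      = $s.Note
        }
    }
}

function Set-DllSearchHardening {
    # Creates the key if needed and writes each value as REG_DWORD.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($s in $Settings) {
        if (-not (Test-Path -Path $s.Key)) {
            New-Item -Path $s.Key -Force | Out-Null
        }
        $target = "$($s.Key)\$($s.Name)"
        if ($PSCmdlet.ShouldProcess($target, "set REG_DWORD to $($s.Hardened)")) {
            New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Hardened `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: report the current state, then preview the change before applying it.
Get-DllSearchHardening | Format-Table Name, Current, Hardened, Compliant, Note -AutoSize
Set-DllSearchHardening -WhatIf
# Set-DllSearchHardening   # apply; the Session Manager values take effect after a reboot
```

The audit reports an absent value separately from a value of 0, because on the older systems this page covers an absent SafeDllSearchMode means the unsafe default (0), while on later versions it means the safe default (1); the Compliant column only turns true when the value is explicitly set to 1.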