exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify,AtiExtEvent,enabled,"","","c:\windows\system32\ati2evxx.dll"
...
AutoRuns will show you interesting registry locations that you can feed into
AccessChk looking for weak DACLs. Using built-in Windows tools for this automation
is a little kludgy and you'll likely recognize opportunities for efficiency improvement in
the following steps using the tools you normally use.
C:\tools>autorunsc.exe -c -d -e -i -l -p -s -w | findstr HKLM > hklm-autoruns.csv
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
This command will build an easily parsable file of interesting HKLM registry locations.
This next step will build a batch script to check all the interesting keys in one fell
swoop. AccessChk -k accepts the registry key (regkey) as a parameter and returns the
DACL of that key.
C:\tools>for /F "tokens=1,2 delims=," %x in (hklm-autoruns.csv) do echo accesschk -w -q -k -s "%x\%y" >> checkreg.bat
C:\tools>echo accesschk -w -q -k -s "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost\logonui.exe" 1>>checkreg.bat
C:\tools>echo accesschk -w -q -k -s "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent" 1>>checkreg.
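
The same batch-building step done with a real CSV parser, as an added example that is not from the book: for /F with delims=, splits inside quoted fields and collapses empty ones, and findstr HKLM matches that string anywhere on a line. The sample rows are constructed in the column layout of the excerpt above, and accesschk_lines is a name chosen here.

```python
import csv
import io

# Constructed sample rows (location, entry, state, quoted detail columns),
# modelled on the excerpt above; this is not captured tool output.
SAMPLE_CSV = r'''HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost,logonui.exe,enabled,"","","c:\windows\system32\logonui.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify,AtiExtEvent,enabled,"","","c:\windows\system32\ati2evxx.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify,AtiExtEvent,enabled,"","","c:\windows\system32\ati2evxx.dll"
"HKLM\SOFTWARE\Example Vendor, Inc\Run",Updater,enabled,"","","c:\example\updater.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Tray,enabled,"","","c:\example\HKLM-tray.exe"
'''

# Characters that would break a double-quoted argument in a batch file.
UNSAFE = set('"%')


def accesschk_lines(csv_text):
    """Return one accesschk command line per unique HKLM key in the CSV."""
    seen, lines = set(), []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue  # blank or malformed line
        location, entry = row[0].strip(), row[1].strip()
        # Filter on the location column only, not on the whole line.
        if not location.upper().startswith("HKLM\\"):
            continue
        # Same "%x\%y" join as the for /F loop; an empty entry keeps the
        # location alone instead of shifting the next column into its place.
        key = location + "\\" + entry if entry else location
        if UNSAFE & set(key):
            continue  # skip rather than emit a line cmd.exe would misparse
        if key.lower() in seen:
            continue  # registry paths are case-insensitive; check each once
        seen.add(key.lower())
        lines.append(f'accesschk -w -q -k -s "{key}"')
    return lines


if __name__ == "__main__":
    # Redirect this output to checkreg.bat to get the file the loop builds.
    print("\n".join(accesschk_lines(SAMPLE_CSV)))
```
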