  1. #1


    Disable explorer.exe from running for specific user - Windows XP

    I have computers set up to be dumb clients, but have noticed a security flaw through the Help files in mstsc.exe. (Can't disable them as they are within mstsc.exe). You can gain access to system features, including somewhere you can type C:\ and it will launch the C:\ drive, along with explorer.exe, which would give them limited access to the system.

    Explorer.exe has been replaced with mstsc.exe upon startup/logon, so it doesn't start...but this...'exploit'...can be made to override that. I don't want the users to be able to start explorer.exe at all. I've tried putting it in Group Policy as a software restriction, but that affected all accounts, including the built-in administrator account which we need to be unaffected.

    Is this possible?

  2. #2

    mac_shinobi
    In the C:\windows\help directory there are hlp / chm files. If you rename this directory or remove it altogether on one computer and test, does it fail to launch the help file?

    There is an mstsc.chm file.

  3. #3

    That worked great! Now the help is disabled. Still going through methods to break the system. Rather we broke it, than the students!

    Thanks.

  4. #4

    mac_shinobi
    Is the help being disabled an issue ?

  5. #5

    glennda
    We have it set here using a registry hack - log in as the user so a profile is created, log out, then log in as an admin account. Load the Ntuser.dat from the user profile, then change to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and change the Shell key to whichever program you would like rather than explorer.

  6. #6

    Quote (originally posted by mac_shinobi):
    Is the help being disabled an issue ?

    Yes, because through the help, you can launch explorer.exe. This is a problem because it is only a dumb client, running only mstsc connecting to our terminal server. We only want them using mstsc connecting to the server, nothing else.

    Quote (originally posted by glennda):
    We have it set here using a registry hack - log in as the user so a profile is created, log out, then log in as an admin account. Load the Ntuser.dat from the user profile, then change to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and change the Shell key to whichever program you would like rather than explorer.

    That's what we've done. Instead of explorer.exe running, we have a VBScript running, which launches mstsc (preconfigured to connect to our server). The script loops every 5 seconds to see if mstsc is still alive. If it is, it waits another 5 seconds. If it isn't alive, it starts the process, then waits another 5 seconds. This is repeated until the machine is turned off.

    The local account used is locked down so the user cannot do anything. However, we noticed you could bypass this by going into Help from mstsc.exe. You could launch Internet Explorer, then from there launch a directory on the computer, which would launch explorer.exe (which wasn't already running). You could also get to this a couple of other ways, through the Help and through Windows Narrator.

  7. #7

    mac_shinobi
    Quote (originally posted by CHiLL):
    Yes, because through the help, you can launch explorer.exe. This is a problem because it is only a dumb client, running only mstsc connecting to our terminal server. We only want them using mstsc connecting to the server, nothing else.

    That's what we've done. Instead of explorer.exe running, we have a VBScript running, which launches mstsc (preconfigured to connect to our server). The script loops every 5 seconds to see if mstsc is still alive. If it is, it waits another 5 seconds. If it isn't alive, it starts the process, then waits another 5 seconds. This is repeated until the machine is turned off.

    The local account used is locked down so the user cannot do anything. However, we noticed you could bypass this by going into Help from mstsc.exe. You could launch Internet Explorer, then from there launch a directory on the computer, which would launch explorer.exe (which wasn't already running). You could also get to this a couple of other ways, through the Help and through Windows Narrator.

    How do you load the ntuser.dat from said user's profile whilst logged in as the admin?

    Also, you said that it worked a treat when removing / renaming said directory, because if they don't have the help files then they can't do the other bits through the help GUI.

    So if they don't have access to said help files, then how is that an issue, unless they require access to the help files in the first place?

  8. #8

    glennda
    Quote (originally posted by mac_shinobi):
    How do you load the ntuser.dat from said users profile whilst logged in as the admin ?

    Open up regedit, then select HKCU/HKLM and then select File > Load Hive, and navigate to the ntuser.dat file. You can then make the changes.

    Quote (originally posted by CHiLL):
    The local account used is locked down so the user cannot do anything. However, we noticed you could bypass this by going into Help from mstsc.exe. You could launch Internet Explorer, then from there launch a directory on the computer, which would launch explorer.exe (which wasn't already running). You could also get to this a couple of other ways, through the Help and through Windows Narrator.

    Can you not use the deny permission on explorer.exe for that user? Then they shouldn't be able to run it.

  9. Thanks to glennda from:

    mac_shinobi (13th December 2010)
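
The two steps glennda describes in posts #5 and #8 (loading the user's NTUSER.DAT to set a shell for that account, and a deny permission on explorer.exe for that one user), scripted with the stock XP tools reg.exe and cacls.exe. This is an added example, not code posted in the thread; the account name `kiosk`, the launcher path and the hive name `KioskHive` are placeholders, and it assumes the per-user Shell value sits under the Winlogon subkey inside the loaded hive.

```bat
@echo off
rem Added example, not from the thread. Run as a local administrator while
rem the kiosk account is logged off (its NTUSER.DAT must not be in use).
rem KIOSK_USER, KIOSK_SHELL and the hive name KioskHive are placeholders.
setlocal
set "KIOSK_USER=kiosk"
set "KIOSK_SHELL=wscript.exe C:\Kiosk\launch-mstsc.vbs"
set "PROFILE_HIVE=%SystemDrive%\Documents and Settings\%KIOSK_USER%\NTUSER.DAT"
set "SHELL_KEY=HKU\KioskHive\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

rem 1. Mount the user's hive under HKEY_USERS. This is the command-line
rem    form of regedit's File - Load Hive.
reg load HKU\KioskHive "%PROFILE_HIVE%"
if errorlevel 1 (
    echo Could not load the hive. Check the path and that %KIOSK_USER% is logged off.
    exit /b 1
)

rem 2. Set the shell for this account only, then unload the hive whether
rem    or not the write succeeded so the profile is never left mounted.
reg add "%SHELL_KEY%" /v Shell /t REG_SZ /d "%KIOSK_SHELL%" /f
set "ADD_RC=%ERRORLEVEL%"
reg unload HKU\KioskHive
if not "%ADD_RC%"=="0" (
    echo Failed to write the Shell value.
    exit /b 1
)

rem 3. Add a deny entry for the kiosk account only. /E edits the existing
rem    ACL instead of replacing it, so entries for Administrators and
rem    SYSTEM stay as they are.
cacls "%SystemRoot%\explorer.exe" /E /D %KIOSK_USER%

rem 4. Print the resulting ACL so the change can be reviewed.
cacls "%SystemRoot%\explorer.exe"
endlocal
```

Because the deny entry names a single account, the built-in administrator is not covered by it, unlike the machine-wide software restriction described in the first post.
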

  10. #9

    glennda
    double post my bad

  11. #10
    round2it
    try double click all programs from the start menu
