UPDATE: "sfc /scannow" and "DISM /Online /Cleanup-Image /RestoreHealth", Windows updates, and Windows Defender (and probably other AV) will repair/replace any fake utilman.exe, sethc.exe, or osk.exe.

UPDATE: Looks like Windows Defender may have closed this family of loopholes.

I would be very interested to hear from any other users who have the same setup as yours, to try to determine what they have in common. Your installation of Windows 10 appears to be non-standard in some way. All of them have sethc.exe, Utilman.exe, and osk.exe in C:\Windows\system32. I've sampled five systems: two of which were fresh installs, and three of which were upgrades (one from Windows 8.1, two from Windows 7).

And even if those executables were naively deleted to try to prevent using them for that purpose, simply creating executables with those names that point to cmd.exe would still work without additional effort (which could then be reversed once the attacker has direct access to the filesystem, as usual). I don't think that this method of alternate access has been removed or altered in most versions of Windows 10.
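As an added example that is not part of the original post: a PowerShell check, run from an elevated prompt, that reports whether the three accessibility binaries named above are still the Microsoft-signed originals or have been swapped for a renamed copy of cmd.exe, which is what sfc /scannow would then repair. It assumes Windows 8 or later, where Get-AuthenticodeSignature also validates catalog-signed system files.

```powershell
# Added example, not from the original post. Checks the accessibility
# binaries in System32 for the swap described above. Run elevated.
$system32 = Join-Path $env:SystemRoot 'System32'
$targets  = @('sethc.exe', 'Utilman.exe', 'osk.exe')

# Hash of the real cmd.exe: a byte-for-byte copy under another name matches it.
$cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -Path $path)) {
        Write-Output ("{0,-12} MISSING  (deleted; run sfc /scannow to restore)" -f $name)
        continue
    }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $info = (Get-Item -Path $path).VersionInfo
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    # Genuine: valid signature on an OS binary, and the version resource's
    # OriginalFilename is the file's own name. A renamed cmd.exe keeps
    # cmd.exe's version resource, so OriginalFilename gives the swap away
    # even when the copy was taken from a signed, legitimate cmd.exe.
    $validOsSig   = ($sig.Status -eq 'Valid') -and $sig.IsOSBinary
    $nameMatches  = [string]::Equals($info.OriginalFilename, $name,
                        [System.StringComparison]::OrdinalIgnoreCase)
    $isCmdCopy    = ($hash -eq $cmdHash)

    if ($isCmdCopy) {
        $verdict = 'REPLACED (identical to cmd.exe)'
    } elseif (-not $validOsSig) {
        $verdict = "SUSPECT  (signature status: $($sig.Status))"
    } elseif (-not $nameMatches) {
        $verdict = "SUSPECT  (OriginalFilename is '$($info.OriginalFilename)')"
    } else {
        $verdict = 'OK'
    }
    Write-Output ("{0,-12} {1}" -f $name, $verdict)
}
```

Any line other than OK is worth a closer look; the page's own fix (sfc /scannow, then DISM /RestoreHealth if sfc cannot repair) puts the genuine file back.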