Didier Stevens

Wednesday 28 November 2007

Quickpost: DisableAMD & DisableRegistryFools

Filed under: Quickpost — Didier Stevens @ 9:25

Ever started cmd.exe to see this: “The command prompt has been disabled by your administrator”?

It means that a GPO has been set to disable cmd.exe. This is not the same as the Software Restriction Policies. There is a special policy for cmd (and another one for regedit).

When started, cmd.exe checks for the existence of a certain key in the registry and decides to continue execution based on the value of this key. This key is DisableCMD and sits in Software\Policies\Microsoft\Windows\System. For regedit.exe, the key is DisableRegistryTools in Software\Microsoft\Windows\CurrentVersion\Policies\System.

There are many hacks to bypass this technique, depending on what kind of control you have as a user. When you have only control over the content of the programs you execute, use this trick: edit a copy of cmd.exe with a binary editor, search for DisableCMD and change it to something else, like DisableAMD. This copy of cmd.exe will now look for a key that doesn’t exist, and thus continue execution. For regedit, I renamed the key to DisableRegistryFools.

Mark Russinovich has another, elegant hack for this: he starts the program and injects a DLL that intercepts calls to the registry API and filters the return values. Limited users can inject DLLs into their own processes. But since Microsoft bought Sysinternals, his tool (GPdisable) is not available anymore.


Quickpost info


7 Comments »

  1. I read this post to find out if I was missing something about my AMD chip. Then I discoverd that the title DisableAMD & DisableRegistryFools was probably a typo!

    Comment by Charlene — Wednesday 28 November 2007 @ 18:53

  2. Sorry for the misunderstanding, but it is not a typo. This is how I renamed the registry keys, as a play on words.

    Comment by Didier Stevens — Wednesday 28 November 2007 @ 21:26

  3. [...] Filed under: Hacking, My Software, Reverse Engineering — Didier Stevens @ 0:43 Remember my DisableAMD post? In stead of patching the EXE file, you can also use my Basic Process Manipulation Tool Kit to [...]

    Pingback by bpmtk: DisableAMD « Didier Stevens — Wednesday 12 March 2008 @ 0:43

  4. $ strings cmd.exe | grep “DisableCMD”

    Returns nothing. What am I missing?

    Comment by Josh — Thursday 20 March 2008 @ 15:09

  5. Oh, here it is…

    $ xxd cmd.exe| grep “D.i.s.a” -n2

    7030:001b750: 0909 0907 0908 9090 4400 6900 7300 6100 ……..D.i.s.a.
    7031-001b760: 6200 6c00 6500 4300 4d00 4400 0000 9090 b.l.e.C.M.D…..

    Comment by Josh — Friday 21 March 2008 @ 5:37

  6. Hi didier and thx for the great post,
    Could you tell me a step by step process of how to look for the disablecmd string?

    Comment by bob — Friday 16 July 2010 @ 20:57

  7. @bob Mark Russinovich explained this on his blog.

    Comment by Didier Stevens — Saturday 17 July 2010 @ 10:45


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 231 other followers

%d bloggers like this: