There is a small difficulty, however. The check for the DisableCMD key is done when CMD.EXE is started, so to be successful, we have to start the program and change the DisableCMD string in memory before the check is made. Sounds impossible? Not really: the CreateProcess function allows you to create a new process with its main thread in a suspended state (meaning the program is not yet running). This gives you the opportunity to change the string in memory before it is used.
Use the start statement to start a new process in suspended state:
Change the string in memory:
search-and-write module:. unicode:DisableCMD unicode:DisableAMD
The main thread will be resumed after the last statement has been executed (search-and-write in our example):
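As an added defensive example (not from the original post or the bpmtk project), the following Python correlates constructed Sysmon-style process-create and process-access records to flag the sequence the technique relies on: a parent that obtains write access to its child's memory right after creating it. The record layout, field names and the 2-second window are assumptions.

```python
"""Flag a parent process that opens its freshly created child for memory
writes, from Sysmon-style event records (ID 1 = process create,
ID 10 = process access).  Records below are constructed samples."""
from datetime import datetime, timedelta

# Real Win32 process access-mask bits carried in Sysmon's GrantedAccess.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample: one ordinary shell launch (pid 400) and one launch
# where the parent immediately opens the child with full access (pid 500).
EVENTS = [
    {"id": 1, "t": "2009-01-01T10:00:00", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "t": "2009-01-01T10:05:00", "pid": 500, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 10, "t": "2009-01-01T10:05:00", "src": 200, "dst": 500,
     "access": 0x1FFFFF},
]


def ts(s):
    return datetime.fromisoformat(s)


def find_early_writes(events, window=timedelta(seconds=2)):
    """Return (parent_pid, child_pid, image) for each child whose own parent
    obtained VM-write access on it within `window` of process creation."""
    created = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 10 or (e["access"] & WRITE_MASK) != WRITE_MASK:
            continue
        child = created.get(e["dst"])
        if child is None or child["ppid"] != e["src"]:
            continue  # access from a non-parent is a different pattern
        if ts(e["t"]) - ts(child["t"]) <= window:
            hits.append((e["src"], e["dst"], child["image"]))
    return hits


if __name__ == "__main__":
    for ppid, pid, image in find_early_writes(EVENTS):
        print(f"parent {ppid} opened {image} (pid {pid}) for writing at creation")
```

A write-capable handle on a child at creation time is not proof of tampering by itself, so treat a hit as a lead to pair with the child's image and the parent's identity.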
The cmd.exe window in the background was launched from the start menu (showing you that cmd.exe is disabled), while the cmd.exe window in the foreground was launched with the bpmtk (showing you the bypass of the GPO).
And did you notice that this screenshot is taken on a Windows 2008 server?
Next time, I’ll show some tricks to use the bpmtk in a restricted environment, like a Terminal Server.