Hi,

the installation of Microsoft's much acclaimed "security tool" EMET 3.0 (see and ) creates the following VULNERABLE registry entry that runs a rogue program C:\PROGRA.EXE (as well as "C:\Program Files.exe" on x64) in the security context of the user logging on:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EMET Notifier"="C:\\Program Files\\EMET\\EMET_notifier.exe"          ; x86
"EMET Notifier"="C:\\Program Files (x86)\\EMET\\EMET_notifier.exe"    ; x64

JFTR: the vulnerability is caused by one of Windows' documented (see [.] but tries to execute

    "C:\Progra.exe"
    "C:\Program Files\Common.exe"
    "C:\Program Files\Common Files\Microsoft.exe"
    "C:\Program Files\Common Files\Microsoft Shared\[.]"

in turn to cover BEGINNERS' ERRORS of incapable developers who are unable to handle "long" pathnames with embedded spaces properly. Whoever decided to implement this idiosyncrasy some 20 years ago was incapable too and did not recognize the consequences of this idiosyncrasy^Widiotic behaviour!

The same beginner's error is (for example) present in all versions of "Microsoft Security Essentials" before 4.2 and was just recently fixed with :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client]
"UninstallString"="C:\\Program Files\\Microsoft Security Client\\Setup.exe /X"

Some of Microsoft's developers (and of course their QA) apparently don't know their company's own documentation; cf. :

> The path you supply to Uninstall-String must be the complete
> command line used to carry out your uninstall program.

JFTR: "add/remove programs" of current versions of Windows (XP SP2 and newer) mitigates this error and inserts missing quotes after the first "" or "" and in front of the string. This kludge, however, is NOT documented!

 resp. alias fixed another unquoted pathname in Windows Defender on Windows 8, while alias fixed it in Windows Defender on Windows 7 and Windows Server 2008 R2, where this beginner's error allowed the execution of a rogue program C:\PROGRA.EXE in the security context of "LocalSystem".

On a fully patched Windows 7 x64 take a look at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-96973a50e9e0}\Shell\Open\Command]
@=expand:"%ProgramFiles%\\Windows Sidebar\\sidebar.exe /showGadgets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets\command]
@="C:\\Program Files\\Windows Sidebar\\sidebar.exe /showGadgets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaServer:1\shell\Open Media Player\command]
@=expand:"C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open\command]
@=expand:"%ProgramFiles%\\Windows Sidebar\\Sidebar.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@=expand:"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SideShow\Gadgets\{591248b9-ad35-47c2-b2fa-2d7c120adc79}]
"StartCommand"=expand:"%programFiles%\\Windows Media Player\\WMPSideShowGadget.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Keyboard\Native Media Players\WMP]
"ExePath"="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

On a fully patched Windows XP take a look at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\MPlayer2]
"Player.Path"="C:\\Program Files\\Windows Media Player\\mplayer2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer]
"Player.Path"="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\open\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe /Open ""%L"""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\shell\play\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe /Play ""%L"""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@="Rundll32.exe C:\\Program Files\\Common Files\\System\\OLE DB\\oledb32.dll,OpenDSLFile %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSInfo.Document\Shell\Open\Command]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\MSInfo32.exe /msinfo_file %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\x-internet-signup\Shell\Open\command]
@=expand:"%ProgramFiles%\\Internet Explorer\\Connection Wizard\\ISIGNUP.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\IM\Windows Messenger\shell\open\command]
@=expand:"%ProgramFiles%\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{068B0700-718C-11d0-8B1A-00A0C91BC90E}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472FDD38-C8CE-4417-9138-C437B0445EBC}\LocalServer32]
@="C:\\Program Files\\Movie Maker\\moviemk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855B6281-563C-4462-8C6D-5326CA1D4FE4}\LocalServer32]
@="C:\\Program Files\\MSN Gaming Zone\\Windows\\zclientm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C3ADF99-CCFE-11d2-AD10-00C04F72DD47}\LocalServer32]
@="C:\\Program Files\\Netmeeting\\conf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1031BAF-3039-4dd6-BC5E-522F007DAF8B}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB1D8565-40E9-4616-984D-98465687E82C}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B69003B3-C55E-4b48-836C-BC5946FC3B28}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBFCB14-3B21-491c-9E2A-B0F3D50F83FD}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC20CB75-A981-460e-81D4-F06F61B59247}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF66AFC9-C61D-404a-B535-64FBF91D420F}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0B8F398-BB08-4298-87F0-34502693902E}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}\LocalServer32]
@="C:\\Program Files\\Messenger\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
"Exec"="%windir%\\Network Diagnostic\\xpnetdiag.exe"

OUCH! "Long" pathnames containing spaces have existed for about 20 years now in Windows, EVERY developer should know how to use them properly, and EVERY QA should check their proper use!

JFTR: unfortunately not only Microsoft's developers are incapable; Mozilla Firefox and Thunderbird for example create the following registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 22.0 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.8 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe"

Intel too can't afford developers past beginner level and a QA, and makes "privilege escalation" really easy:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMPPALR3]
"ImagePath"=expand:"C:\\Program Files\\Intel\\BluetoothHS\\BTHSAmpPalService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jhi_service]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\DAL\\jhi_service.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMS]
"ImagePath"=expand:"C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS]
"ImagePath"=expand:"C:\\Program Files\\Intel\\WiFi\\bin\\PanDhcpDns.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSrvc]
"ImagePath"=expand:"C:\\Program Files\\Common Files\\Intel\\WirelessCommon\\RegSrvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Management Engine Components\\Uninstall\\setup.exe -uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\Intel (R) Processor Graphics\\Uninstall\\setup.exe -uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}]
"UninstallString"="C:\\Program Files (x86)\\Intel\\OpenCL SDK\\2.0\\Uninstall\\setup.exe -uninstall"

stay tuned
Stefan Kanthak

PS: if you want to catch such beginners' errors, place a copy of as "%SystemDrive%\PROGRA.EXE" on your Windows system(s). If running on "WinSta0", SENTINEL.EXE displays a message box listing the pathname of the executed process, its command line and the working directory.

If you want to get rid of the message box "Rogue program ..." displayed during login, add the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain]
"RogueProgramName"="Yes"

But there are more directories like "%ProgramFiles%" alias "%SystemDrive%\Program Files"; start a command prompt and run the following commands to list them:

For /D /R "%SystemRoot%" %X In ("* *") Do @Echo %X
For /D /R "%ProgramFiles%" %X In ("* *") Do @Echo %X
If Defined ProgramFiles(x86) For /D /R "%ProgramFiles(x86)%" %X In ("* *") Do @Echo %X

In case "%CommonProgramFiles%"/"%CommonProgramFiles(x86)%" are not subdirectories of "%ProgramFiles%"/"%ProgramFiles(x86)%", run the commands for these directories too.

And: execution of command lines like

%SystemRoot%\System32\REGSVR32.EXE %ProgramFiles%\...\[.DLL]
%SystemRoot%\System32\RUNDLL32.EXE %ProgramFiles%\...\[.DLL],

will run a rogue DLL %SystemDrive%\PROGRA.DLL. To catch the latter, place a copy of as "%SystemDrive%\PROGRA.DLL" on your Windows system(s). If running on "WinSta0", SENTINEL.DLL displays a message box listing the pathname of the executed DLL, the pathname of the calling process, its command line and the working directory. Test it with

RUNDLL32.EXE SENTINEL.DLL,Entry

For completeness' sake: run the batch script (with administrative rights) to place SENTINEL.{EXE,DLL} as %SystemDrive%\PROGRA.{EXE,DLL}, "%ProgramFiles%\COMMON.{DLL,EXE}", "%ProgramFiles(x86)%\COMMON.{DLL,EXE}" and SENTINEL.EXE with the appropriate filename next to every directory with space(s) in its name. The latter is necessary to catch command lines like "C:\PROGRA~1\Common Files\...\[.]" or "C:\PROGRA~1\COMMON~1\Microsoft Shared\...\[.]" etc.
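As an added example (not part of Stefan Kanthak's post and not his SENTINEL tooling): a small Python scanner, written from the defender's side, that parses registry values in the .reg notation used above and, for every command line whose executable is unquoted and contains spaces, lists the paths CreateProcess probes before it reaches the intended file, following the documented rule (each space-delimited prefix, with .exe appended when it has no extension). SAMPLE_REG and ENV are constructed; the scanner covers executable paths only, not the RUNDLL32/REGSVR32 DLL-argument case.

```python
import re
# Constructed sample in the .reg notation the post uses ("expand:" marks REG_EXPAND_SZ);
# three entries are copied from the post, "Quoted Tool" is a constructed, correctly quoted one.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EMET Notifier"="C:\\Program Files\\EMET\\EMET_notifier.exe"
"Quoted Tool"="\"C:\\Program Files\\Vendor\\tool.exe\" /tray"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMS]
"ImagePath"=expand:"%ProgramFiles(x86)%\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open\command]
@=expand:"%ProgramFiles%\\Windows Sidebar\\Sidebar.exe"
'''
# Constructed environment so REG_EXPAND_SZ values can be expanded offline.
ENV = {"ProgramFiles": r"C:\Program Files", "ProgramFiles(x86)": r"C:\Program Files (x86)"}
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(expand:)?"((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', s)

def probe_paths(cmdline):
    """Paths CreateProcess tries, in order, for an unquoted command line (each space-delimited
    prefix, .exe appended when it lacks an extension); a quoted executable yields []."""
    if cmdline.startswith('"'):
        return []
    tokens, paths = cmdline.split(' '), []
    for i in range(1, len(tokens) + 1):
        prefix = ' '.join(tokens[:i])
        if '.' not in prefix.rsplit('\\', 1)[-1]:
            prefix += '.exe'
        paths.append(prefix)
        if tokens[i - 1].lower().endswith('.exe'):
            break                                  # reached the intended executable
    return paths

def scan(reg_text, env=ENV):
    """(key, value name, command line, probe paths) for every command that tries more than one path."""
    findings, key = [], None
    for line in reg_text.splitlines():
        if k := KEY_RE.match(line):
            key = k.group(1)
        elif key and (v := VALUE_RE.match(line)):
            name = '@' if v.group(2) is None else unescape(v.group(2))
            cmd = unescape(v.group(4))
            if v.group(3):                         # REG_EXPAND_SZ: expand %NAME% references
                cmd = re.sub(r'%([^%]+)%', lambda m: env.get(m.group(1), m.group(0)), cmd)
            probes = probe_paths(cmd)
            if len(probes) > 1:                    # the real target is not the first path tried
                findings.append((key, name, cmd, probes))
    return findings
```

Every probe path except the last is a location an administrator should make sure is not writable by ordinary users, or occupy with a sentinel as the post suggests.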