Re: Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe

2015-09-10 Thread Stefan Kanthak
I wrote ... and forgot some mitigations: [...]
> Proof of concept (for Windows 2000 to Windows 10; use your own "sentinel"
> instead of mine for Windows NT4):
>
> 1. get (this is a
> 32-bit executable [*]; the 64-bit exec

Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe

2015-09-09 Thread Stefan Kanthak
Hi @ll, part 31 (see ) showed how to execute arbitrary (rogue) executables planted as %SystemRoot%\System32\RegEdit.exe, %SystemRoot%\System32\Explorer.exe etc. instead of %SystemRoot%\RegEdit.exe, %SystemRoot%\Explorer.exe etc., including a possible