Message-ID: <51EA0D70C24F4974A6CE8E29D6185DE7@H270>
Date: Sat, 20 Dec 2025 20:44:01 +0100
From: Stefan Kanthak via Fulldisclosure <fulldisclosure@...lists.org>
To: <fulldisclosure@...lists.org>
Subject: [FD] Defense in depth -- the Microsoft way (part 94): SAFER (SRPv1
	and AppLocker alias SRPv2) bypass for dummies

Hi @ll,

for 30 years Microsoft has shipped Windows with "Windows Script Host",
an empty registry key and the following registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"DisplayLogo"="1"
"SilentTerminate"="0"
"UseWINSAFER"="1"

The last registry entry (which is not writeable by unprivileged users)
enables SAFER, i.e. both Software Restriction Policies and AppLocker,
for the various script engines (JScript, VBScript, PerlScript, ...)
run inside of Windows Script Host.

Windows Script Host supports the following additional registry entries:

"Enabled"=...
"LogSecurityFailures"=...
"LogSecuritySuccesses"=...
"TimeOut"=...
"IgnoreUserSettings"=...

Except for the last one, which is evaluated only in the
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
registry key, (unprivileged) users can but overrule the (read-only)
settings shown above by adding the same registry entries to their
[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
registry key, i.e. UNLESS disabled via

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"IgnoreUserSettings"="1"

they can enable a disabled Windows Script Host or disable SAFER for
it via the following registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"Enabled"="1"
"UseWINSAFER"="0"

stay tuned
Stefan Kanthak

PS: these registry entries can be either REG_SZ or REG_DWORD
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
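
A defender-side check for the override described in the message above, added here as an example and not part of the original post: it lists per-user `Enabled` and `UseWINSAFER` entries in the loaded user hives and reports whether `IgnoreUserSettings` is set in HKLM. The helper name `Get-WshValue` and the output column names are hypothetical, and the evaluation follows the semantics as the post states them.

```powershell
# Added example (not from the post): audit per-user overrides of WSH settings.
# Assumes the semantics the post describes; only loaded user hives are visible.
$sub  = 'Software\Microsoft\Windows Script Host\Settings'
$hklm = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings"

function Get-WshValue {
    param([string]$Path, [string]$Name)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $value = $key.GetValue($Name, $null)
    if ($null -eq $value) { return $null }
    # Entries can be REG_SZ or REG_DWORD, so normalise to text before comparing.
    return ([string]$value).Trim()
}

# With IgnoreUserSettings=1 in HKLM the per-user entries are not evaluated.
$ignore = (Get-WshValue $hklm 'IgnoreUserSettings') -eq '1'

$hives = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
$findings = foreach ($hive in $hives) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }
    foreach ($name in 'Enabled', 'UseWINSAFER') {
        $user = Get-WshValue "Registry::HKEY_USERS\$sid\$sub" $name
        if ($null -eq $user) { continue }
        $machine = Get-WshValue $hklm $name
        # The two overrides named in the post: re-enabling WSH, switching SAFER off.
        $weakens = ($name -eq 'UseWINSAFER' -and $user -eq '0') -or
                   ($name -eq 'Enabled' -and $user -eq '1' -and $machine -eq '0')
        [pscustomobject]@{
            Sid = $sid; Name = $name; UserValue = $user; MachineValue = $machine
            WeakensPolicy = $weakens; InEffect = $weakens -and -not $ignore
        }
    }
}

"HKLM IgnoreUserSettings=1: $ignore"
$findings | Sort-Object Sid, Name | Format-Table -AutoSize
```

Run it elevated so that other users' loaded hives under HKEY_USERS are readable; profiles that are not loaded at the time are not covered.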
