Vulnerability and Exploit Detector

Me, myself & IT

Vulnerability and Exploit Detector

Purpose
Reason
Operation: SENTINEL.DLL; SENTINEL.EXE
Limitation
Background Information: Execution of bogus or rogue programs; Execution of bogus or rogue DLLs
Known Vulnerabilities
Known Weaknesses
Implementation and Build Details
Authenticity and Integrity
Download
Makefile and Build Instructions
Demonstration
Installation: Automatic online installation; Manual offline installation
Update
Deinstallation

Purpose

The Vulnerability and Exploit Detector for Microsoft^® Windows^™ NT consists of the independent executable files SENTINEL.DLL and SENTINEL.EXE.
They are used as canaries to indicate the execution of bogus or rogue applications and DLLs from unintended or unwanted locations, typically in order to detect and demonstrate programming errors which lead to weaknesses and vulnerabilities, or to catch and detect (malicious) code which exploits such weaknesses and vulnerabilities.
When placed in trusted locations of the search path, before untrusted locations like the CWD, they additionally act as sentinels and prevent the execution of bogus or rogue applications and DLLs.

Reason

Way too many Windows DLLs and programs, especially setup programs which typically have to be run with administrative privileges, suffer from ~~poor~~ insecure search path handling, resulting in well-known weaknesses like CWE-426: Untrusted Search Path, CWE-427: Uncontrolled Search Path Element and CWE-428: Unquoted Search Path or Element documented in the CWE^™, and allowing well-known attacks like CAPEC-471: Search Order Hijacking documented in the CAPEC^™.

REM Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

IF DEFINED NoDefaultCurrentDirectoryInExePath SET NoDefaultCurrentDirectoryInExePath
ECHO ECHO %CD% 1>CWE-426.CMD && (
CALL CWE-426.CMD
ERASE CWE-426.CMD)

PATH
SET PATH
FOR %? IN ("%PATH:;=" "%") DO @(
ECHO ECHO %~? 1>"%~?\CWE-426.CMD" 2>NUL: && (
CALL "%~?\CWE-426.CMD"
ERASE "%~?\CWE-426.CMD"))

Operation

Both SENTINEL.DLL and SENTINEL.EXE write a message similar to that shown in the message boxes below to Windows’ Event Log, using the source Vulnerability and Exploit Detector.
To retrieve these messages from the Event Log, start the Command Processor and run the following command line:

"%SystemRoot%\System32\WBEM\WMIC.exe" NTEvent Where "SourceName='Vulnerability and Exploit Detector'" Get /Value

For a typical output of this command line see SENTINEL.TXT.

`SENTINEL.DLL`

SENTINEL.DLL is placed in the application directory and/or the CWD of programs which load DLLs during load-time and/or run-time, using the filename of one or more DLLs loaded by the respective program or any (other) DLL loaded by it.

Note: on systems with AMD64 alias x64 processor architecture, SENTINEL.DLL is ~~loaded~~ executed only if its execution environment matches that of the calling process!

Note: while searching for DLLs specified without absolute (fully qualified) pathname, Windows’ module loader maps PE32/PE32+ modules with matching filenames into memory, independent of their target execution environment; upon mismatch of the execution environments it discards and unloads the modules, then continues searching.

Note: the DllMain() DllMain() _DllMainCRTStartup() entry point of every DLL loaded during load-time of an application or DLL is called before the entry point of this (dependent) application or DLL!

When SENTINEL.DLL runs in an interactive logon session it displays one or more message boxes like that shown to the right:

The message box displayed during the initial call of SENTINEL.DLL, i.e. DLL_PROCESS_ATTACH, offers the choice to return success (via the OK button) or failure (via the Cancel button) to the calling process. The Win32 functions LoadLibrary() and LoadLibraryEx() yield error code 1114 alias ERROR_DLL_INIT_FAILED for failure, while Windows’ module loader yields the NTSTATUS 0xC0000142 alias STATUS_DLL_INIT_FAILED.
The message boxes displayed during following calls of SENTINEL.DLL, i.e. DLL_THREAD_ATTACH and DLL_THREAD_DETACH, offer the choice to disable subsequent calls for thread attach and detach via the Cancel button.
The message box displayed during the final call of SENTINEL.DLL, i.e. DLL_PROCESS_DETACH, shows only the OK button.

To test the proper function of SENTINEL.DLL, start the Command Processor and run (one of) the following command lines:

REM Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

"%SystemRoot%\System32\MSIExec.exe" /Y "‹path›\SENTINEL.DLL"
"%SystemRoot%\System32\RegSvr32.exe" /I /N /S "‹path›\SENTINEL.DLL"
"%SystemRoot%\System32\RegSvr32.exe" /S "‹path›\SENTINEL.DLL"
"%SystemRoot%\System32\RegSvr32.exe" /S /U "‹path›\SENTINEL.DLL"
"%SystemRoot%\System32\RunDLL32.exe" "‹path›\SENTINEL.DLL",RunDLL

`SENTINEL.EXE`

SENTINEL.EXE is typically placed as PROGRAM and/or PROGRAM.EXE in the root directory of Windows’ system drive %SystemDrive%; if creation of short 8.3 filenames is enabled, SENTINEL.EXE can be copied as is and a short 8.3 filename PROGRAM or PROGRAM.EXE set:

"%SystemRoot%\System32\FSUtil.exe" File SetShortName "%SystemDrive%\SENTINEL.EXE" PROGRAM.EXE

To list other locations (i.e. directories with a space in their name) where SENTINEL.EXE may be placed, start the Command Processor and run the following command lines:

REM Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

FOR /D /R "%SystemRoot%" %? IN ("* *") DO @ECHO %?
FOR /D /R "%ProgramFiles%" %? IN ("* *") DO @ECHO %?
IF DEFINED ProgramFiles(x86) IF NOT "%ProgramFiles(x86)%" == "%ProgramFiles%" FOR /D /R "%ProgramFiles(x86)%" %? IN ("* *") DO @ECHO %?
FOR /D /R "%USERPROFILE%" %? IN ("* *") DO @ECHO %?

[Screen shot of SENTINEL.EXE started on Windows XP by defective scanner software]

When SENTINEL.EXE runs in an interactive logon session it displays a message box like that shown to the right.

Note: SENTINEL.EXE can determine the calling process only if it still exists and it runs in the same (unprivileged) security context, on systems with AMD64 alias x64 processor architecture also in the same (32- or 64-bit) execution environment!

To test the proper function of SENTINEL.EXE, execute it per double-click from Windows Explorer or call it from the Command Processor.

Limitation

When SENTINEL.DLL is (renamed and) used as static (load-time) dependency of an arbitrary executable (a program or another DLL), loading of this executable usually fails due to unresolved external symbols or ordinals, and SENTINEL.DLL is not run: SENTINEL.DLL does not export the symbols and ordinals of the original DLL.

This limitation can be overcome by forwarding the missing exports to the original DLL using a .def file when linking SENTINEL.DLL:

; Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

LIBRARY ‹module›

EXPORTS
        ‹symbol›=[C:\Windows\]System32\‹filename›.‹symbol› @‹ordinal› PRIVATE
        …
        @‹ordinal›=[C:\Windows\]System32\‹filename›.#‹ordinal› @‹ordinal› NONAME PRIVATE
        …

Caveat: export forwarding is limited to target DLLs with extension .dll!

Note: original DLLs located in Windows’ system directory %SystemRoot%\System32\ can be referenced with their relative pathname System32\‹filename› since the windows directory %SystemRoot%\ is in the search path too:

[…] If a relative path is specified, the entire relative path is appended to every token in the DLL search path list.

[…] If lpFileName specifies a relative path, the entire relative path is appended to every token in the DLL search path.

Note: .def files can be created with a simple batch script (.cmd) from the output of the following command line:

LINK.EXE /DUMP /HEADERS ‹module›.dll

A complete set of 32-bit forwarder DLLs for all system DLLs of Windows XP and Windows 7 is available on request.

Background Information

Execution of bogus or rogue programs

The most ~~prominent~~ notorious, well-known and well-documented example is the unintended execution of
%SystemDrive%\Program.exe or (for example)
"%SystemDrive%\Program Files\Internet.exe" alias
"%ProgramFiles%\Internet.exe" instead of the intended execution of (again for example)
"%SystemDrive%\Program Files\Internet Explorer\IExplore.exe" alias
"%ProgramFiles%\Internet Explorer\IExplore.exe" due to missing quotes around the long filename or pathname of an executable file that contains spaces when used in a command line like
%SystemDrive%\Program Files\Internet Explorer\IExplore.exe -nohome alias
%ProgramFiles%\Internet Explorer\IExplore.exe -nohome.

The resulting weakness is listed as CWE-428: Unquoted Search Path or Element in the CWE^™.

This (unfortunately way too) common ~~programmer’s~~ beginner’s error is documented in the MSDN articles for the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW(), CreateProcessWithTokenW() and WinExec() under the heading Security Remarks, for the Win32 function CreateService(), and (for example) in the MSKB articles 134425, 139427, 140724 and 812486.

The (to say the very least) ~~weird~~ braindead behaviour of these Win32 functions which lets this beginner’s error go undetected (without a properly named sentinel placed aside all executable files with a space in their name and all directories with a space in their name which contain executable files) is documented in the MSDN articles referenced above under the heading Parameters and exists since the introduction of long filenames with Win32 in Windows NT 3.1 (and of course Windows 95 too) more than 25 years ago:

[…] the module name must be the first white space-delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:

c:\program.exe files\sub dir\program name

c:\program files\sub.exe dir\program name

c:\program files\sub dir\program.exe name

c:\program files\sub dir\program name.exe

These Win32 functions play try & error where they should but fail and return an error to their caller!

Note: the following rules of interpretation are missing in the documentation:

all possibilities are tried without the extension .exe first (executable files don’t need to have an extension at all);
all possibilities where both a matching file with extension .exe and a matching directory without extension exist are discarded;
except for the last possibility matching directories are discarded.

To perform a quick (but non-exhaustive) check whether your Windows installation is affected, start the Command Processor, run the following command lines and inspect their output:

REM Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

FTYPE | "%SystemRoot%\System32\Find.exe" /I "=%ProgramFiles%"
FTYPE | "%SystemRoot%\System32\Find.exe" /I "=%ProgramFiles"
FTYPE | "%SystemRoot%\System32\Find.exe" /I "=%CommonProgramFiles"
FTYPE | "%SystemRoot%\System32\Find.exe" /I "=!USERPROFILE:\%USERNAME%=\!"
FTYPE | "%SystemRoot%\System32\Find.exe" /I " %ProgramFiles%"
FTYPE | "%SystemRoot%\System32\Find.exe" /I " %ProgramFiles"
FTYPE | "%SystemRoot%\System32\Find.exe" /I " %CommonProgramFiles"
FTYPE | "%SystemRoot%\System32\Find.exe" /I " !USERPROFILE:\%USERNAME%=\!"
"%SystemRoot%\System32\WBEM\WMIC.exe" Service Get PathName /Value | "%SystemRoot%\System32\Find.exe" /I "\Windows " | "%SystemRoot%\System32\Find.exe" /V "PathName="""
"%SystemRoot%\System32\WBEM\WMIC.exe" Service Get PathName /Value | "%SystemRoot%\System32\Find.exe" /I "=%ProgramFiles%"
"%SystemRoot%\System32\WBEM\WMIC.exe" Service Get PathName /Value | "%SystemRoot%\System32\Find.exe" /I "=!USERPROFILE:\%USERNAME%=\!"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "LocalServer Is Not NULL" Get LocalServer /Value | "%SystemRoot%\System32\Find.exe" /I "=%ProgramFiles%"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "LocalServer Is Not NULL" Get LocalServer /Value | "%SystemRoot%\System32\Find.exe" /I "=%ProgramFiles"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "LocalServer Is Not NULL" Get LocalServer /Value | "%SystemRoot%\System32\Find.exe" /I "=%CommonProgramFiles"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "LocalServer Is Not NULL" Get LocalServer /Value | "%SystemRoot%\System32\Find.exe" /I "=!USERPROFILE:\%USERNAME%=\!"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "LocalServer32 Is Not NULL" Get LocalServer32 /Value | "%SystemRoot%\System32\Find.exe" /I "=%ProgramFiles%"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "LocalServer32 Is Not NULL" Get LocalServer32 /Value | "%SystemRoot%\System32\Find.exe" /I "=%ProgramFiles"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "LocalServer32 Is Not NULL" Get LocalServer32 /Value | "%SystemRoot%\System32\Find.exe" /I "=%CommonProgramFiles"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "LocalServer32 Is Not NULL" Get LocalServer32 /Value | "%SystemRoot%\System32\Find.exe" /I "=!USERPROFILE:\%USERNAME%=\!"

Note: the command lines can be copied and pasted as block into a Command Processor window!

Use the batch script SLOPPY.CMD to perform all the checks listed here and below.
Download, read and run the batch scripts SLOPPY7X.CMD and SLOPPY7D.CMD to conduct a more thorough check.

If you detect an unquoted long filename or pathname containing spaces in a command line, direct the author(s) of the defective software (for example) to the MSKB articles 102739, 166827 and 170669, the MSDN articles Extending Shortcut Menus, Verbs and File Associations, Best Practices for File Associations, Registering Programs with Client Types and How to Register an Internet Browser or Email Client With the Windows Start Menu, plus the TechNet article Using Long File Names and request a fix for this well-known vulnerability!

If any element of the command string contains or might contain spaces, it must be enclosed in quotation marks. Otherwise, if the element contains a space, it will not parse correctly. For instance, "My Program.exe" starts the application properly. If you use My Program.exe without quotation marks, then the system attempts to launch My with Program.exe as its first first command line argument. You should always use quotation marks with arguments such as %1 that are expanded to strings by the Shell, because you cannot be certain that the string will not contain a space.

The command line must specify a fully qualified absolute path to the file, followed by optional command-line options. Use quotation marks appropriately to ensure that spaces in the command line are not misinterpreted.

lpBinaryPathName [in, optional]

The fully qualified path to the service binary file. If the path contains a space, it must be quoted so that it is correctly interpreted. For example, "d:\\my share\\myservice.exe" should be specified as "\"d:\\my share\\myservice.exe\"".

To perform a quick (but non-exhaustive) check whether your Windows installation is affected by both aforementioned bugs, start the Command Processor, run the following command lines and inspect their output:

REM Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

FTYPE | "%SystemRoot%\System32\Find.exe" /V "."
FTYPE | "%SystemRoot%\System32\Find.exe" /V "\"
FTYPE | "%SystemRoot%\System32\Find.exe" /I " %L"
FTYPE | "%SystemRoot%\System32\Find.exe" " %1"

Note: the command lines can be copied and pasted as block into a Command Processor window!

Use the batch script SLOPPY.CMD to perform all the checks listed here, above and below.
Download, read and run the batch scripts SLOPPY7X.CMD and SLOPPY7D.CMD to conduct a more thorough check.

If you detect a simple filename or a partial (relative) pathname instead of a full (absolute) pathname or an unquoted argument (anywhere, not only) in the command lines printed by FTYPE, direct the author(s) of the vulnerable software (for example) to the MSDN articles referenced above and request a fix for this well-known vulnerability!

Also ask the author(s) of the defective software why they don’t use Application Verifier to test their software!

Calls to the CreateProcess API function are subject to attack if parameters are not specified correctly. AppVerifier generates an error if CreateProcess (or other related API functions) are called with a NULL lpApplicationName parameter and an lpCommandLine parameter that contains spaces. For example, it does not allow the following as the command line parameter:
            c:\program files\sample.exe -t -g c:\program files\sample\test
        
Using this command line, an application can inadvertently execute unwanted code if a malicious user installs his program to C:\Program.

Execution of bogus or rogue DLLs

The other ~~prominent~~ infamous and well-known example, first reported on September 18, 2000 as Georgi Guninski security advisory #21, 2000 and listed as CVE-2000-0854 in the CVE^®, is the unintended execution of bogus or rogue DLLs (and programs) with the well-known filename of a system DLL (or a system program) from (usually) the CWD or the application directory instead of Windows’ system directory %SystemRoot%\System32\ due to insecure search path handling and the use of a simple filename or a relative (partial) pathname instead of an absolute (full) pathname, known as DLL spoofing alias DLL preloading, directory poisoning, binary planting, DLL hijacking and DLL side-loading.

The resulting weaknesses are listed as CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE^™.

The posts MS09-014: Addressing the Safari Carpet Bomb vulnerability, More information about the DLL Preloading remote attack vector, An update on the DLL-preloading remote attack vector and Triaging a DLL planting vulnerability on Microsoft’s Security Research and Defense Blog give additional information.

For loading of DLLs the proper and secure search path handling is documented in the MSDN articles Dynamic-Link Library Security and Dynamic-Link Library Search Order, the Security Advisory 2269637, the MSKB articles 2389418 and 2533623, plus the post Load Library Safely:

Applications can control the location from which a DLL is loaded by specifying a full path or using another mechanism such as a manifest.

Wherever possible, specify a fully qualified path when using the LoadLibrary, LoadLibraryEx, CreateProcess, or ShellExecute functions.

Use fully qualified paths for all calls to LoadLibrary, CreateProcess, and ShellExecute where you can.

This exploit may occur when applications do not directly specify the fully qualified path to a library it intends to load.

Always specify the fully qualified path when the library location is constant.

Additionally see the MSDN articles Self-Registration as well as DefaultIcon, LocalServer and LocalServer32:

The server must register the full path to the installation location of the DLL or EXE module for their respective InprocServer32, InprocHandler32, and LocalServer32 keys in the registry.

This is a REG_SZ value that specifies the full path to the executable name […]

Specifies the full path to a 16-bit local server application.

Specifies the full path to a 32-bit local server application.
[…]
The ServerExecutable value, which is of type REG_SZ and is supported starting with Windows Server 2003, works in conjunction with the LocalServer32 subkey to prevent any ambiguity when using the CreateProcess function. LocalServer32 specifies the location of the COM server application to launch, and this information is passed as the first parameter lpApplicationName for CreateProcess. Depending on the implementation of CreateProcess, this information might be ambiguous. For this reason, if ServerExecutable is specified, COM passes the ServerExecutable named value to the lpApplicationName parameter of CreateProcess. If ServerExecutable is not specified, COM passes NULL as the value for the first parameter of CreateProcess.
To help provide system security, use quoted strings in the path to indicate where the executable filename ends and the arguments begin.

Note: the MSDN articles InprocHandler, InprocHandler32, InprocServer, InprocServer32 and ToolBoxBitmap32 fail to specify the use of full (absolute) pathnames and need to be corrected!

To perform a quick (but non-exhaustive) check whether your Windows installation is affected, start the Command Processor, run the following command lines and inspect their output:

REM Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

FTYPE | "%SystemRoot%\System32\Find.exe" /I " %ProgramFiles%"
FTYPE | "%SystemRoot%\System32\Find.exe" /I " %ProgramFiles"
FTYPE | "%SystemRoot%\System32\Find.exe" /I " %CommonProgramFiles"
FTYPE | "%SystemRoot%\System32\Find.exe" /I " !USERPROFILE:\%USERNAME%=\!"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "InProcHandler Is Not NULL" Get InProcHandler /Value | "%SystemRoot%\System32\Find.exe" /V "."
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "InProcHandler Is Not NULL" Get InProcHandler /Value | "%SystemRoot%\System32\Find.exe" /V "\"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "InProcHandler32 Is Not NULL" Get InProcHandler32 /Value | "%SystemRoot%\System32\Find.exe" /V "."
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "InProcHandler32 Is Not NULL" Get InProcHandler32 /Value | "%SystemRoot%\System32\Find.exe" /V "\"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "InProcServer Is Not NULL" Get InProcServer /Value | "%SystemRoot%\System32\Find.exe" /V "."
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "InProcServer Is Not NULL" Get InProcServer /Value | "%SystemRoot%\System32\Find.exe" /V "\"
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "InProcServer32 Is Not NULL" Get InProcServer32 /Value | "%SystemRoot%\System32\Find.exe" /V "."
"%SystemRoot%\System32\WBEM\WMIC.exe" PATH Win32_ClassicCOMClassSetting Where "InProcServer32 Is Not NULL" Get InProcServer32 /Value | "%SystemRoot%\System32\Find.exe" /V "\"

Note: the command lines can be copied and pasted as block into a Command Processor window!

Use the batch script SLOPPY.CMD to perform all the checks listed here and above.
Download, read and run the batch scripts SLOPPY7X.CMD and SLOPPY7D.CMD to conduct a more thorough check.

Again: if you detect a simple filename or a partial (relative) pathname instead of a full (absolute) pathname in a call of a Win32 function that loads an executable file, in a command line, in a shortcut (.lnk), in the Registry, in a DESKTOP.INI file etc. as well as an unquoted argument in a command line, direct the author(s) of the vulnerable software (for example) to the MSDN articles referenced above as well as Guidelines For Developers and request a fix for this well-known vulnerability!

Known Vulnerabilities

Some, but not all (now fixed) individual vulnerabilities due to insecure search path handling only in Microsoft products are documented in the MSKB articles 306850, 819125, 905890, 959426, 2264107, 2385678, 2423089, 2423930, 2424434, 2443105, 2447961, 2478935, 2482017, 2489293, 2494047 2500212, 2508062, 2510030, 2533623, 2560656, 2560847, 2570947, 2587634, 2603381, 2604926, 2618444, 2620704, 2623699, 2639142, 2643719, 2651018, 2651019, 2661637, 2686509, 2707956, 2707960, 2719662, 2745030, 2961037, 3063858, 3072620, 3072631, 3074162, 3080348, 3108347, 3108371, 3108381, 3108664, 3110329, 3116162, 3121461, 3121918, 3134228, 3140709, 3148531, 3148789, 3163610, 3199172, 3204068, 3205655 and 4013078, the Security Bulletins MS06-051, MS09-014, MS09-015, MS10-087, MS10-093, MS10-094, MS10-095, MS10-096, MS10-097, MS11-001, MS11-003, MS11-015, MS11-016. MS11-017, MS11-023, MS11-025, MS11-055, MS11-059, MS11-071, MS11-073, MS11-075, MS11-076, MS11-085, MS11-094, MS11-099, MS12-002, MS12-012, MS12-014, MS12-021, MS12-022, MS12-034, MS12-039, MS12-046, MS12-074, MS14-023, MS15-063, MS15-069, MS15-070, MS15-082, MS15-132, MS16-007, MS16-014, MS16-025, MS16-037, MS16-041, MS16-070, MS16-130, MS16-148, MS16-149 and MS17-012, plus the Security Advisories 953818, 2269637, 2719662 and 3074162.
At the time of writing the Security Advisory 2269637 lists 29 additional Security Bulletins!

The vulnerability fixed with 3121918 alias MS16-007 is listed as CVE-2016-0014 in the CVE^®: whenever an application used Win32 functions involving the Encrypting File System, FEClient.dll was loaded using its simple filename instead of its fully qualified (absolute) pathname %SystemRoot%\System32\FEClient.dll.
Please notice the entries for January 2016 on Acknowledgments – 2016.

A variant of this programming error is documented in the MSDN articles for the Win32 functions LoadLibrary() and LoadLibraryEx() under the heading Security Remarks.

For the execution of programs some, but not all (now fixed) individual vulnerabilities due to insecure search path handling only in Microsoft products are documented in the MSKB articles 264061, 269049, 303628, 327522, 2781197, 2823482 and 2847927, plus the Security Bulletins MS00-052, MS02-064, MS13-034 and MS13-058.

The MSKB article 249321 but proposes to replace an absolute (full) pathname with a simple filename which introduces this vulnerability!
Note: a Registry entry of type REG_EXPAND_SZ with value %SystemRoot%\System32\UserInit.exe avoids both errors!

For the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() and CreateProcessWithTokenW() another (now fixed) individual vulnerability where the command processor was called using the simple filename CMD instead of its fully qualified (absolute) pathname %ComSpec% alias %SystemRoot%\System32\Cmd.exe is documented in the MSKB article 2922229 and the Security Bulletin MS14-019.
Please notice its Acknowledgements section, or see the entries for April on Acknowledgments – 2014.

The post MS14-019 – Fixing a binary hijacking via .cmd or .bat file on Microsoft’s Security Research and Defense Blog provides additional information.

This vulnerability is listed as CVE-2014-0315 in the CVE^®.

[Screen shot from german MSKB article 2647300: REGEDIT.EXE showing command lines with unquoted 'long' pathnames and a simple filename] Many setup scripts for device drivers of many vendors (including many WHQL certified device drivers available from Windows Update and the Microsoft Update Catalog) suffer from both beginner’s errors too!

See the screen shot on the right for some examples of command lines with unquoted long pathnames and a simple filename.

Please notice the entries for May 2014 and June 2015 on Security Researcher Acknowledgments Microsoft Online Services – Prior Months.

Programs that are run from the user’s Downloads directory %USERPROFILE%\Downloads\, the Temp directory %TMP%\ alias %USERPROFILE%\AppData\Local\Temp\ or %SystemRoot%\Temp\ respectively, as well as the user’s Desktop directory %USERPROFILE%\Desktop\, typically and especially (self-extracting or self-unpacking) installers, almost always load some DLLs from these directories (which are their application directory), and typically also execute their payload from there.

IExpress installers like CAPICOM-KB931906-v2102.exe, a security (sic!) update documented in the MSKB article 931906 and the Security Bulletin MS07-028, DotNETFX.exe and LangPack.exe for the .NET Framework versions 1.0, 1.1 and 2.0, and many more are well-known examples for arbitrary code execution vulnerabilities, and since Windows Vista^® due to UACs installer detection privilege escalation vulnerabilities too!

All executable installers built with: InnoSetup load and execute DWMAPI.dll or UXTheme.dll, …;; InstallShield load and execute RichEd32.dll, …;; NSIS before version 2.50 and 3.0b5 load and execute ShFolder.dll, DWMAPI.dll or UXTheme.dll, SetupAPI.dll, …;; WiX toolset before version 3.10.2 load and execute MSI.dll, Version.dll, …;; …

All self-extracting executable archives built with: 7-Zip load and execute DWMAPI.dll or UXTheme.dll, …;; WinRAR before version 5.31 load and execute DWMAPI.dll or UXTheme.dll, RichEd20.dll, RichEd32.dll, …;; …

Known Weaknesses

Each and every program not installed in Windows’ system directory %SystemRoot%\System32\ (see Raymond Chen’s TechNet magazine article Windows Confidential: History—the Long Way Through for some hindsight) that is statically linked against DLLs which are neither installed in the program’s application directory nor listed as known DLLs (see but Windows Confidential: The Known DLLs Balancing Act) or that (delay-)loads DLLs which are not installed in the program’s application directory without using their full (absolute) pathname is susceptible to DLL hijacking.

This attack is listed as CAPEC-471: Search Order Hijacking in the CAPEC^™.

Well-known examples of such programs are

%SystemRoot%\Explorer.exe:: loads and executes %SystemRoot%\ACLUI.dll instead of %SystemRoot%\System32\ACLUI.dll;
%SystemRoot%\RegEdit.exe:: as above;
%SystemRoot%\Write.exe;
%SystemRoot%\System32\DISM\DISMHost.exe:: loads and executes %SystemRoot%\System32\DISM\PEProvider.dll;
%SystemRoot%\System32\SysPrep\SysPrep.exe:: loads and executes %SystemRoot%\System32\SysPrep\CryptBase.dll instead of %SystemRoot%\System32\CryptBase.dll, …;
%SystemRoot%\System32\WBEM\WMIC.exe;
…

Programs like %SystemRoot%\System32\SysPrep\SysPrep.exe which silently gain full administrative privileges per UACs auto-elevation (mis)feature in protected administrator accounts and request administrative privileges in standard user accounts, or programs like %SystemRoot%\RegEdit.exe which request full administrative privileges in protected administrator accounts, execute these bogus or rogue DLLs with full administrative privileges too.

Note: since creating (or replacing) files in %SystemRoot%\System32\SysPrep\ or the windows directory %SystemRoot%\ needs administrative privileges, this weakness alone does not allow privilege escalation; together with UACs auto-elevation (mis)feature for protected administrators, which can be (ab)used to create (or replace) arbitrary files in %SystemRoot%\ and below using (for example) the command line

"%SystemRoot%\System32\WUSA.exe" "‹cabinet file›" /Extract:"‹target directory›"

it but becomes an exploitable vulnerability!

Implementation and Build Details

SENTINEL.DLL and SENTINEL.EXE are pure Win32 binary executables, written in ANSI C, built with the ~~Platform SDK for Windows Server 2003 R2~~ Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows ~~2000~~ XP and newer versions of Windows NT as well as Windows PE.

SENTINEL.DLL exports DllCanUnloadNow and DllGetClassObject to support calls from COM, DllInstall, DllRegisterServer and DllUnregisterServer to support calls from RegSvr32.exe, plus RunDLLA and RunDLLW to support calls from RunDLL32.exe.

SENTINEL.DLL and SENTINEL.EXE are available for the I386 alias x86, AMD64 alias x64 and IA64 processor architectures of Windows NT, localised for English and German.

Authenticity and Integrity

SENTINEL.EXE, SENTINEL.DLL and the cabinet file SENTINEL.CAB are digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.

Serial number of the certificate: 0x04638DAF = 73633199
Fingerprint of the certificate: MD5: 25 a0 d6 b0 bc 37 fe 49 42 d1 64 ca e6 7a f5 7f; SHA-1: 47 79 b5 28 f0 84 e6 ce f8 77 7b 62 dc c4 b3 1f fe de 07 14

Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.

Note: unfortunately WEB.DE abandoned their trust center in 2018 and removed all pages and download links in 2019; fortunately the Wayback Machine archived the TrustCenter page, the CA and the root certificate.

Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!

Download

AMD64\SENTINEL.DLL, AMD64\SENTINEL.EXE, I386\SENTINEL.DLL, I386\SENTINEL.EXE, IA64\SENTINEL.DLL, IA64\SENTINEL.EXE and the setup script SENTINEL.INF are packaged in the (compressed and digitally signed) cabinet file SENTINEL.CAB.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\>EXTRACT.EXE /D SENTINEL.CAB
Microsoft (R) Cabinet Extraction Tool - Version 5.1.2600.5512
Copyright (c) Microsoft Corporation. All rights reserved..

 Cabinet SENTINEL.CAB

07-07-2017  2:04:02p A---        40,688 SENTINEL.INF
02-06-2017  3:12:28p A---        43,704 AMD64\SENTINEL.DLL
02-06-2017  3:12:30p A---        43,192 AMD64\SENTINEL.EXE
02-06-2017  3:12:20p A---        42,680 I386\SENTINEL.DLL
02-06-2017  3:12:22p A---        42,680 I386\SENTINEL.EXE
02-06-2017  3:12:38p A---        53,432 IA64\SENTINEL.DLL
02-06-2017  3:12:38p A---        53,432 IA64\SENTINEL.EXE
                 7 Files        319,808 bytes

X:\>DIR SENTINEL.CAB
 Volume in drive X has no label.
 Volume Serial Number is 1957-0427

 Directory of X:\

07/07/2017  02:35 PM            47,453 SENTINEL.CAB
               1 File(s)         47,453 bytes
               0 Dir(s)    9,876,543,210 bytes free

X:\>SIGNTOOL.EXE Verify /V SENTINEL.CAB

Verifying: SENTINEL.CAB
SHA1 hash of file: (not calculated)
Signing Certificate Chain:
    Issued to: WEB.DE TrustCenter
    Issued by: WEB.DE TrustCenter
    Expires:   30.08.2024 09:49:34
    SHA1 hash: C8301016951187E6320569B3ED54F34845B51638

        Issued to: WEB.DE TrustCenter E-Mail Certification Authority
        Issued by: WEB.DE TrustCenter
        Expires:   30.08.2024 09:50:51
        SHA1 hash: 8946380C6E370988FB587257A9F9A5CD323045F0

            Issued to: Stefan Kanthak
            Issued by: WEB.DE TrustCenter E-Mail Certification Authority
            Expires:   14.09.2017 15:14:26
            SHA1 hash: 4779B528F084E6CEF8777B62DCC4B31FFEDE0714

The signature is timestamped: 07.07.2017 14:35:26
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   01.01.2021 01:59:59
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   31.12.2020 01:59:59
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   30.12.2020 01:59:59
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Successfully verified: SENTINEL.CAB

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

X:\>

On Windows Vista and newer versions of Windows NT, run the following command line to extract all files into the specified directory, preserving their paths:

"%SystemRoot%\System32\Expand.exe" SENTINEL.CAB /F:* "‹target directory›"

Note: Expand.exe from prior versions of Windows NT ignores the paths and junks them; use Extract.exe from the Support Tools on Windows XP and Windows Server 2003 instead!

Note: if you open SENTINEL.CAB with Windows Explorer, switch to Details view and turn on the Path column!

Makefile and Build Instructions

Optionally perform the following 3 simple steps to build SENTINEL.DLL and SENTINEL.EXE from their sources and sign them with your own X.509 certificate.

Download the makefile SENTINEL.MAK and save it in an arbitrary, preferable empty directory.
Download the icon SENTINEL.ICO and save it in the directory used in step 1.
Run the following command line to build both SENTINEL.DLL and SENTINEL.EXE:
```
NMAKE.EXE /R /F SENTINEL.MAK
```
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

Note: translations of the MESSAGETABLE and STRINGTABLE resources into other languages are welcome!

Demonstration

Perform the following 11 (plus 1 optional) steps to experience the full capability of the Vulnerability and Exploit Detector:

Download the makefile SENTINEL.MAK and the icon SENTINEL.ICO into your Temp directory %TMP%\:

BITSADMIN.EXE /TRANSFER Sentinel /DOWNLOAD /PRIORITY FOREGROUND https://skanthak.hier-im-netz.de/download/SENTINEL.MAK "%TMP%\SENTINEL.MAK" https://skanthak.hier-im-netz.de/download/SENTINEL.ICO "%TMP%\SENTINEL.ICO"

Create a new directory with an arbitrary name, for example SystemRoot\, in the root directory of the Windows drive:
```
MKDIR "%SystemDrive%\SystemRoot"
```
Create the subdirectory %SystemDrive%\SystemRoot\System32\ in the empty directory created in step 2., then copy the makefile SENTINEL.MAK and the icon SENTINEL.ICO downloaded in step 1. into the new subdirectory:
```
MKDIR "%SystemDrive%\SystemRoot\System32"
COPY "%TMP%\SENTINEL.MAK" "%SystemDrive%\SystemRoot\System32"
COPY "%TMP%\SENTINEL.ICO" "%SystemDrive%\SystemRoot\System32"
```
```
        1 file(s) copied.
        1 file(s) copied.
```

Start the 32-bit build environment for 32-bit targets in the subdirectory %SystemDrive%\SystemRoot\System32\ created in step 3., then build a minefield of 32-bit forwarder DLLs in this subdirectory and clean up:

NMAKE.EXE /R /F SENTINEL.MAK all clean
ERASE SENTINEL.MAK SENTINEL.ICO

Microsoft (R) Program Maintenance Utility Version 14.25.28614.0
Copyright (C) Microsoft Corporation.  All rights reserved.

	MC.EXE /b /c /n /u /v /z SENTINEL /U nm54B1.tmp
MC: Compiling nm54B1.tmp
nm54B1.tmp(3) : warning : Redefining value of English
Writing .\SENTINEL_ENU.bin
    [a0000001 .. a0000004] - 2900 bytes
    Total of 4 messages, 2916 bytes
Writing .\SENTINEL_GER.bin
    [a0000001 .. a0000004] - 3216 bytes
    Total of 4 messages, 3232 bytes
	RC.EXE /DUNICODE /FoSENTINEL_DLL.RES /L 0 /N /R /V nm54B4.tmp
Microsoft (R) Windows (R) Resource Compiler Version 10.0.10011.16384
Copyright (C) Microsoft Corporation.  All rights reserved.

Using codepage 1252 as default
Creating SENTINEL_DLL.RES

nm54B4.tmp.
Writing MESSAGETABLE:1, lang:0x9,       size 2916.
Writing MESSAGETABLE:1, lang:0x7,       size 3232...
Writing ICON:1, lang:0x0,       size 9640
Writing ICON:2, lang:0x0,       size 4264
Writing ICON:3, lang:0x0,       size 1128
Writing GROUP_ICON:1,   lang:0x0,       size 48.
Writing 24:1,   lang:0x0,       size 959.
Writing VERSION:1,      lang:0x0,       size 2288
Writing STRING:1,       lang:0x7,       size 470
Writing STRING:1,       lang:0x9,       size 376
	CVTRES.EXE /BREPRO /NOLOGO /OUT:SENTINEL_DLL.CVT /READONLY SENTINEL_DLL.RES
CVTRES : warning CVT4001: machine type not specified; assumed X86
	CL.EXE /Brepro /c /DCALLER /DEVENTLOG /DGSCOOKIE /DSOUND /DTHREAD /DUSERICON /FoSENTINEL_DLL.OBJ /GA /GF /GS /Gw /Gy /nologo /O1 /Os /Oy- /Tcnm5551.tmp /W4 /wd4090 /wd4100 /wd4201 /we4013 /Zl
nm5551.tmp
	CL.EXE /Brepro /c /FoSENTINEL.OBJ /GA /GF /GS /Gw /Gy /nologo /O1 /Os /Oy- /Tcnm560E.tmp /W4 /wd4047 /we4013 /Zl
nm560E.tmp
nm560E.tmp(52): warning C4142: '__security_cookie': benign redefinition of type
C:\Program Files\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.25.28610\include\vcruntime.h(349): note: see declaration of '__security_cookie'
nm560E.tmp(214): warning C4028: formal parameter 1 different from declaration
	CERTUTIL.EXE /DecodeHex /F /V nm568C.tmp SENTINEL.DOS
Input Length = 657
Output Length = 144
CertUtil: -decodehex command completed successfully.
	LINK.EXE /LINK /ALLOWBIND:NO /BREPRO /DEF:nm568D.tmp /DLL /DYNAMICBASE /ENTRY:_DllMainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NODEFAULTLIB /NOLOGO /NXCOMPAT /OPT:REF /OSVERSION:5.1 /OUT:SENTINEL.DLL /RELEASE /STUB:SENTINEL.DOS /SUBSYSTEM:WINDOWS /SWAPRUN:CD,NET /TEST /VERSION:1.0 SENTINEL.OBJ SENTINEL_DLL.OBJ SENTINEL_DLL.CVT ADVAPI32.LIB KERNEL32.LIB USER32.LIB
LINK : file alignment: 512, section alignment: 4096
LINK : section '.xdata' (40000040) merged into '.rdata' (40000040)
LINK : section '.gfids' (40000040) merged into '.rdata' (40000040)
LINK : section '.giats' (40000040) merged into '.rdata' (40000040)
LINK : section '.gljmp' (40000040) merged into '.rdata' (40000040)
LINK : section '.gehcont' (40000040) merged into '.rdata' (40000040)
LINK : section '.gids' (40000040) merged into '.rdata' (40000040)
Total (unused) space reserved for emitting COFF contribution: 236 (0) bytes
	RC.EXE /DUNICODE /FoSENTINEL_EXE.RES /L 0 /N /R /V nm631B.tmp
Microsoft (R) Windows (R) Resource Compiler Version 10.0.10011.16384
Copyright (C) Microsoft Corporation.  All rights reserved.

Using codepage 1252 as default
Creating SENTINEL_EXE.RES

nm631B.tmp.
Writing MESSAGETABLE:1, lang:0x9,       size 2916.
Writing MESSAGETABLE:1, lang:0x7,       size 3232...
Writing ICON:1, lang:0x0,       size 9640
Writing ICON:2, lang:0x0,       size 4264
Writing ICON:3, lang:0x0,       size 1128
Writing GROUP_ICON:1,   lang:0x0,       size 48.
Writing 24:1,   lang:0x0,       size 1335.
Writing VERSION:1,      lang:0x0,       size 2304
Writing STRING:1,       lang:0x7,       size 282
Writing STRING:1,       lang:0x9,       size 240
	CVTRES.EXE /BREPRO /NOLOGO /OUT:SENTINEL_EXE.CVT /READONLY SENTINEL_EXE.RES
CVTRES : warning CVT4001: machine type not specified; assumed X86
	CL.EXE /Brepro /c /DCALLER /DEVENTLOG /DGSCOOKIE /DPARENT /DPRIVILEGE /DSOUND /DUSERICON /FoSENTINEL_EXE.OBJ /GA /GF /GS /Gw /Gy /nologo /O1 /Os /Oy- /Tcnm63D8.tmp /W4 /wd4090 /wd4100 /wd4201 /we4013 /Zl
nm63D8.tmp
	LINK.EXE /LINK /BREPRO /DYNAMICBASE /ENTRY:wWinMainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NODEFAULTLIB /NOLOGO /NXCOMPAT /OPT:REF /OSVERSION:5.1 /OUT:SENTINEL.EXE /RELEASE /STUB:SENTINEL.DOS /SUBSYSTEM:WINDOWS /SWAPRUN:CD,NET /TEST /VERSION:1.0 SENTINEL.OBJ SENTINEL_EXE.OBJ SENTINEL_EXE.CVT ADVAPI32.LIB KERNEL32.LIB USER32.LIB
LINK : file alignment: 512, section alignment: 4096
LINK : section '.xdata' (40000040) merged into '.rdata' (40000040)
LINK : section '.gfids' (40000040) merged into '.rdata' (40000040)
LINK : section '.giats' (40000040) merged into '.rdata' (40000040)
LINK : section '.gljmp' (40000040) merged into '.rdata' (40000040)
LINK : section '.gehcont' (40000040) merged into '.rdata' (40000040)
LINK : section '.gids' (40000040) merged into '.rdata' (40000040)
Total (unused) space reserved for emitting COFF contribution: 236 (0) bytes
	Call SENTINEL.CMD
accessibilitycpl
…
wmiutils
	Erase SENTINEL.OBJ SENTINEL.LIB SENTINEL.EXP
	Erase SENTINEL.DOS
	Erase SENTINEL_EXE.OBJ SENTINEL_DLL.OBJ
	Erase SENTINEL_EXE.CVT SENTINEL_DLL.CVT
	Erase SENTINEL_EXE.RES SENTINEL_DLL.RES
	Erase SENTINEL.RC SENTINEL.H SENTINEL_???.BIN

Optionally on a 32-bit installation, create hardlinks to the 32-bit %SystemDrive%\SystemRoot\System32\SENTINEL.EXE built in step 4. in the subdirectory %SystemDrive%\SystemRoot\System32\ for all programs %SystemRoot%\System32\*.com and %SystemRoot%\System32\*.exe, and in the directory %SystemDrive%\SystemRoot\ for all programs %SystemRoot%\*.exe:

FOR %? IN ("%SystemRoot%\System32\*.com" "%SystemRoot%\System32\*.exe") DO @MKLINK /H "%SystemDrive%\SystemRoot\System32\%~nx?" "%SystemDrive%\SystemRoot\System32\SENTINEL.EXE"
FOR %? IN ("%SystemRoot%\*.exe") DO @MKLINK /H "%SystemDrive%\SystemRoot\%~nx?" "%SystemDrive%\SystemRoot\System32\SENTINEL.EXE"

Hardlink created for C:\SystemRoot\System32\….com <<===>> C:\SystemRoot\System32\SENTINEL.EXE
…
Hardlink created for C:\SystemRoot\System32\….exe <<===>> C:\SystemRoot\System32\SENTINEL.EXE
Hardlink created for C:\SystemRoot\….exe <<===>> C:\SystemRoot\System32\SENTINEL.EXE
…
Hardlink created for C:\SystemRoot\….exe <<===>> C:\SystemRoot\System32\SENTINEL.EXE

On a 64-bit installation, rename the subdirectory %SystemDrive%\SystemRoot\System32\ created in step 3. to %SystemDrive%\SystemRoot\SysWoW64\, then create the subdirectory %SystemDrive%\SystemRoot\System32\ and copy the makefile SENTINEL.MAK plus the icon SENTINEL.ICO downloaded in step 1. into the new subdirectory:
```
MOVE "%SystemDrive%\SystemRoot\System32" SysWoW64
MKDIR "%SystemDrive%\SystemRoot\System32"
COPY "%TMP%\SENTINEL.MAK" "%SystemDrive%\SystemRoot\System32"
COPY "%TMP%\SENTINEL.ICO" "%SystemDrive%\SystemRoot\System32"
```
```
        1 file(s) copied.
        1 file(s) copied.
```
On a 64-bit installation, start the 64-bit build environment for 64-bit targets in the subdirectory %SystemDrive%\SystemRoot\System32\ created in step 5., then build a minefield of 64-bit forwarder DLLs in this subdirectory and clean up:
```
NMAKE.EXE /R /F SENTINEL.MAK all clean
ERASE SENTINEL.MAK SENTINEL.ICO
```

Optionally on a 64-bit installation, create hardlinks to the 32-bit %SystemDrive%\SystemRoot\SysWoW64\SENTINEL.EXE built in step 4. in the subdirectory %SystemDrive%\SystemRoot\SysWoW64\ for all programs %SystemRoot%\SysWoW64\*.com and %SystemRoot%\SysWoW64\*.exe, then create hardlinks to the 64-bit %SystemDrive%\SystemRoot\System32\SENTINEL.EXE built in step 7. in the subdirectory %SystemDrive%\SystemRoot\System32\ for all programs %SystemRoot%\System32\*.com and %SystemRoot%\System32\*.exe, and in the directory %SystemDrive%\SystemRoot\ for all programs %SystemRoot%\*.exe:

FOR %? IN ("%SystemRoot%\SysWoW64\*.com" "%SystemRoot%\SysWoW64\*.exe") DO @MKLINK /H "%SystemDrive%\SystemRoot\SysWoW64\%~nx?" "%SystemDrive%\SystemRoot\SysWoW64\SENTINEL.EXE"
FOR %? IN ("%SystemRoot%\System32\*.com" "%SystemRoot%\System32\*.exe") DO @MKLINK /H "%SystemDrive%\SystemRoot\System32\%~nx?" "%SystemDrive%\SystemRoot\System32\SENTINEL.EXE"
FOR %? IN ("%SystemRoot%\*.exe") DO @MKLINK /H "%SystemDrive%\SystemRoot\%~nx?" "%SystemDrive%\SystemRoot\System32\SENTINEL.EXE"

Hardlink created for C:\SystemRoot\SysWoW64\….com <<===>> C:\SystemRoot\SysWoW64\SENTINEL.EXE
…
Hardlink created for C:\SystemRoot\SysWoW64\….exe <<===>> C:\SystemRoot\SysWoW64\SENTINEL.EXE
Hardlink created for C:\SystemRoot\System32\….com <<===>> C:\SystemRoot\System32\SENTINEL.EXE
…
Hardlink created for C:\SystemRoot\System32\….exe <<===>> C:\SystemRoot\System32\SENTINEL.EXE
Hardlink created for C:\SystemRoot\….exe <<===>> C:\SystemRoot\System32\SENTINEL.EXE
…
Hardlink created for C:\SystemRoot\….exe <<===>> C:\SystemRoot\System32\SENTINEL.EXE

Copy all programs %SystemRoot%\*.exe into the subdirectory %SystemDrive%\SystemRoot\System32\:
```
COPY "%SystemRoot%\*.exe" "%SystemDrive%\SystemRoot\System32"
```
```
       13 file(s) copied.
```

On a 64-bit installation, ~~create hardlinks of~~ copy all files %SystemRoot%\SysWoW64\* which are missing in the subdirectory %SystemDrive%\SystemRoot\SysWoW64\, and create junctions to all subdirectories %SystemRoot%\SysWoW64\* in the subdirectory %SystemDrive%\SystemRoot\SysWoW64\:

FOR %? IN ("%SystemRoot%\SysWoW64\*") DO @IF NOT EXIST "%SystemDrive%\SystemRoot\SysWoW64\%~nx?" MKLINK /H "%SystemDrive%\SystemRoot\SysWoW64\%~nx?" "%~?" 2>NUL: || COPY "%~?" "%SystemDrive%\SystemRoot\SysWoW64\%~nx?"
FOR /D %? IN ("%SystemRoot%\SysWoW64\*") DO @MKLINK /J "%SystemDrive%\SystemRoot\SysWoW64\%~nx?" "%~?"

        1 file(s) copied.
…
        1 file(s) copied.
Junction created for C:\SystemRoot\SysWoW64\… <<===>> C:\Windows\SysWoW64\…
…
Junction created for C:\SystemRoot\SysWoW64\… <<===>> C:\Windows\SysWoW64\…

~~Create hardlinks of~~ Copy all files %SystemRoot%\System32\* which are missing in the subdirectory %SystemDrive%\SystemRoot\System32\, and create junctions to all subdirectories %SystemRoot%\System32\* in the subdirectory %SystemDrive%\SystemRoot\System32\:

FOR %? IN ("%SystemRoot%\System32\*") DO @IF NOT EXIST "%SystemDrive%\SystemRoot\System32\%~nx?" MKLINK /H "%SystemDrive%\SystemRoot\System32\%~nx?" "%~?" 2>NUL: || COPY "%~?" "%SystemDrive%\SystemRoot\System32\%~nx?"
FOR /D %? IN ("%SystemRoot%\System32\*") DO @MKLINK /J "%SystemDrive%\SystemRoot\System32\%~nx?" "%~?"

        1 file(s) copied.
…
        1 file(s) copied.
Junction created for C:\SystemRoot\System32\… <<===>> C:\Windows\System32\…
…
Junction created for C:\SystemRoot\System32\… <<===>> C:\Windows\System32\…

~~Create hardlinks of~~ Copy all files %SystemRoot%\* which are missing in the directory %SystemDrive%\SystemRoot\, and create junctions to all subdirectories %SystemRoot%\* which are missing in the directory %SystemDrive%\SystemRoot\:

FOR %? IN ("%SystemRoot%\*") DO @IF NOT EXIST "%SystemDrive%\SystemRoot\%~nx?" MKLINK /H "%SystemDrive%\SystemRoot\%~nx?" "%~?" 2>NUL: || COPY "%~?" "%SystemDrive%\SystemRoot\%~nx?"
FOR /D %? IN ("%SystemRoot%\*") DO @IF NOT EXIST "%SystemDrive%\SystemRoot\%~nx?" MKLINK /J "%SystemDrive%\SystemRoot\%~nx?" "%~?"

        1 file(s) copied.
…
        1 file(s) copied.
Junction created for C:\SystemRoot\… <<===>> C:\Windows\…
…
Junction created for C:\SystemRoot\… <<===>> C:\Windows\…

Start arbitrary programs, especially those copied from the subdirectories %SystemRoot%\System32\ and %SystemRoot%\SysWoW64\ plus the directory %SystemRoot%\ into the subdirectories %SystemDrive%\SystemRoot\System32\ and %SystemDrive%\SystemRoot\SysWoW64\ plus the directory %SystemDrive%\SystemRoot\, those registered in the Start Menu and those which request elevation, perform arbitrary actions like …, and notice which programs or actions yield the message box shown above!
Optionally set the user environment variable SystemRoot to the value %SystemDrive%\SystemRoot and repeat the previous step 11.:
```
"%SystemRoot%\System32\SetX.exe" SystemRoot "%SystemDrive%\SystemRoot"
```

Installation

Installation requires administrative privileges and access rights.

The setup script SENTINEL.INF copies SENTINEL.DLL and SENTINEL.EXE as %SystemRoot%\System32\.dll and %SystemRoot%\System32\.exe, as %SystemDrive%\Program.dll and %SystemDrive%\Program.exe, as "%ProgramFiles%\Common.dll" and "%ProgramFiles%\Common.exe", as "%ProgramFiles%\Internet.dll" and "%ProgramFiles%\Internet.exe", as "%ProgramFiles%\Microsoft.dll" and "%ProgramFiles%\Microsoft.exe", as "%ProgramFiles%\Windows.dll" and "%ProgramFiles%\Windows.exe", as "%CommonProgramFiles%\Microsoft.dll" and "%CommonProgramFiles%\Microsoft.exe", with various filenames into the user’s Downloads directory "%USERPROFILE%\Downloads\" and the system’s Temp directory %SystemRoot%\Temp\, creates Software Restriction Policies alias SAFER hash rules to allow execution of both SENTINEL.DLL and SENTINEL.EXE from any path, defines the message source for the Event Log in the Registry, creates an entry Vulnerability and Exploit Detector under Installed Updates, and finally executes both SENTINEL.DLL and SENTINEL.EXE from the installation directory to demonstrate and verify their proper function.

Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment to install SENTINEL.DLL and SENTINEL.EXE for both processor architectures!

SENTINEL.CMD copies both SENTINEL.DLL and SENTINEL.EXE as %SystemDrive%\Program.dll and %SystemDrive%\Program.exe, optionally creates the hardlinks %SystemDrive%\Documents.dll and %SystemDrive%\Documents.exe to the copied files if "%SystemDrive%\Documents and Settings"\ exists, creates hardlinks aside to some or all subdirectories which contain a space in their name beneath the directories %SystemRoot%\, "%ProgramFiles%\" and (if it exists) "%ProgramFiles(x86)%\" as well as "%USERPROFILE%\", and imports SENTINEL.REG into the Registry.

Automatic online installation

When visited with Internet Explorer, this web page will prompt to install (the contents of) the package using Internet Component Download.

Note: on systems with AMD64 alias x64 processor architecture, Internet Explorer (x64) must be used!

Manual offline installation

Download the package SENTINEL.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents preserving the directory structure, right-click the extracted setup script SENTINEL.INF to display its context menu and click Install to run the installation.

Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.

Note: SENTINEL.EXE is run during installation for every processor architecture and displays the message box shown on top!

Update

The setup script supports the update from any previous version: just install the current version!

Deinstallation

Not provided.

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.