Protect KnownDLL Lookup Table

NT creates a lookup table for system DLLs so that they are only loaded into
memory once. Normal users can edit this list which means that the system will
any arbitrary DLL (perhaps a trojan – perhaps destructive) instead of a system
DLL. The DLLs are executed in the security context of the calling process. When
an admin or other power account runs the replaced DLL, the hacker could easily
gain admin access. To block this hack, set the ProtectMode=1.

Key: System\CurrentControlSet\Control\Session

Name: ProtectionMode
Value: 1

You will see Session Manager with space and SessionManager. Its
the one with the space. Microsoft’s original security bulletin pointed to wrong
sub-key. Microsoft’s updated bulletin
announces a hot-fix and recommends using the hot-fix rather than this registry
change. If you read the security bulletin issue section carefully, it becomes
apparent that the exposure should be addressed by workstation support and
environments with server pools services by individuals with console access but
at various access levels (i.e. account operators, server operators, backup
operators). I strongly recommend applying the hot-fix in that kind of server
For others I would recommend waiting for the hot-fix to get
integrated into a Service Pack. This is the kind of thing they are paying you
BIG bucks for, study the issue and make your own call. Read the “Issue” section
of the security alert to get the best writeup on the issue.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top