Re: possible regedit bulk key deletion vulnerability (Revised)

At 11:08 PM 11/15/2004, you wrote:
> It would not take someone with a lot of smarts to misuse this simple
> incomplete key (which regedit appearently interprets as a global delete of
> all the keys). Malware or a virus could simply dynamically build a .reg file
> or copy one (say malware.reg for example) with the above delete key
> specification, and place an item under the
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with the value of
> "regedit malware.reg /s". Using this example the machine can be rendered
> useless when it was restarted.

Far easier for the malware to use the API that Microsoft thoughtfully
provided for just that purpose:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/reference/shlwapi/registry/shdeletekey.asp

> begging the point that maybe regedit should also only allowed to run by
> administrators.

Of course, only an administrator could have deleted HKLM anyway...

--
Editor's Note: The 43rd Most Powerful Person in Networking says...

Register today to take the TruSecure ICSA exam by 12/31/04  at
<http://www.2test.com> ,  use promo code "CT1204" and you will pay just
$221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
for international delivery.

Visit <https://ticsa.trusecure.com>  for complete details regarding the
TICSA credential and to take the free sample exam.

--