When a user logs into an NT machine, a few processes are started automatically, including explorer.exe. These programs normally reside in %winroot% or %winroot%\system32. The problem is that NT looks for these programs first in the user's home directory. If no user folder is specified, it looks in the root of the system drive. Only if the program is not found in that location does NT look in the 'normal' location. This allows any user to rename any executable to one of these filenames and have it run at login, effectively bypassing many policy restrictions. The filenames currently known to work are: explorer.exe, nddeagnt.exe, taskmgr.exe and userinit.exe.
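An audit for the condition described above, as an added example that is not part of the original advisory: it checks the top level of each directory NT consults first (user home directories, root of the system drive) for files carrying one of the four listed names. The function names and the directory tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile

# Filenames the advisory lists as affected.
SHADOW_NAMES = {"explorer.exe", "nddeagnt.exe", "taskmgr.exe", "userinit.exe"}


def find_shadow_binaries(search_dirs, trusted_dirs=()):
    """Return sorted paths of files in search_dirs named like a logon program.

    search_dirs: directories NT consults first (user home directories, or the
    root of the system drive). Only the top level is checked, not subfolders.
    trusted_dirs: the normal locations, excluded from the report.
    """
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}
    hits = []
    for d in search_dirs:
        full = os.path.abspath(d)
        if os.path.normcase(full) in trusted or not os.path.isdir(full):
            continue
        for entry in os.listdir(full):
            path = os.path.join(full, entry)
            # NT filenames are case-insensitive, so compare in lower case.
            if entry.lower() in SHADOW_NAMES and os.path.isfile(path):
                hits.append(path)
    return sorted(hits)


def demo():
    """Build a constructed directory tree and audit it."""
    root = tempfile.mkdtemp()  # stands in for the system drive root
    home_a = os.path.join(root, "users", "alice")
    home_b = os.path.join(root, "users", "bob")
    system32 = os.path.join(root, "winnt", "system32")
    for d in (home_a, home_b, system32):
        os.makedirs(d)
    for path in (os.path.join(home_a, "EXPLORER.EXE"),
                 os.path.join(home_b, "notes.txt"),
                 os.path.join(system32, "userinit.exe"),
                 os.path.join(root, "taskmgr.exe")):
        open(path, "w").close()
    hits = find_shadow_binaries([home_a, home_b, root, system32],
                                trusted_dirs=[system32])
    return [os.path.relpath(h, root) for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print("unexpected logon binary:", hit)
```

On a real system, pass the actual home directories and drive root as `search_dirs` and the %winroot% directories as `trusted_dirs`; any hit is a file that would be found ahead of the normal copy.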