Using batchpatch for unprivileged user access to system32\config files


  • #12980
    evit
    Participant

    I’m sure everyone has seen this recent vulnerability in Windows which gives unprivileged user access to system32\config files.

    https://kb.cert.org/vuls/id/506989

    Any suggestions on how to use BatchPatch to fix this issue?

    #12981
    doug
    Moderator

    The link you posted contains simple instructions for how to implement a workaround for the vulnerability:

    Vulnerable systems can enable ACL inheritance for files in the %windir%\system32\config directory by running the following command from an elevated prompt:

    icacls %windir%\system32\config\*.* /inheritance:e

    Once the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command:

    vssadmin delete shadows /for=%systemdrive% /Quiet

    Confirm that VSS shadow copies were deleted by running vssadmin list shadows again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected. Please see KB5005357 for more details.

    Each of the three commands mentioned above can be simply dropped, individually, into a ‘Remote Command (Logged Output)’ in BatchPatch.

    icacls %windir%\system32\config\*.* /inheritance:e
    vssadmin delete shadows /for=%systemdrive% /Quiet
    vssadmin list shadows
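
The three commands from the reply above, combined into one PowerShell script that also verifies the result and prints a single OK/FAIL line for logged output. This is an added example, not part of the original posts and not BatchPatch's own code; checking the file ACLs by the BUILTIN\Users SID and counting shadow copies through CIM are assumptions of this example, chosen so the check does not depend on the display language of `icacls` or `vssadmin` output.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the workaround quoted in the thread, then verify it.
$ErrorActionPreference = 'Stop'
$configDir = Join-Path $env:windir 'System32\config'
$usersSid  = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (locale-independent)

# Step 1: re-enable ACL inheritance on the files in the config directory.
& icacls.exe (Join-Path $configDir '*.*') /inheritance:e | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "FAIL icacls exit=$LASTEXITCODE"
    exit 1
}

# Step 2: delete existing shadow copies of the system drive. The exit code is
# not tested here; the count taken in step 3 is the actual check.
& vssadmin.exe delete shadows "/for=$env:SystemDrive" /Quiet | Out-Null

# Step 3: count shadow copies that still belong to the system volume
# (the scripted equivalent of reading 'vssadmin list shadows').
$vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$env:SystemDrive'"
$remaining = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID }).Count

# Step 4: list files in the config directory that still carry an Allow ACE
# granting BUILTIN\Users read access to file data.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$exposed = foreach ($file in Get-ChildItem -LiteralPath $configDir -File -Force) {
    $acl   = Get-Acl -LiteralPath $file.FullName
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $readData)
    }
    if ($hit) { $file.Name }
}

# One-line result so the outcome is readable per host in a log.
if ($exposed -or $remaining -gt 0) {
    Write-Output "FAIL users_readable=[$($exposed -join ',')] shadows_left=$remaining"
    exit 1
}
Write-Output 'OK no Users read ACE on config files, no system-drive shadow copies'
exit 0
```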
