This is NOT a bug or exploit! This key has legitimate use, and, when used with an actual debugger, can make finding and fixing bugs easier! The reason you encounter the issues in the video is that svchost is not a debugger, and instead just exits without doing anything when executed like this, essentially causing winlogon to act as though not present.
@@teknixstuff Yep, that was what I explained in the video - but the fact that Defender doesn't catch the debugger values being used in this way when referencing a system file is somewhat of a concern. They've patched or added Defender flags for other things that aren't outright malicious, like the sethc.exe cmd workaround.
@@yourpcpal Yes, but sethc has obvious security implications and few legitimate uses. Debugging winlogon is a thing that is common to legitimately do, and Microsoft's docs even explain how to do it properly for certain things.
@@teknixstuff you're not getting what I'm saying. Setting that key manually is actually not common at all. In my years of working in IT I've never had to (or heard of anyone else having to) debug winlogon in this way.
Indeed. IFEO is used extensively for bug mitigation (many features, such as fault-tolerant heap, per-process DEP and ASLR etc. are configured here), redirecting executables to another one (this is how the "replace Task Manager with Process Explorer" feature works), deep process tracing and performance monitoring (xperf.exe uses it) and of course attaching a debugger to difficult-to-trap-startup processes (such as system services and Winlogon).
This is why it's an administrator-only key. If you have admin privs and want to "destroy Windows", just delete System32. These Enderman, Britec, LagLife etc. videos are just "style points", as Raymond Chen likes to say.
There's always a cynic. I highly encourage you to make a channel and share your insights/knowledge in video form :)
"There is nothing odd about this [regular installation of Windows XP]"
Yeah. Except for that innocuous Windows Security Icon showing a ToolTip about the currently playing song...
😄
Glad you thought that was a real ToolTip, I must be getting better at Photoshop ;)
Oh crap. This is a nightmare. The fact Windows Defender didn't check this key and instantly remove it is worrisome.
Windows XP never had defender.
@@teknixstuff Oh, it did. And it was horrible. At that time, Microsoft had two optional pieces of software: "Windows Defender" and "Microsoft Security Essentials". Defender didn't really do what it does today, that was MSE's job. Both programs later got merged at some point into what we have now.
What I was saying earlier was about *Windows 10*, where Defender should _definitely_ have caught this, because malware actually does this to stay in the system.
@@teknixstuff Windows 10's version of Defender didn't catch this either, which is probably what they're referencing
Windows Defender in Windows 11 does automatically delete this. I tried to do this on utilman (override accessibility menu with cmd), and the CMD window did appear, but immediately disappeared. And when I log back in, I see that the value is gone.
@BurnerAccount101-ui4et thanks for this comment! Will confirm later. Interesting that they didn't roll out whatever is detecting it to Windows 10.
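The sub-thread above is about whether Defender notices a Debugger value under Image File Execution Options. Whatever a given Defender build does, an administrator can audit the key directly. The script below is an added example, not code from the video or from anyone in this thread; it reads both the native and the WOW6432Node IFEO trees and flags any Debugger value that is not on an allowlist, or that sits on one of the images the thread names (winlogon, sethc, utilman). The allowlist and the sensitive-image list are assumptions to be tuned for your own estate.

```powershell
# Added example, not code from the video or from anyone in this thread: enumerate the
# IFEO tree and report every subkey that carries a Debugger value, flagging the ones a
# defender should look at first. Run from an elevated PowerShell; it only reads the registry.

$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumed allowlist of debuggers/redirect targets you expect to see. Add your own sanctioned
# entries here (e.g. the Notepad++ redirect mentioned in the thread) so they stop being flagged.
$KnownDebuggers = @('windbg.exe', 'windbgx.exe', 'cdb.exe', 'ntsd.exe', 'vsjitdebugger.exe',
                    'procexp.exe', 'procexp64.exe')

# Images named in the thread that have no business carrying a Debugger value on a production
# machine (assumed list; extend as needed).
$SensitiveImages = @('winlogon.exe', 'sethc.exe', 'utilman.exe')

function Get-DebuggerExecutable {
    param([string]$DebuggerValue)
    # The Debugger value is a command line. The first token, which may be quoted because of
    # spaces in the path, is the program that actually gets launched in place of the image.
    $v = $DebuggerValue.Trim()
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -lt 0) { $end = $v.Length }     # unbalanced quote: take the rest of the string
        $first = $v.Substring(1, $end - 1)
    } else {
        $first = ($v -split '\s+', 2)[0]
    }
    return [System.IO.Path]::GetFileName($first).ToLowerInvariant()
}

function Get-IfeoDebuggerFindings {
    foreach ($base in $IfeoPaths) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }   # subkey holds only mitigation flags etc.

            $exe     = Get-DebuggerExecutable $dbg
            $image   = $key.PSChildName.ToLowerInvariant()
            $reasons = @()
            if ($KnownDebuggers -notcontains $exe)  { $reasons += "debugger '$exe' not on allowlist" }
            if ($SensitiveImages -contains $image)  { $reasons += "sensitive image '$image'" }

            [pscustomobject]@{
                Image      = $key.PSChildName
                Debugger   = $dbg
                Key        = $key.Name
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

$findings = @(Get-IfeoDebuggerFindings)
$findings | Sort-Object Suspicious -Descending |
    Format-Table Image, Debugger, Suspicious, Reason -AutoSize

# Non-zero exit when something needs a human, so the script can sit behind a scheduled task
# or a monitoring check rather than only being run by hand.
if ($findings | Where-Object Suspicious) { exit 1 }
```

A legitimate redirect such as the Notepad++ one will show up as suspicious the first time; that is the point of the allowlist: review it once, add it, and anything that appears afterwards is worth a look. Because the script only reads, it is safe to run on a machine you are investigating before deciding what to remove.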
Oh, I use it for opening Notepad++ every time I open Notepad. Clever thing, and I've never thought it could be as hazardous as you showed it. Also never thought this key exists in XP.
this is fucking genius
This is why I always have a PXE backup so I can remote access the hive or just outright reset the registry completely.
Though it does pose a few interesting thoughts, as it allows process co-loading, but those are mainly exploratory thoughts, something to test in a VM at some point.
heyoooooo! enjoying this. it's the first vid I've seen from you and I am now subscribbled to you and hope to see more of ya. dunno if you're new or not but regardless you're makin' it, bc you were in my recommended feed!
Thanks
_yet another "step 0: get administrator privileges" video_
If you have admin privs, just delete System32 to "destroy Windows".
Format the C drive via cmd; it always works to brick Windows.
Very informative and exhaustive video! Good work! Keep it up!
Yes this will work on any Windows NT based version, but the result may be different as it depends on the value you input in the "debugger" parameter.
Inputting a program name that the system will not use at startup (e.g. calc.exe) will result in a blue screen with error 0xC000021A (other possible errors such as 0x3B, 0xEF or 0xF4); otherwise the system may just soft lock with a blank screen.
This seems actually very dangerous. However, is it possible that Microsoft will release an update even for every non-supported Windows version (maybe like when Wannacry was terrorizing the world, Microsoft released an update for Win XP)? Doesn't Windows Defender monitor the registry as part of the Real-Time protection? Great video, hope it gets more views!
Thanks :)
Also to answer your question, I believe Windows Defender does monitor certain registry keys but it seems MS devs have overlooked this one.
@@yourpcpal they rarely do, unless it's a script that does over... I'm not sure how many lines, but it has to be more than the entire script of 20 LTT videos, because of how bad it is
4:50 It's easy. Have a Windows installation ISO file and burn it so that you may use it as recovery media. Open the CMD from it, type "Regedit" and mount the hive which you've played with so that you may undo the change which corrupted your operating system. Do not forget to unmount it later, but NEVER DELETE ITTTTTTT AT ALL COSTTTTT!!!!!
Hey PCPal, I always love your videos! Could you maybe make a video sometime on installing a Windows virus (for educational purposes only, of course)? I think it would be interesting to see how something like this works and what you can learn about the dangers and security of your computer.
I never messed with Regedit before I moved away from Windows; it always felt like a giant minefield. Not that messing with root stuff on other OSes doesn't come with that risk too, but Regedit just felt very clunky for stuff that many would like to do but couldn't outside of it, like file icons and such. Is it better now with PowerShell/Windows Terminal, or nah?
Not really. Think of it like /etc. If you make bad choices messing around on a Linux machine and change the wrong thing, bad things can happen. Prior to Windows 3.1, all programs used .ini files to control settings, but there wasn't a standard for the file structure itself, nor where to put that file. The registry added security protection on different keys restricting other programs from overwriting parts. It also has specific data types it uses, so you know if you're getting a string or an unsigned integer.
In short, the registry is a powerful tool for making Windows consistent and provides a persistent location to save information independent of the location of a program on the filesystem. For all the applications which bundle a version of SQLite with them, they're sort of taking a giant step backwards to before Windows 3.1 and adding an additional level of complexity which makes that information harder for a user to modify.
Doesn't windows keep a backup of a factory fresh copy of your registry??? Couldn't you just go into recovery mode and boot up windows with the backup registry?????
I don't know about the recent versions of Windows. But versions before Windows 10 don't do that. You have to manually make your own backups.
@@DavyB81 Windows 98 did a registry backup with every successful boot.
Please stop giving me ideas
Please reduce flashing lights, like when the VMware logo was flashing after resetting Windows XP.
This channel should be more popular
This is a type of thing a little cousin would do
this is an issue on modern Windows as well as XP then?
@@iGPR3 Yep, haven't tested on 11 yet but it definitely does the same thing on 10, just without a bluescreen
@@yourpcpal damn, Microsoft better hop on this asap. wouldn't be surprised if it takes them a good while though
Lots of registry keys destroy Windows lol
And not just the registry, many, many things you can do with administrator permissions can destroy Windows.
@@icantcomeupwithnames469 Ooh wow 🤣
Thanks genius.
I had no idea that when I have full control of a computer that it's possible to break it. 🤣
Ever loaded a .hiv file into regedit, or formatted a disk?
@@6sicSIX "Ever do basic administrative tasks?"
Yeah?
@@icantcomeupwithnames469 Good, I was just checking your level of competence.
This is the best computer prank ever
And can't you do it in safe mode?
Nope, winlogon is still loaded in safe mode so you just get a black screen.
@@yourpcpal copy that 🍻
On later versions of Windows (e.g. Windows 10), will the Command Prompt (where you can run regedit) from the Recovery Options also work to solve this problem?
Your comment was super interesting. On trying, it seems not, as the whole list of keys doesn't show for some reason.
snipboard.io/S0KW1x.jpg
Yes
@@yourpcpal it's because it's a Windows PE environment which is completely separate from your normal Windows installation.
In theory you should be able to load the hive file the same way in the registry editor (load hive), delete the key, unload the hive, and reboot.
@@yourpcpal You need to load the registry hives from your actual OS image. File > Load Registry Hive, and from memory I think they're in C:\System32\Config.
WinPE is just a cutdown version of Windows, so it still has its own registry, which regedit will open by default
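The last few replies describe the repair: from WinPE, load the installed system's own SOFTWARE hive, remove the winlogon Debugger value, unload, reboot. The script below is an added example of that procedure, not code from the video or from anyone in this thread. It assumes the damaged installation is mounted as C: (WinRE frequently assigns another letter, so check with `dir` first) and that the hive is at C:\Windows\System32\config\SOFTWARE, which is where a standard installation keeps it. Everything goes through reg.exe, which the plain WinRE Command Prompt also has, so if your recovery prompt has no PowerShell the four reg.exe lines can be typed into cmd with the values filled in by hand.

```powershell
# Added example, not code from the video or from anyone in this thread: undo the winlogon
# IFEO change from outside the broken installation, in a WinPE/WinRE session.
# Assumptions: offline Windows is at C:\Windows; hive at C:\Windows\System32\config\SOFTWARE.

$OfflineWindows = 'C:\Windows'
$HiveFile  = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
$MountName = 'HKLM\OfflineSoftware'        # temporary name; any unused name under HKLM works
$IfeoKey   = "$MountName\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe"

if (-not (Test-Path -LiteralPath $HiveFile)) {
    throw "SOFTWARE hive not found at $HiveFile. Check the drive letter of the offline installation."
}

# 1. Mount the offline hive. Edits made under $MountName are written into $HiveFile.
reg.exe load $MountName $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE). Is the hive already loaded, or in use?" }

try {
    # 2. Record what is there before changing it; the Debugger string is worth keeping for notes.
    reg.exe query $IfeoKey 2>$null

    # 3. Remove just the Debugger value. The winlogon.exe subkey can legitimately hold other
    #    settings (mitigation flags and the like), so the whole key is left in place.
    reg.exe delete $IfeoKey /v Debugger /f
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "No Debugger value under $IfeoKey (exit $LASTEXITCODE); nothing to remove."
    }
}
finally {
    # 4. Always unload. A hive that is still loaded stays locked and the edit may not be
    #    flushed to disk, which is the "do not forget to unmount it" advice from the thread.
    reg.exe unload $MountName | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; reboot WinPE before starting the repaired OS." }
}
```

After the unload succeeds, exit WinPE and boot the repaired installation normally. The regedit route in the replies above does the same thing interactively: File > Load Hive on the same file, delete the value, then File > Unload Hive.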
I will never try this since I do not want to any access!!!
This is wild considering I use a combo of Mac and a laptop
Here before your channel explodes like an atomic bomb and gains 100k subs
same lol
Good that it destroys Windows... then you can install some Linux based distro instead... :-)