Hi @ll, poor implementation is one of the most notable^Wnotorious properties of Windows, providing it with a HUGE attack surface -- and Microsoft just doesn't care! Case/issue 67: FOR NO GOOD REASON, ONLY privileged processes running under the SYSTEM account share their TEMP directory since 20 years with all (unprivileged) users, allowing local escalation of privilege. At least the following CWEs apply: For some of the resulting vulnerabilities see , , alias or , alias or , alias , ... Act 1 (History): ~~~~~~~~~~~~~~~~ With Windows 2000, Microsoft moved all user profiles from their previous (original) location "%SystemRoot%\Profiles\" into the then new directory "%SystemDrive%\Documents and Settings\" They also introduced a user profile for the (privileged) user account "NT AUTHORITY\SYSTEM" alias "LocalSystem" in the new directory "%SystemRoot%\System32\Config\SystemProfile\" Additionally the world-writable TEMP directory "%SystemRoot%\Temp\", which was shared by all users in previous versions of Windows NT, was replaced with private and separate TEMP directories "%USERPROFILE%\Local Settings\Application Data\Temp\" alias "%SystemDrive%\Documents and Settings\%USERNAME%\Local Settings\Application Data\Temp\" located within the user profiles -- EXCEPT for the SYSTEM account, which continued (and still continues) to use the (still world-writable) directory "%SystemRoot%\Temp\"! What (or who) but stopped them from moving the TEMP directory for the SYSTEM account into its user profile? First chance lost! Act 2 (History): ~~~~~~~~~~~~~~~~ With Windows XP, Microsoft added the (unprivileged) user accounts "NT AUTHORITY\LocalService" and "NT AUTHORITY\NetworkService", placed their user profiles in the new directory "%SystemRoot%\ServiceProfiles\", set their user environment variables TEMP and TMP to %USERPROFILE%\Local Settings\Application Data\Temp, and created their private TEMP directory within both user profiles. What (or who) but stopped them from moving the TEMP directory for the SYSTEM account into its user profile? Second chance lost! Act 3 (History): ~~~~~~~~~~~~~~~~ With Windows Vista, Microsoft relocated the "normal" user profiles into the directories "%SystemDrive%\Users\%USERNAME%\", while the other user profiles remained in the directories introduced with Windows 2000 and Windows XP. Also ALL user accounts except SYSTEM kept their private and separate TEMP directory, now "%USERPROFILE%\AppData\Local\Temp\" alias "%SystemDrive%\Users\%USERNAME%\AppData\Local\Temp\" for "normal" user accounts and "%SystemRoot%\ServiceProfiles\%USERNAME%\AppData\Local\Temp\" for the service user accounts. What (or who) but stopped them from moving the TEMP directory for the SYSTEM account into its user profile? Third chance lost! Act 4 (Today): ~~~~~~~~~~~~~~ And now the highlight: at least since Windows 7, Microsoft finally sets the user environment variables TEMP and TMP of the SYSTEM account to "%USERPROFILE%\AppData\Local\Temp\" too, despite the missing directory "%SystemRoot%\System32\Config\SystemProfile\AppData\Local\Temp\" in its user profile! Start the registry editor and take a look into the registry keys [HKEY_CURRENT_USER\Environment] [HKEY_LOCAL_MACHINE\SOFTWARE\DefaultUserEnvironment] [HKEY_USERS\.DEFAULT\Environment] [HKEY_USERS\S-1-5-18\Environment] ; S-1-5-18 = LocalSystem [HKEY_USERS\S-1-5-19\Environment] ; S-1-5-19 = LocalService [HKEY_USERS\S-1-5-20\Environment] ; S-1-5-20 = NetworkService They ALL contain at least the following two registry entries: "TEMP"=expand:"%USERPROFILE%\\AppData\\Local\\Temp" "TMP"=expand:"%USERPROFILE%\\AppData\\Local\\Temp" "Thanks" to BRAINDEAD and UNDOCUMENTED behaviour, Windows but ignores the TEMP and TMP user environment variables under the SYSTEM account; processes started there use the system environment variables instead, which are present in the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Environment] "TEMP"=expand:"%SystemRoot%\\TEMP" "TMP"=expand:"%SystemRoot%\\TEMP" Since unprivileged users can create files and subdirectories in the directory "%SystemRoot%\TEMP", this constitutes a well-known and well-documented weakness, allowing local escalation of privilege to SYSTEM! REMEDIATION: ~~~~~~~~~~~~ 1. Interactive In an already and running installed system, create the directory "%SystemRoot%\System32\Config\SystemProfile\AppData\Local\Temp\", then run SystemPropertiesAdvanced.exe and set the environment variables per GUI to the value %USERPROFILE%\AppData\Local\Temp 2. Unattended Write a batch script that creates the missing directory with one of the following (equivalent) command lines MKDIR "%SystemRoot%\System32\Config\SystemProfile\AppData\Local\Temp" MKDIR "%USERPROFILE%\AppData\Local\Temp" MKDIR "%LOCALAPPDATA%\Temp" and sets the system environment variables TEMP and TMP, for example per SETX.exe /M TEMP ^%USERPROFILE^%\AppData\Local\Temp SETX.exe /M TMP ^%USERPROFILE^%\AppData\Local\Temp or per REG.exe ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Environment" /V TEMP /T REG_EXPAND_SZ /D ^%USERPROFILE^%\AppData\Local\Temp /F REG.exe ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Environment" /V TMP /T REG_EXPAND_SZ /D ^%USERPROFILE^%\AppData\Local\Temp /F Deploy this script on your Windows installation media as \sources\$OEM$\$$\Setup\Scripts\SetupComplete.cmd, or specify your $OEM$\ directory with this script in the command line of Windows' installation program: SETUP.exe /M="" stay tuned, and far away from (not just Microsoft's) poorly implemented crap Stefan Kanthak