JSI Tip 2907. Placing a program named Explorer.exe in the C: root can replace the shell?

Jerold Schulman

October 11, 2000



Contrary to the Windows 2000 documentation, the path search performed during startup begins at the C: root.

Any user could copy a program, named Explorer.exe, to the C: root, and it would be run instead of the shell, which is invoked via the following registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

NOTE: The Shell value contains the Explorer.exe string. If the string included the full path to Explorer.exe, C:\WinNT\Explorer.exe by default, this behavior would not happen.
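
A present-day audit of the condition described above, as an added PowerShell example (not from the original tip or from Microsoft): it reads the Winlogon Shell value, reports whether each entry is a fully qualified path, and looks for a same-named file in the C: root. The function names are hypothetical; splitting the value on commas and treating an extensionless name as .exe are assumptions.

```powershell
# Added example (not from the original tip). Function names are hypothetical.
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ShellProgram {
    param([string]$Entry)
    # Program part of one Shell entry, with any arguments dropped.
    $e = $Entry.Trim()
    if ($e.StartsWith('"')) {
        $end = $e.IndexOf('"', 1)
        if ($end -gt 0) { return $e.Substring(1, $end - 1) }
        return $e.Trim('"')
    }
    # Unquoted: cut at the first space. A rooted path containing spaces is
    # truncated, but its drive prefix still marks it as qualified.
    return ($e -split '\s+', 2)[0]
}

function Test-ShellEntry {
    param([string]$Entry, [string]$RootDir = 'C:\')
    $program   = Get-ShellProgram $Entry
    # Qualified means a drive-letter path (C:\...) or a UNC path (\\server\...).
    $qualified = $program -match '^([A-Za-z]:\\|\\\\)'
    $rootCopy  = $null
    $exists    = $false
    if (-not $qualified) {
        # Only an unqualified name depends on the search order, so only
        # then is a same-named file in the root directory relevant.
        $leaf = Split-Path -Leaf $program
        # Assumption: a name without an extension is looked up as .exe.
        if (-not [System.IO.Path]::HasExtension($leaf)) { $leaf += '.exe' }
        $rootCopy = Join-Path $RootDir $leaf
        $exists   = Test-Path -LiteralPath $rootCopy -PathType Leaf
    }
    [pscustomobject]@{
        Entry          = $Entry.Trim()
        FullyQualified = $qualified
        RootCopy       = $rootCopy
        RootCopyExists = $exists
    }
}

# Assumption: the value may list several programs separated by commas.
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell).Shell
$shell -split ',' |
    Where-Object { $_.Trim() } |
    ForEach-Object { Test-ShellEntry $_ } |
    Format-List
```

An entry with FullyQualified false and RootCopyExists true matches the condition this tip describes.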

Microsoft has released a hotfix to correct this vulnerability, which will probably be included in SP2. If you want it now, download Q269049_w2k_sp2_x86_en.exe.

The English version of this fix should have the following file attributes or later:

   Date      Time    Size     File name
   ---------------------------------------
   07/18/00  05:07p  331,536  Msgina.dll
   07/18/00  05:07p   17,680  Userinit.exe

For Windows NT 4.0, the fix is at

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23360.

NOTE: Select Intel or Alpha.

The English version of this fix should have the following file attributes or later:

   Date      Time    Size     File name   Platform
   -----------------------------------------------
   07/18/00  07:27p  124,176  Msgina.dll  Intel
   07/18/00  07:25p  160,528  Msgina.dll  Alpha

For Windows NT Server 4.0, Terminal Server Edition, the fix is at

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23421.

NOTE: Select Intel, Q269049i.EXE, or Alpha, Q269049a.EXE.

The English version of this fix should have the following file attributes or later:

   Date      Time    Size     File name   Platform
   -----------------------------------------------
   07/18/00  07:22p  207,120  Msgina.dll  Intel
   07/18/00  07:08p  259,344  Msgina.dll  Alpha

