Windows XP Professional System Restore files open to unauthorized access by local users

  
Affected program: Windows XP Professional

Description: Windows XP Professional System Restore files can be accessed by local users without authorization.

Details: In Windows XP Professional (Gold), System Restore files lack proper NTFS ACL protection, which local attackers can exploit to gain unauthorized access to sensitive system information.

Windows XP Professional (Gold) stores System Restore files in the "System Volume Information" directory. Because this directory is protected by ACLs, normal users usually cannot access the restore files. However, the System Restore directory itself and its subdirectories are not protected by NTFS ACLs, so any local user who can specify the path of a subdirectory can access the restore files, and sensitive system information is leaked.

Typically, a user can find the path of the System Restore directory by running:

    c:\> reg query "HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" /v "System Restore"

and then use the CD command to enter the directory:

    c:\> cd \System Volume Information\_restore{8716531F-212F-45F1-8BAA-FB69F0C7FAEF}

At this point, inside the restore directory, you will find a directory called "snapshot" that contains registry hives:

    _REGISTRY_MACHINE_SAM
    _REGISTRY_MACHINE_SECURITY
    _REGISTRY_MACHINE_SOFTWARE
    _REGISTRY_MACHINE_SYSTEM
    _REGISTRY_USER_.DEFAULT
    _REGISTRY_USER_NTUSER_S-1-5-18
    .....

These hive files are accessible to every local user without authorization. A malicious local user will likely modify the SOFTWARE hive, and the changes will take effect once the administrator has run a system restore.

Windows XP with SP1 installed is not affected by this defect.
Solution: Windows XP Professional users affected by this defect are advised to download and install SP1:

http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/default.ASP

Additional information: None
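
To check whether a given System Restore directory carries the weak ACLs described above, the following added example (not part of the original advisory) lists every Allow entry granted to anyone other than SYSTEM or Administrators on the directory, its subdirectories and the files in them. It assumes a host with PowerShell 3.0 or later, for example an analysis workstation with the XP volume attached; the function name, the drive letter E: and the allow-list of two SIDs are assumptions made for the example.

```powershell
# Added example, not code from the advisory.
# Assumption: below _restore{...} only SYSTEM (S-1-5-18) and
# BUILTIN\Administrators (S-1-5-32-544) should hold Allow ACEs.
function Find-RestoreAclExposure {
    param(
        [Parameter(Mandatory = $true)][string]$RestorePath,
        [string[]]$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')
    )
    # Ask for ACEs keyed by SID so the check does not depend on localized names.
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # The restore directory itself plus everything beneath it (snapshot, hive files).
    $items = @(Get-Item -LiteralPath $RestorePath -Force) +
             @(Get-ChildItem -LiteralPath $RestorePath -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit and inherited rules both matter for effective access.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($AllowedSids -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Restore directory name as reported by the reg query in the advisory;
# the drive letter E: (attached XP volume) is an assumption.
$path = 'E:\System Volume Information\_restore{8716531F-212F-45F1-8BAA-FB69F0C7FAEF}'
Find-RestoreAclExposure -RestorePath $path | Format-Table -AutoSize
```

An empty result means no principal outside the allow-list holds an Allow entry; any row for a SID such as S-1-1-0 (Everyone) or S-1-5-32-545 (Users) marks a path that ordinary local users can reach.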
Copyright © Windows knowledge All Rights Reserved