From 87b24afa235b8f7e2dff563c84496a8387fbb163 Mon Sep 17 00:00:00 2001
From: Kai Tao <69313318+vanzue@users.noreply.github.com>
Date: Tue, 17 Mar 2026 11:27:57 +0800
Subject: [PATCH] Security: Fix Local privilege escalation via DLL hijack
(#46145)
## Summary of the Pull Request
Attack vector:
1. User installs the per-machine installer
2. Open an elevated command prompt and verify the newly added PowerToys
PATH entry
3. Inspect the ACL on the DSCModules directory and observe that the
"Authenticated Users" group has inherited Modify permissions
4. Log in as a low-privileged (non-admin) user and confirm that you can
create or modify files in C:\\PowerToys\\DSCModules\. This confirms that
a non-admin user can plant arbitrary DLLs in a system PATH directory.
5. The attacker identifies a DLL that a privileged process (e.g., a
system service or an application running as a different,
higher-privileged user) attempts to load via the standard DLL search
order. The attacker crafts a malicious DLL with the same name and places
it in C:\\PowerToys\\DSCModules.
The fix is to:
* Harden the PowerToys DSC directory for per-machine custom installs
with the correct ACL enforced with WiX.
## PR Checklist
- [ ] Closes: #xxx
- [ ] **Communication:** I've discussed this with core contributors
already. If the work hasn't been agreed, this work might be rejected
- [ ] **Tests:** Added/updated and all pass
- [ ] **Localization:** All end-user-facing strings can be localized
- [ ] **Dev docs:** Added/updated
- [ ] **New binaries:** Added on the required places
- [ ] [JSON for
signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json)
for new binaries
- [ ] [WXS for
installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs)
for new binaries and localization folder
- [ ] [YML for CI
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml)
for new test projects
- [ ] [YML for signed
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml)
- [ ] **Documentation updated:** If checked, please file a pull request
on [our docs
repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys)
and link it here: #xxx
## Detailed Description of the Pull Request / Additional comments
## Validation Steps Performed
After upgrade, the ACL:
Path : Microsoft.PowerShell.Core\FileSystem::C:\apps\Power
Toys\DSCModules
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
Audit :
Sddl :
O:SYG:SYD:P(A;OICIIO;GA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
.github/actions/spell-check/expect.txt | 9 +++++----
installer/PowerToysSetupVNext/DscResources.wxs | 10 ++++++++++
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index 2a5185c79b..da93694080 100644
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -528,6 +528,7 @@ GPOCA
gpp
gpu
gradians
+GRGX
GSM
gtm
guiddata
@@ -715,7 +716,6 @@ jpnime
Jsons
jsonval
jxr
-kbmcontrols
keybd
KEYBDDATA
KEYBDINPUT
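Review bot: the removal of `kbmcontrols` in this hunk is unrelated to the ACL change, and the same goes for the `mfalse` and `mtrue` removals in the two hunks that follow. In a commit whose subject is a security fix, allow-list cleanup of this kind makes the change harder to audit and to cherry-pick into a servicing branch. Suggest moving the three removals to a separate commit and keeping only the additions that read as SDDL tokens (`GRGX`, `OICI`, `OICIIO`, `PAI`) here.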
@@ -862,7 +862,6 @@ Metacharacter
metafile
metapackage
mfc
-mfalse
Mgmt
Microwaved
midl
@@ -924,7 +923,6 @@ mstsc
msvcp
MT
MTND
-mtrue
MULTIPLEUSE
multizone
muxc
@@ -1048,6 +1046,8 @@ OEMCONVERT
officehubintl
OFN
ofs
+OICI
+OICIIO
oldcolor
olditem
oldpath
@@ -1081,6 +1081,7 @@ Packagemanager
PACL
padx
pady
+PAI
PAINTSTRUCT
PALETTEWINDOW
PARENTNOTIFY
@@ -1345,7 +1346,7 @@ SCREENFONTS
screensaver
screenshots
scrollviewer
-SDDL
+sddl
SDKDDK
sdns
searchterm
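Review bot: the entry `SDDL` is replaced by `sddl` in this hunk rather than a lowercase entry being added beside it, and the commit message does not say why. The validation output spells it `Sddl`, so if the intent is a single entry that covers every casing, state that in the description; otherwise confirm that existing uses of the uppercase form still pass the spell check after this change.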
diff --git a/installer/PowerToysSetupVNext/DscResources.wxs b/installer/PowerToysSetupVNext/DscResources.wxs
index 2c08253229..0a3123c3a9 100644
--- a/installer/PowerToysSetupVNext/DscResources.wxs
+++ b/installer/PowerToysSetupVNext/DscResources.wxs
@@ -22,6 +22,16 @@
+
+
+
+
+
+
+
+
+
+
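Review bot: the ten added lines at `@@ -22,6 +22,16 @@` show no content in this view, so the descriptor applied to the DSCModules directory cannot be compared with the validated one in the commit message, `D:P(A;OICIIO;GA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)`. Two things to confirm in DscResources.wxs: that the DACL is written as protected, since that is what drops the inherited "Authenticated Users" Modify ACE described in the attack steps, and that the BUILTIN\Users ACE grants read and execute only (GR plus GX resolves to the `0x1200a9` seen in the output). The validation section covers the upgrade case only; suggest adding the same `Get-Acl` check for a fresh per-machine install to a custom path, and a short comment next to the new element stating why the ACL is pinned.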