mirror of https://github.com/microsoft/PowerToys.git synced 2026-04-03 09:46:54 +02:00

Files

Kai Tao 87b24afa23 Security: Fix Local privilege escalation via DLL hijack (#46145 )

<!-- Enter a brief description/summary of your PR here. What does it
fix/what does it change/how was it tested (even manually, if necessary)?
-->
## Summary of the Pull Request
Attack vector:
1. user install per machine installer
2. Open an elevated command prompt and verify the newly added PowerToys
PATH entry
3. Inspect the ACL on the DSCModules directory an observe that the
"Authenticated Users" group have inherited Modify permissions
4. Log in as a low-privileged (non-admin) user and confirm that you can
create or modify files in C:\\PowerToys\\DSCModules\. This confirms that
a non-admin user can plant arbitrary DLLs in a system PATH directory.
5. The attacker identifies a DLL that a privileged process (e.g., a
system service or an application running as a different,
higher-privileged user) attempts to load via the standard DLL search
order. The attacker crafts a malicious DLL with the same name and places
it in C:\\PowerToys\\DSCModules.

The fix is to:
* Hardening the PowerToys DSC directory for per-machine custom installs
with correct ACL enforced with wix.

<!-- Please review the items on the PR checklist before submitting-->
## PR Checklist

- [ ] Closes: #xxx
<!-- - [ ] Closes: #yyy (add separate lines for additional resolved
issues) -->
- [ ] **Communication:** I've discussed this with core contributors
already. If the work hasn't been agreed, this work might be rejected
- [ ] **Tests:** Added/updated and all pass
- [ ] **Localization:** All end-user-facing strings can be localized
- [ ] **Dev docs:** Added/updated
- [ ] **New binaries:** Added on the required places
- [ ] [JSON for
signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json)
for new binaries
- [ ] [WXS for
installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs)
for new binaries and localization folder
- [ ] [YML for CI
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml)
for new test projects
- [ ] [YML for signed
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml)
- [ ] **Documentation updated:** If checked, please file a pull request
on [our docs
repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys)
and link it here: #xxx

<!-- Provide a more detailed description of the PR, other things fixed,
or any additional comments/features here -->
## Detailed Description of the Pull Request / Additional comments

<!-- Describe how you validated the behavior. Add automated tests
wherever possible, but list manual validation steps taken as well -->
## Validation Steps Performed

<img width="836" height="449" alt="image"
src="https://github.com/user-attachments/assets/f21a814c-6514-4a86-b214-0984653aaab4"
/>


After upgrade, the ACL:

Path : Microsoft.PowerShell.Core\FileSystem::C:\apps\Power
Toys\DSCModules
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
Audit  :
Sddl :
O:SYG:SYD:P(A;OICIIO;GA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

2026-03-17 11:27:57 +08:00

allow

CmdPal: Add a dock (#45824 )

2026-02-27 13:24:23 +00:00

advice.md

[ci]check-spelling 0.0.22 (#29119 )

2023-11-02 17:16:29 +00:00

candidate.patterns

CmdPal: GEH per partes; part 1: error report builder, sanitizer and internals tools setting page (#44140 )

2026-01-28 21:09:37 -06:00

excludes.txt

CmdPal: Removing Core projects (#45693 )

2026-02-23 06:05:09 -06:00

expect.txt

Security: Fix Local privilege escalation via DLL hijack (#46145 )

2026-03-17 11:27:57 +08:00

line_forbidden.patterns

Updates for check-spelling v0.0.25 (#40386 )

2025-07-08 17:16:52 -05:00

patterns.txt

[Cursor Wrap] Update edge wrap model, update simulator, add cursor logging, add settings support to ModuleLoader (#45915 )

2026-03-04 13:56:32 +00:00

README.md

Check spelling 0 0 21 (#22335 )

2022-11-29 11:41:22 -08:00

reject.txt

Updates for check-spelling v0.0.25 (#40386 )

2025-07-08 17:16:52 -05:00

README.md

check-spelling/check-spelling configuration

File	Purpose	Format	Info
allow.txt	Add words to the dictionary	one word per line (only letters and `'`s allowed)	allow
reject.txt	Remove words from the dictionary (after allow)	grep pattern matching whole dictionary words	reject
excludes.txt	Files to ignore entirely	perl regular expression	excludes
only.txt	Only check matching files (applied after excludes)	perl regular expression	only
patterns.txt	Patterns to ignore from checked lines	perl regular expression (order matters, first match wins)	patterns
candidate.patterns	Patterns that might be worth adding to patterns.txt	perl regular expression with optional comment block introductions (all matches will be suggested)	candidates
line_forbidden.patterns	Patterns to flag in checked lines	perl regular expression (order matters, first match wins)	patterns
expect.txt	Expected words that aren't in the dictionary	one word per line (sorted, alphabetically)	expect
advice.md	Supplement for GitHub comment when unrecognized words are found	GitHub Markdown	advice

Note: you can replace any of these files with a directory by the same name (minus the suffix) and then include multiple files inside that directory (with that suffix) to merge multiple files together.