Author Archives: adam

little secret of msconfig.exe

Posted on by

This post doesn’t include anything ground breaking, but is just yet another attempt to describe/document less-known command line arguments of many known, often native to the platform, Windows programs.

When you launch msconfig.exe it shows a well-known configuration dialog box:

It turns out the program accepts less-known command line arguments f.ex.:

  • -/auto
  • -/basic – seems to be selecting some GUI controls on UI, but need to explore more
  • -/commit <number> – where <number> is a tab on the GUI shown above
  • 1 = General
    • no action is taken
  • 2 = Boot
  • 3 = Services
  • 4 = Startup

All these options make the program write some Registry settings that don’t seem to be too important per se.

For example, 

msconfig /commit 2

writes

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\state\bootini = 0

to Registry. It’s not really that interesting.

Still, worth documenting.

1 little known secret of forfiles.exe, part 2

Posted on by

In this old post I have demonstrated how to abuse forfiles.exe to run your ‘cmd.exe’ of choice.

There is one more trick we can do with this tool.

When forfiles.exe enumerates the files it executes a default command cmd /c echo @file. It turns out that the execution of this command expands environment variables as well…

So…

If we create a file called %foo%, and make sure that there is an environmental variable called foo, we can now control the cmd /c echo @file command and force it to do some unusual stuff.

For example:

  • create a file called %foo%
  • set foo to “&calc.exe&”
  • run forfiles

– it will enumerate files in a directory, print their names, and when it will come across the %foo% file, it will also … execute calculator…

This happens because cmd /c echo @file gets expanded to cmd /c echo %foo% which in turn will be executed as “echo “&calc.exe&”“.