Environment… is variable

I love environmental variables. They are often post-worthy, and sometimes they are just simply cool.

Yet, many are still not known. Many are still not described.

Looking for ‘easy’ research targets inside the Windows directory one can scan executables and DLLs looking for either a string or an import reference to the functions that operate on Environment variables:

  • RtlSetEnvironmentVariable
  • setenv
  • SetEnvironmentVariable
  • GetEnv
  • GetEnvironmentVariable
  • ExpandEnvironment

These produce really interesting hits!

Looking at the code of puiobj.dll (PrintUI Objects DLL) we can find a weirdly named environment variable F2ED815E-5F18-4860-A8F2-16471D53C5CF that takes a integer value that seems to be a flag controlling how printer queue jobs are presented.

Looking at curl.exe we see the familiar CURL_HOME reference that can alter the way curl works (configuration file location).

The xcopy.exe takes into consideration the value of COPYCMD.

In 2022 no one remembers mswsock.dll, but it also uses environment variables:

  • SanTcpBypass
  • SanResizeDisable
  • SanRecvPollCount

The same goes for oleaut32.dll:

Many of environment variable tricks are known by now. Today I posted on Twitter and Mastodon about the use of environment variables inside the LNK files which — while not really being a proper evasion since the shell functions are processed within a context of executing process — may give some new opportunities to attackers too.

But there is always more…

Environment variables are very, very prevalent and all over the place. Many of them are kinda invisible, f.ex. many batch files and the aforementioned LNK files rely a lot them, and many of them are batch-file specific, often used internally and not very well documented.

Here’s a snapshot of various environment variables (many of which are not very well known, I think) present inside the LNK and BAT files on a win10 system with a Visual Studio, Bon Jour, NPCAP, Powershell and Python present:

  • %ARGS%
  • %AUT%
  • %AUTDIR%
  • %CABOUTPUT%
  • %CD%
  • %CLIENTPATH%
  • %CRT%
  • %CURRDIR%
  • %CabOutput%
  • %CommandPromptType%
  • %CommonProgramFiles%
  • %DEVENVDIR%
  • %DIR%
  • %DIRECTIVEFILE%
  • %DevEnvDir%
  • %DoDump%
  • %Dot11Support%
  • %ERRORLEVEL%
  • %ExtensionSDKDir%
  • %FSHARPINSTALLDIR%
  • %Framework40Version%
  • %FrameworkDIR32%
  • %FrameworkDIR64%
  • %FrameworkDir%
  • %FrameworkDir32%
  • %FrameworkDir64%
  • %FrameworkVersion%
  • %FrameworkVersion32%
  • %FrameworkVersion64%
  • %HOMEDRIVE%
  • %HOMEPATH%
  • %IFCPATH%
  • %INCLUDE%
  • %KEY_NAME%
  • %LEGACY_MACHINE_SETUP_LOGS_PATH%
  • %LIB%
  • %LIBPATH%
  • %LOCALAPPDATA%
  • %LoopbackAdapter%
  • %MACHINE_AMD64_SETUP_LOGS_PATH%
  • %MACHINE_I386_SETUP_LOGS_PATH%
  • %NETFXSDKDir%
  • %NPCAP_DIR%
  • %OUTPUTDIR%
  • %OutputDir%
  • %PATH%
  • %PERMACHINECLIENTPATH64%
  • %PERMACHINECLIENTPATH86%
  • %PERMACHINE_START_MENU_PATH%
  • %PERUSER_START_MENU_PATH%
  • %PROCESSOR_ARCHITECTURE%
  • %PROGRAMDATA%
  • %PROMPT%
  • %PYTHONHOME%
  • %ProgramFiles%
  • %ProgramW6432%
  • %RANDOM%
  • %RETURNCODE%
  • %SDK%
  • %SENDMAIL%
  • %SID%
  • %SQUISHRUNNER%
  • %SQUISHSERVER%
  • %START_TYPE%
  • %ScriptName%
  • %SendMail%
  • %SyncLogsExclude%
  • %SyncSettingsExclude%
  • %SystemRoot%
  • %TARGET%
  • %TEMP%
  • %TEMPFILE%
  • %TESTCASE%
  • %TESTSUITE%
  • %TEST_INCLUDE%
  • %TEST_LIB%
  • %TMP%
  • %UCRTVersion%
  • %USERPROFILE%
  • %UniversalCRTSdkDir%
  • %VCIDEInstallDir%
  • %VCINSTALLDIR%
  • %VCLIB_GENERAL_OVERRIDE%
  • %VCToolsInstallDir%
  • %VCToolsVersion%
  • %VCVARS_USER_VERSION%
  • %VC_ATLMFC_IncludePath%
  • %VC_ExecutablePath_ARM_ARM%
  • %VC_ExecutablePath_ARM_ARM64%
  • %VC_ExecutablePath_ARM_x64%
  • %VC_ExecutablePath_ARM_x86%
  • %VC_ExecutablePath_x64_ARM%
  • %VC_ExecutablePath_x64_ARM64%
  • %VC_ExecutablePath_x64_x64%
  • %VC_ExecutablePath_x64_x86%
  • %VC_ExecutablePath_x86_ARM%
  • %VC_ExecutablePath_x86_ARM64%
  • %VC_ExecutablePath_x86_x64%
  • %VC_ExecutablePath_x86_x86%
  • %VC_IFCPath%
  • %VC_LibraryPath_ATL_ARM%
  • %VC_LibraryPath_ATL_ARM64%
  • %VC_LibraryPath_ATL_ARM64EC%
  • %VC_LibraryPath_ATL_ARM64EC_spectre%
  • %VC_LibraryPath_ATL_ARM64_spectre%
  • %VC_LibraryPath_ATL_ARM_spectre%
  • %VC_LibraryPath_ATL_x64%
  • %VC_LibraryPath_ATL_x64_spectre%
  • %VC_LibraryPath_ATL_x86%
  • %VC_LibraryPath_ATL_x86_spectre%
  • %VC_LibraryPath_VC_ARM%
  • %VC_LibraryPath_VC_ARM64%
  • %VC_LibraryPath_VC_ARM64EC%
  • %VC_LibraryPath_VC_ARM64EC_Desktop%
  • %VC_LibraryPath_VC_ARM64EC_Desktop_spectre%
  • %VC_LibraryPath_VC_ARM64EC_OneCore%
  • %VC_LibraryPath_VC_ARM64EC_OneCore_spectre%
  • %VC_LibraryPath_VC_ARM64EC_Store%
  • %VC_LibraryPath_VC_ARM64_Desktop%
  • %VC_LibraryPath_VC_ARM64_Desktop_spectre%
  • %VC_LibraryPath_VC_ARM64_OneCore%
  • %VC_LibraryPath_VC_ARM64_OneCore_spectre%
  • %VC_LibraryPath_VC_ARM64_Store%
  • %VC_LibraryPath_VC_ARM_Desktop%
  • %VC_LibraryPath_VC_ARM_Desktop_spectre%
  • %VC_LibraryPath_VC_ARM_OneCore%
  • %VC_LibraryPath_VC_ARM_OneCore_spectre%
  • %VC_LibraryPath_VC_ARM_Store%
  • %VC_LibraryPath_VC_x64%
  • %VC_LibraryPath_VC_x64_Desktop%
  • %VC_LibraryPath_VC_x64_Desktop_spectre%
  • %VC_LibraryPath_VC_x64_OneCore%
  • %VC_LibraryPath_VC_x64_OneCore_spectre%
  • %VC_LibraryPath_VC_x64_Store%
  • %VC_LibraryPath_VC_x86%
  • %VC_LibraryPath_VC_x86_Desktop%
  • %VC_LibraryPath_VC_x86_Desktop_spectre%
  • %VC_LibraryPath_VC_x86_OneCore%
  • %VC_LibraryPath_VC_x86_OneCore_spectre%
  • %VC_LibraryPath_VC_x86_Store%
  • %VC_VC_IncludePath%
  • %VIRTUAL_ENV%
  • %VS160COMNTOOLS%
  • %VSCMD_ARG_APP_PLAT%
  • %VSCMD_ARG_CHAMELEON%
  • %VSCMD_ARG_CLEAN_ENV%
  • %VSCMD_ARG_HELP%
  • %VSCMD_ARG_HOST_ARCH%
  • %VSCMD_ARG_NO_EXT%
  • %VSCMD_ARG_STARTDIR%
  • %VSCMD_ARG_TGT_ARCH%
  • %VSCMD_ARG_VCVARS_SPECTRE%
  • %VSCMD_ARG_VCVARS_VER%
  • %VSCMD_ARG_WINSDK%
  • %VSCMD_ARG_no_logo%
  • %VSCMD_BANNER_SHELL_NAME_ALT%
  • %VSCMD_BANNER_TEXT_ALT%
  • %VSCMD_DEBUG%
  • %VSCMD_SKIP_SENDTELEMETRY%
  • %VSCMD_START_DIR%
  • %VSCMD_TEST%
  • %VSCMD_VCVARSALL_INIT%
  • %VSCMD_VER%
  • %VSINSTALLDIR%
  • %WORKINGDIR%
  • %WORKINGDIRONEDRIVE%
  • %WindowsLibPath%
  • %WindowsSDKDir%
  • %WindowsSDKLibVersion%
  • %WindowsSDKNotFound%
  • %WindowsSDKVersion%
  • %WindowsSDK_ExecutablePath_x64%
  • %WindowsSDK_ExecutablePath_x86%
  • %WindowsSdkBinPath%
  • %WindowsSdkDir%
  • %WindowsSdkVerBinPath%
  • %cmd%
  • %computername%
  • %comspec%
  • %dir%
  • %errorlevel%
  • %findSDK%
  • %match%
  • %originPolicy%
  • %result%
  • %returnValue%
  • %scriptPath%
  • %systemroot%
  • %temp%
  • %windir%

A few more protocol handlers :)

Ug_0Security asked, and I am answering 🙂

Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one of the latest win11 builds; pretty sure some of them appeared in later versions of win10:

appinstaller.oauth2
grvopen
IE.HTTP
microsoft.windows.camera.multipicker
ms-calculator
ms-cortana2
ms-cxh-full
ms-device-enrollment2
ms-eyecontrolspeech
ms-gamebar
ms-insights
ms-meetnow
ms-meetnowflyout
ms-msime-imepad
ms-msime-imjpdct
ms-officecmd
ms-perception-simulation
ms-phone
ms-powerautomate
ms-print-addprinter
ms-print-printjobs
ms-rdx-document
ms-screenclip
ms-screensketch
ms-search
ms-teams
ms-to-do
ms-todo
ms-windows-store-deskext
ms-wxh
ms-xbet-survey
ms-xgpueject
msgamepass
msgamingapp
msnews
mssharepointclient
msxbox