\nControl Panel\\Legacy CPL Map<\/li>\n<\/ul>\n
By opening a number of CPL files and filtering procmon logs to focus on the ‘Legacy CPL Map’ keys only we can quickly confirm that anytime the .cpl file is launched, the system ‘talks’ to the Registry to check the respective ‘Legacy CPL Map’ setting for the applet:<\/p>\n
Each key represent the legacy setting for a given applet and can contain one of two values:<\/p>\n The first is a canonical name of the applet we wish to replace the legacy applet with (f.ex. could use ‘Microsoft.PowerOptions’). The name is then used by the IOpenControlPanel::Open<\/a> method to launch the mapped applet.<\/p>\n The second is just a command line that will be passed to ShellExecuteEx function.<\/p>\n Obviously, both can be abused.<\/p>\n Let’s have a look at the easy one – the ShellExecute.<\/p>\n The settings:<\/p>\n are being accessed when we click the ‘Additional Power Settings’ button under Settings\\Power & Sleep:<\/p>\n By setting this value to calc.exe, we will launch the Calculator anytime someone tries to launch these settings:<\/p>\n This is what procmon sees when we click the button:<\/p>\n Of course, relying on Power Options is probably not enough – some users don’t touch it all. But… There is plenty of other .cpl files to look at…<\/p>\n Another interesting feature: one could add ‘c:\\WINDOWS\\system32\\powercfg.cpl’, or any other .cpl to one of the standard Startup locations and it will never raise suspicion since it’s a Microsoft-signed binary. Once the Startup entry is launched, the calc.exe (or possible malware) will pop up!<\/p>\n","protected":false},"excerpt":{"rendered":" The need to test modules and the will to support legacy stuff have one thing in common – at least on Windows. These functions are heavily integrated with the system and both offer lots of various built-in mechanisms that can … Continue reading ![](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/cplmap.png\")
<\/a>The keys stored underneath include names of the Control Panel applets, and can be CPL names (f.ex. main.cpl), canonical names<\/a> (f.ex.: Microsoft.PowerOptions, Microsoft.EaseOfAccessCenter), or DLLs (f.ex. ntvdmcpl.dll \/this is the one that actually led me to this discovery\/).<\/p>\n\n
\n
\nControl Panel\\Legacy CPL Map\\Microsoft.PowerOptions\\ShellExecute<\/li>\n<\/ul>\n![](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/cplmap3-300x207.png\")
<\/a><\/p>\n![](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/cplmap4-300x270.png\")
<\/a><\/p>\n![](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/cplmap2-300x36.png\")
<\/a><\/p>\n\n