As part of an user experience the Event Viewer offers a clickable Event Log Online Help<\/em> link:<\/p>\n\n\n\n When the link is clicked, the mmc.exe <\/em>will open a default help Microsoft link which will be rendered by the currently set up (default) browser. <\/p>\n\n\n\n It turns out that the default setting of this feature can be changed. It is very nicely described here<\/a>, but the bottom line is that we can launch a program of our choice instead of the default browser; we just need to modify one, or more of the following registry entries:<\/p>\n\n\n\n The MicrosoftRedirectionURL <\/em>can be changed to e.g. file:\/\/c:\\windows\\system32\\notepad.exe<\/em>, or MicrosoftRedirectionProgram<\/em> can point to the executable directly. One can also tinker with the command line parameters e.g. in a combo with a lolbin.<\/p>\n\n\n\n There is one gotcha moment while setting up this thing – there exist Wow6432Node<\/em> equivalent for these entries, but they don’t seem to be usable; even if entries under this key are changed, and the Event Viewer is launched from a syswow64<\/em> directory (to enforce 32-bit version), the OS will still launch the proper 64-bit version anyway. Perhaps there is a way to enforce the 32-bit version to run, but I have not explored it<\/p>\n\n\n\n Also, we want to ensure the user is not asked for approval to send the data from the log to Microsoft (this dialog box shows up before the program is ran):<\/p>\n\n\n\n To do so, we just need to ensure this DWORD is changed to 0:<\/p>\n\n\n\n And that’s it. Plus, it’s time for a small bonus.<\/p>\n\n\n\n While I was playing around with Event Viewer, I noticed that it uses Richedit control to render the data it shows. One of the features of this control is that it is automatically recognizing URLs embedded inside the data. As such, it highlights them and make them clickable.<\/p>\n\n\n\n A malicious user could inject a malicious link pointing to a full path on a disk into the logs (e.g. if sysmon is logging, or 4688+cmd line logging is enabled), and then make the richedit convert this path into a clickable link. When I posted<\/a> this discovery on Twitter, it got immediately evilriched by Brent Muir<\/a>, who asked if it could be used as a privilege escalation. This was confirmed by me and Csaba Fitzl<\/a> in the same thread<\/a>. Thanks to everyone who chipped in on that thread.<\/p>\n","protected":false},"excerpt":{"rendered":" This is yet another feature of Windows. This time it is a configuration settings for Event Viewer. When you open the program via eventvr.exe\/msc it will launch the mmc.exe which in turn will load an Event Viewer snap-in. The Event … Continue reading ![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/02\/eventviewer.png\")
<\/a><\/figure>\n\n\n\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\
CurrentVersion\\Event Viewer\\<\/pre>\n\n\n\n<\/a><\/figure>\n\n\n\nHKCU\\Software\\Microsoft\\Windows NT\\
CurrentVersion\\Event Viewer\\ConfirmUrl=0
<\/pre>\n\n\n\n