Shortcut to a shortcut to a shortcut...



  • This is going to be an interactive WTF. If you have Windows 7, you can follow along!

    First, test out the right-click Computer > Manage tool. Nice tool, lots of options... ok it works so close it.

    Right click the All Programs button in the Start Menu and click Open All Users. Then navigate to Programs > Administrator Tools. Rename or move the Computer Management tool. Try right clicking Computer and doing Manage again.

    Wait, nothing happens?

    Restore the Computer Management shortcut and try Computer > Manage again. It works this time.

    Is it doing what you think it's doing? Yes. Yes it is. And if the user wants to move or delete that shortcut? Yes, the Manage menu option breaks silently, and the user may never figure out what caused it.

    And it gets better!

    Further inspection reveals that the Manage option actually launches a separate program, CompMgmtLauncher.exe. This program's sole purpose in life is to turn around and launch the aforementioned shortcut from the Start Menu using a hard coded path, then quit. The shortcut then finally fires up the actual Computer Management tool.

    So the Manage option is a shortcut to a shortcut to a shortcut to the Computer Management tool.

    Changing the registry entry for Manage to point to "mmc.exe compmgmt.msc" seems to work perfectly. If there's a reason for the additional levels of indirection, other than incompetence, I don't see it.



  •  That's just... wow.

     The Manage option has a little UAC icon next to it.  Is it possible that has something to do with it?  (I don't know much about how UAC works...)



  • Yep, "Computer Management.lnk" is hardcoded into compmgmtlauncher.exe on Windows 7. But on Vista it used to be "compmgmt.msc".

    But why was this change done? Who knows, maybe to make it easier to change the management utility.



  • Oh it's still (ultimately) compmgmt.msc on 7.

    I think I know why CompMgmtLauncher.exe is used. It is so that if UAC is set on the most restrictive setting, the UAC dialog that appears will specifically mention Computer Management instead of just the Microsoft Management Console. So CompMgmtLauncher is a UAC elevate tool (it's not NECESSARY though). Either way it doesn't justify the weird behavior of CompMgmtLauncher looking for that shortcut...



  • @The MAZZTer said:

    I think I know why CompMgmtLauncher.exe is used. It is so that if UAC is set on the most restrictive setting, the UAC dialog that appears will specifically mention Computer Management instead of just the Microsoft Management Console.

    /me slaps forehead.

    I wonder what thought process was involved.

    "Hey, let's let the user start the manage tool from Computer context menu." - "Why?" - "Dunno." - "Okay, sounds great. But how do we do that?" - "Well, we already have a link to that tool on the start menu, let's just start that link." - "Why?" - "Convenience." - "Right, but what if that link gets deleted?" - "Won't, it's in all users folder. No one ever goes there." - "Yeah, you're right."

    • Vista release -

      "Hey, there's a bug with the manage tool." - "What's it?" - "A user complained he can't start it." - "He didn't delete the shortcut, did he?" - "Haha, good one! No, of course not." - "Then what happens?" - "He clicked the entry in the popup menu and it doesn't start. Instead, a dialog pops up which asks him if he really wanted to start something called Microsoft Management Console." - "Yeah, because that's what he's doing." - "I know, but he doesn't." - "Is he stupid?" - "Pretty much." - "Then why does he run the manage tool in the first place?" - "Because it's there. He probably won't be able to use it, and just ignore it once he's seen it, but he still wants to see it." - "Oh, right. Why did we put that context menu entry there?" - "I think we didn't really think this through." - "Probably. No way to remove it now though. People will be pissed." - "Yeah. But I have an idea." - "Speak." - "We could make a launcher that does nothing but start the link from the start menu, so the confirmation thingy will show computer management instead of mmc." - "Sounds brillant. Let's do that." - "Kay."


  •  Sounds a bit like this video blog from Microchip: http://www.youtube.com/watch?v=3YUvlrVlNao



  • @derula said:

    - Vista release -

    ... "We could make a launcher that does nothing but start the link from the start menu, so the confirmation thingy will show computer management instead of mmc." - "Sounds brillant. Let's do that." - "Kay."

    Except that in Vista it did not start the shortcut, that was changed in Windows 7. In Vista it started mmc.exe.

    Maybe they were supposed to change the shortcut to point to the launcher program, but the guy who was tasked with it did it the other way around. "I'll fix it when I get back from the pub!"



  • My lnk is named 'Computerverwaltung' (German).
    I changed it to aComputerverwaltung, then back to Computerverwaltung. The context menu entry still doesn't work.
    I had to change it to 'Computer Management', but I don't see the new name, as it is hidden and always shown as 'Computerverwaltung'.
    This kind of multilanguage support is very confusing.



  • @SysLord said:

    My lnk is named 'Computerverwaltung' (German).
    I changed it to aComputerverwaltung, then back to Computerverwaltung. The context menu entry still doesn't work.
    I had to change it to 'Computer Management', but I don't see the new name, as it is hidden and always shown as 'Computerverwaltung'.
    This kind of multilanguage support is very confusing.

    Intriguing. And confusing indeed. What the hell, Microsoft?



  • This sounds like an intriguing permissions-elevation exploit waiting to happen.   What if you replace the Computer Management shortcut with a shortcut to something else?   When you right-click Computer -> Manage tool, will it still give you the UAC with the title of "Computer Management"?  Aaand then will it arbitrarily execute your shortcut with higher permissions?

    (I don't have any fancy Windows computers to test this out with, so I'm not even sure if what I suggested makes sense.)



  • @Xyro said:

    This sounds like an intriguing permissions-elevation exploit waiting to happen.   What if you replace the Computer Management shortcut with a shortcut to something else?   When you right-click Computer -> Manage tool, will it still give you the UAC with the title of "Computer Management"?  Aaand then will it arbitrarily execute your shortcut with higher permissions?

    (I don't have any fancy Windows computers to test this out with, so I'm not even sure if what I suggested makes sense.)

     

    It sounds like the shortcut in question is in the All Users directory, which should only be modifiable by a user who has administrator privileges anyway.
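
The claim in the post above (that only administrators can modify the shortcut) can be checked on a given machine; this PowerShell audit is an added example, not part of any post in the thread. It assumes the English-install location of "Computer Management.lnk" under the All Users Start Menu, and the list of trusted SIDs is this example's own choice.

```powershell
# Added example (not from the thread). Assumption: English-install path of the
# shortcut; the folder is "Administrative Tools" under the All Users Start Menu.
$lnk = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk'

# Well-known SIDs treated as trusted writers (an assumption of this audit):
# SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Bits that allow changing or replacing the object, plus GENERIC_ALL / GENERIC_WRITE.
$rights      = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask   = ([int]$rights) -bor 0x10000000 -bor 0x40000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriter([string]$Path) {
    # Return every Allow ACE that applies to $Path itself and grants a
    # write-type right to a principal outside the trusted list.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $trusted -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{n='Path';e={$Path}}, @{n='Sid';e={$_.IdentityReference.Value}}, FileSystemRights
}

if (-not (Test-Path $lnk)) {
    # The thread's original observation: without this file, Manage does nothing.
    "Missing: $lnk (the Manage entry will fail silently)"
} else {
    # Resolve what the shortcut points at, then audit the link, its folder and the target.
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
    $target = [Environment]::ExpandEnvironmentVariables($target)
    $paths  = @($lnk, (Split-Path $lnk -Parent))
    if ($target -and (Test-Path $target)) { $paths += $target }
    "Shortcut target: $target"
    $findings = @($paths | ForEach-Object { Get-UntrustedWriter $_ })
    if ($findings.Count) {
        $findings | Format-Table -AutoSize
    } else {
        'No untrusted principal holds write-type rights on the link, its folder or its target.'
    }
}
```

Any row in the output means a non-administrative principal can alter what the elevated launcher starts, which is the condition the "airtight hatchway" argument depends on being false.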



  • @Xyro said:

    This sounds like an intriguing permissions-elevation exploit waiting to happen.   What if you replace the Computer Management shortcut with a shortcut to something else?   When you right-click Computer -> Manage tool, will it still give you the UAC with the title of "Computer Management"?  Aaand then will it arbitrarily execute your shortcut with higher permissions?

    (I don't have any fancy Windows computers to test this out with, so I'm not even sure if what I suggested makes sense.)

     

    Good point, but I think MMC control panels are code-signed...

    In any case, it's not like Joe Six-pack frequently uses, or even knows about, the Computer Management control panel in the first place. Even if you could replace it, what would be the point if the user won't run it? (Not that I'm suggesting Microsoft shouldn't patch this issue if it exists, just pointing out that it might not be a valuable exploit to the bad guys.)



  • @Tyler said:

    @Xyro said:

    This sounds like an intriguing permissions-elevation exploit waiting to happen.   What if you replace the Computer Management shortcut with a shortcut to something else?   When you right-click Computer -> Manage tool, will it still give you the UAC with the title of "Computer Management"?  Aaand then will it arbitrarily execute your shortcut with higher permissions?

    (I don't have any fancy Windows computers to test this out with, so I'm not even sure if what I suggested makes sense.)

     

    It sounds like the shortcut in question is in the All Users directory, which should only be modifiable by a user who has administrator privileges anyway.

    AKA "It rather involved being on the other side of this airtight hatchway".
    Not a security issue.



  • @blakeyrat said:

    @Xyro said:

    This sounds like an intriguing permissions-elevation exploit waiting to happen.   What if you replace the Computer Management shortcut with a shortcut to something else?   When you right-click Computer -> Manage tool, will it still give you the UAC with the title of "Computer Management"?  Aaand then will it arbitrarily execute your shortcut with higher permissions?

    (I don't have any fancy Windows computers to test this out with, so I'm not even sure if what I suggested makes sense.)

    Good point, but I think MMC control panels are code-signed...

    In any case, it's not like Joe Six-pack frequently uses, or even knows about, the Computer Management control panel in the first place.

    However, Joe six pack does have the habit of just clicking "allow" on the UAC popup.

