The Windows HiveNightmare bug: what it is and how to fix it

As if the Windows printing nightmare, which has been haunting all of our printers, wasn’t enough…

…here is another bug, published by Microsoft on 20/07/2021, which could reveal important secrets from the Windows registry.

This bug, officially labelled CVE-2021-36934, has acquired the nicknames HiveNightmare and SeriousSAM.

The name HiveNightmare comes from the fact that Windows stores its registry data in a small number of proprietary database files, known as hives or hive files in Microsoft jargon.

These files include three called SAM, SECURITY and SYSTEM, which together contain important data, including password data and security settings, that ordinary users should not be able to access.

They are stored in a special and supposedly secure folder in the Windows directory called C:\Windows\System32\config, as you can see here:

C:\Windows\System32\config>dir
[. . .]
 Directory of C:\Windows\System32\config
[. . .]
07/21/2021  12:57           524,288 BBI
06/25/2021  06:21            28,672 BCD-Template
07/21/2021  14:45            32,768 COMPONENTS
07/21/2021  12:57           786,432 DEFAULT
07/21/2021  12:32         4,194,304 DRIVERS
[. . .]
07/21/2021  12:57            65,536 SAM       <-- secrets in here
07/21/2021  12:57            32,768 SECURITY  <-- secrets in here
07/21/2021  12:57        87,556,096 SOFTWARE
07/21/2021  12:57        11,272,192 SYSTEM    <-- secrets in here
[. . .]

The name SeriousSAM comes from the filename SAM, which is short for Security Account Manager, a name that makes the contents of the file sound as serious as they are.


If you have ever used password crackers or hacking tools (or found them on your network shortly after an active attack was discovered), you will know that the SAM database is a prime target for anyone trying to get hold of administrator credentials in order to roam your network.

Fortunately, you are supposed to need administrator access to read the SAM data in the first place, and you cannot read the SAM registry hive file from disk while Windows is running, even if you are an administrator, because the files shown above are locked for use by the operating system alone.

Who Can See What?

We wrote a little C program that you can use as an “accessibility meter” for any file: it simply tries to open, for reading, each filename you give it on the command line, and reports the Windows error code whenever a file cannot be opened.

(The code below is in the public domain, so anyone can do whatever they like with it, but use it at your own risk.)

You don’t even need the Windows header files to compile it; just tell your compiler or linker that it needs kernel32.dll and msvcrt.dll:

/* CHKIT.C - no Windows headers needed, just these prototypes */
void *CreateFileA(char *name, unsigned mode, unsigned share, void *sec, unsigned disp, unsigned attr, void *tmpl);
int CloseHandle(void *hnd);
unsigned GetLastError(void);
int printf(char *fmt, ...);

int main(int argc, char **argv) {
   for (int i = 1; i < argc; i++) {
      printf("Open file [%s]\n", argv[i]);
      /* 0x80000000 = GENERIC_READ, share 0 = exclusive, 3 = OPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL */
      void *hnd = CreateFileA(argv[i], 0x80000000L, 0, 0, 3, 0x80, 0);
      if (hnd == (void *)-1) {   /* INVALID_HANDLE_VALUE: open failed, ask why */
         printf("Failed (GetLastError=0x%08X)\n", GetLastError());
      } else {
         printf("Worked (handle=%p)\n", hnd);
         CloseHandle(hnd);
      }
   }
   return 0;
}

From an elevated command prompt (i.e. one running as administrator) we get the following output:

C:\Users\duck>chkit C:\Windows\System32\config\SAM C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SECURITY
Open file [C:\Windows\System32\config\SAM]
Failed (GetLastError=0x00000020)
Open file [C:\Windows\System32\config\SYSTEM]
Failed (GetLastError=0x00000020)
Open file [C:\Windows\System32\config\SECURITY]
Failed (GetLastError=0x00000020)

Error 0x20 means ERROR_SHARING_VIOLATION, officially described by Microsoft as “The process cannot access the file because it is being used by another process”.

Let’s repeat this from a non-elevated command prompt, where we’re running chkit as a regular user:

C:\Users\duck>chkit c:\windows\system32\config\sam
Open file [c:\windows\system32\config\sam]
Failed (GetLastError=0x00000020)

Wait. We should have failed immediately with error 0x05, short for an explicit ERROR_ACCESS_DENIED.

Error 0x20 means that we were allowed to open the file, and only failed because it happened to be in use at the time, rather than being blocked right at the start from even trying to open it.

And if we look at the ACL (Access Control List) for the SAM hive file, for example with the ICACLS utility, we can see that this behaviour is the result of a security flaw:

C:\Users\duck>icacls C:\Windows\System32\config\SAM
C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               BUILTIN\Users:(I)(RX)  <-- this is wrong - regular users shouldn't have read access!
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

In other words, the SAM registry data (and the SECURITY and SYSTEM hive files as well) are protected from unprivileged access at runtime only because the files are in use elsewhere, and not because regular users are blocked from reading them in the first place.

What to do? Microsoft’s official workaround is to tighten the access control lists (ACLs) on everything in, and below, the CONFIG directory.

You need to be an administrator, and to use ICACLS to change the security settings:

C:\Users\duck>icacls %windir%\system32\config\*.* /inheritance:e
processed file: C:\Windows\system32\config\BBI
[. . .]
processed file: C:\Windows\system32\config\SAM
[. . .]
processed file: C:\Windows\system32\config\SECURITY
[. . .]
processed file: C:\Windows\system32\config\SYSTEM
[. . .]
Successfully processed 42 files; Failed processing 0 files

Now the ACL for the SAM file that we checked above looks much healthier:

Successfully processed 1 files; Failed processing 0 files
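To automate the ACL check that the icacls listings above are doing by eye, here is an added example (not from the original article) that parses icacls output and flags any principal other than an assumed allow-list of BUILTIN\Administrators and NT AUTHORITY\SYSTEM that is granted read access to a hive file. The icacls text it runs on is a constructed sample modelled on the listing shown earlier.

```python
import re

# icacls prints one ACE per line as "<principal>:(flag)...(perm)"; the first
# line for each file is prefixed with the file path (no spaces in these paths).
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<ace>(?:\([A-Za-z,]*\))+)")
# Assumed allow-list: the only principals that should appear on the hive files.
ALLOWED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}
# Simple rights that imply read access (F=full, M=modify, RX=read+execute, R=read);
# granular lists such as (RD,RA) are covered by the RD and GR tokens.
READ_TOKENS = {"F", "M", "RX", "R", "GR", "RD"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

def grants_read(ace):
    """True if an icacls ACE string such as "(I)(RX)" allows reading."""
    parts = re.findall(r"\(([^)]*)\)", ace)
    if "DENY" in parts:
        return False                     # an explicit deny never exposes data
    return any(tok in READ_TOKENS
               for part in parts if part not in INHERIT_FLAGS
               for tok in part.split(","))

def hive_exposure(icacls_output):
    """Return (path, principal, ace) for every readable ACE of a non-allowed principal."""
    findings, path = [], None
    for raw in icacls_output.splitlines():
        line = raw.split("<--")[0].rstrip()   # ignore annotations like the ones above
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw.startswith(" "):           # unindented line starts a new file
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        principal = m.group("principal").strip()
        if principal not in ALLOWED and grants_read(m.group("ace")):
            findings.append((path, principal, m.group("ace")))
    return findings

# Constructed sample in the shape of the icacls listing shown earlier on this page.
SAMPLE = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)  <-- this is wrong
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, ace in hive_exposure(SAMPLE):
        print(f"{path}: {who} can read this hive via {ace}")
```

Feed it the real output of icacls on the three hive files; an empty result after the /inheritance:e fix is what you want to see.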

When we try to re-open the live SAM registry hive file from a non-admin command prompt, we no longer get error 0x20.

We now get the clearly security-related error 0x05, short for ERROR_ACCESS_DENIED:

C:\Users\duck>chkit c:\windows\system32\config\sam
Open file [c:\windows\system32\config\sam]
Failed (GetLastError=0x00000005)

If your computer has system restore points (also known as volume shadow copies), these include point-in-time copies of your SAM, SECURITY and SYSTEM hive files, complete with the old, insecure access control settings.

In other words, an unprivileged user can simply read the data from there instead, e.g.

Of course, you may well have one or more snapshots on your computer, unless you yourself went to the System Protection menu and went to