A few days ago I needed to test a few things on a Windows XP Workstation running under a regular user account.

I wanted to verify whether some files and registry keys existed, but Group Policies were in place that denied me access to the command prompt and regedit.

While this may be a sensible way to lock down the PC, it is not very convenient if you need to verify some settings.

For that purpose I created patched versions of the Windows Server 2003 command prompt and regedit utilities.

They are patched to ignore the Group Policy settings, and I usually place them on some share, secured by NTFS permissions.

You can read about it in my post: Registry editing has been disabled by your administrator (not anymore!).

However, due to kernel differences you cannot use the Windows 2003 cmd.exe on Windows XP (the other way round does work, by the way). So I decided to create a patched version of the XP cmd.exe as well.

I thought it might be interesting to show you how it's done, so here we go:

First we open up cmd.exe in IDA Pro:

On the first screen you can accept the defaults:

[screenshot]

Wait until the auto-analysis has finished; this may take a little while:

[screenshot]

Now go to the Functions window, sort by function name and look for any function that may have something to do with the policy check.

Or use the search function (Alt-T), as I did:

[screenshot]

The first and only hit is a function called GetCmdPolicy, which sounds like what we need. Double-click on the function name to go to the disassembly.

We can quickly see that this code is opening the Policies key:

[screenshot]

And in the next block we can see that the DisableCMD value is checked:

[screenshot]

Now we will patch this function to always return 0, so that cmd.exe starts regardless of the DisableCMD value.

Press the space bar to switch to IDA's flat (text) view and note down the address of this function:

[screenshot]

Now we are going to use a hex editor to create the patch.

I use Hiew in this example because it can both disassemble and assemble, which makes it a very convenient tool for this purpose.

Open cmd.exe in Hiew and press F4 to change the mode to Decode:

[screenshot]

Press F5 (Goto) and enter a dot (.) followed by the address from IDA (the dot tells Hiew to treat it as a virtual address rather than a file offset):

[screenshot]

Now we see the same disassembly as in IDA:

[screenshot]

Now press F3 to enter edit mode, followed by F2 to select assembler mode.

In the window that appears, change mov edi,edi to mov eax,0 and press Enter:

[screenshot]

Then change push ecx to ret 4 and press Enter:

[screenshot]

Press Escape to exit edit mode; we have now made the following changes:

[screenshot]

Finally, press F9 to save the changes and F10 to quit, and we're done!
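The patch works because DisableCMD is a restriction that cmd.exe enforces on itself by reading the registry at start-up, so anyone who can run a binary of their own choosing can run one that skips the check; what actually prevents that is application control (Software Restriction Policies on XP) together with verifying that the binaries in use are the genuine ones. The following is an added example, not code from the original post: it compares a cmd.exe found on disk or on a share with a trusted reference copy of the same build (for instance from installation media), lists every changed byte region, and decodes the bytes at each change to report whether a function entry has been turned into a fixed "return 0" like the edit made in Hiew above. The byte strings in the block are constructed test data, not bytes from the real XP cmd.exe; only the x86 encodings of the few instructions involved are real.

```python
"""Added example (not from the original post): integrity check for a binary
against a trusted reference copy, with a minimal decoder for the handful of
x86 opcodes involved: mov edi,edi = 8B FF, push ebp = 55, mov ebp,esp = 8B EC,
push ecx = 51, mov eax,imm32 = B8 imm32, ret imm16 = C2 imm16, ret = C3."""
from __future__ import annotations

import hashlib
import sys
from dataclasses import dataclass


@dataclass
class Diff:
    offset: int       # file offset where the changed region starts
    original: bytes   # bytes in the reference copy
    modified: bytes   # bytes in the candidate copy


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_diffs(reference: bytes, candidate: bytes) -> list[Diff]:
    """Return the contiguous regions in which candidate differs from reference."""
    if len(reference) != len(candidate):
        raise ValueError(f"size differs: {len(reference)} vs {len(candidate)}")
    diffs: list[Diff] = []
    start = None
    for i, (a, b) in enumerate(zip(reference, candidate)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            diffs.append(Diff(start, reference[start:i], candidate[start:i]))
            start = None
    if start is not None:
        diffs.append(Diff(start, reference[start:], candidate[start:]))
    return diffs


def decode_entry(code: bytes, max_insns: int = 4) -> list[str]:
    """Decode only the opcodes a hot-patchable prologue or a forced return can
    contain; any other byte is emitted as 'db' so the decoder never guesses."""
    out: list[str] = []
    i = 0
    while i < len(code) and len(out) < max_insns:
        b = code[i]
        if code[i:i + 2] == b"\x8b\xff":
            out.append("mov edi,edi")
            i += 2
        elif code[i:i + 2] == b"\x8b\xec":
            out.append("mov ebp,esp")
            i += 2
        elif b == 0x55:
            out.append("push ebp")
            i += 1
        elif b == 0x51:
            out.append("push ecx")
            i += 1
        elif b == 0xB8 and i + 5 <= len(code):
            out.append(f"mov eax,{int.from_bytes(code[i + 1:i + 5], 'little'):#x}")
            i += 5
        elif b == 0xC2 and i + 3 <= len(code):
            out.append(f"ret {int.from_bytes(code[i + 1:i + 3], 'little'):#x}")
            i += 3
        elif b == 0xC3:
            out.append("ret")
            i += 1
        else:
            out.append(f"db {b:#04x}")
            i += 1
    return out


def looks_like_forced_return(code: bytes) -> bool:
    """True when the region starts with 'mov eax,imm32' directly followed by a
    ret, i.e. the function body has been replaced by a constant return value."""
    insns = decode_entry(code, max_insns=2)
    return len(insns) == 2 and insns[0].startswith("mov eax,") and insns[1].startswith("ret")


def audit(reference: bytes, candidate: bytes) -> dict:
    """Compare a candidate binary with the trusted reference and describe every change."""
    report = {
        "reference_sha256": sha256_hex(reference),
        "candidate_sha256": sha256_hex(candidate),
        "identical": reference == candidate,
        "changed_regions": [],
    }
    if not report["identical"]:
        for d in find_diffs(reference, candidate):
            report["changed_regions"].append({
                "offset": d.offset,
                "length": len(d.modified),
                "original": decode_entry(d.original),
                "modified": decode_entry(d.modified),
                "forced_return": looks_like_forced_return(d.modified),
            })
    return report


# Constructed sample (not real cmd.exe bytes): a "function" at FUNC_OFFSET that
# starts with the standard hot-patchable prologue, and a copy whose entry has
# been overwritten with mov eax,0 / ret 4, mirroring the edit made in Hiew.
FUNC_OFFSET = 0x40
REFERENCE = (bytes(FUNC_OFFSET)
             + bytes.fromhex("8bff558bec51")   # mov edi,edi; push ebp; mov ebp,esp; push ecx
             + bytes.fromhex("8b450833c9")     # mov eax,[ebp+8]; xor ecx,ecx (constructed body)
             + bytes(16))
_patched = bytearray(REFERENCE)
_patched[FUNC_OFFSET:FUNC_OFFSET + 8] = bytes.fromhex("b800000000c20400")  # mov eax,0; ret 4
PATCHED = bytes(_patched)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python audit.py <reference cmd.exe> <candidate cmd.exe>
        with open(sys.argv[1], "rb") as ref, open(sys.argv[2], "rb") as cand:
            print(audit(ref.read(), cand.read()))
    else:
        print(audit(REFERENCE, PATCHED))
```

Run without arguments it audits the constructed sample and reports one changed region of 8 bytes whose new bytes decode to mov eax,0x0 / ret 0x4 with forced_return set; with two file paths it does the same for real files. A size difference raises instead of being silently skipped, because an in-place Hiew patch never changes the file size, so a candidate of a different size is a different build and needs a different reference.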

And for the lazy people, the patched cmd.exe can be downloaded; usage is at your own risk:

Patched XP Command Prompt