Windows Confidential: Power to the Power User
The line between a power user and a full-on administrator is a thin line indeed.
A power user is just an administrator who doesn’t realize it yet. They’re just a couple of simple steps away.
The Power Users security group was part of the initial release of Windows NT. The idea behind this was to give users enough power so they could use Windows NT in a similar manner to how they used Windows 3.1. While the Windows NT development group certainly achieved that goal, they did so by basically handing over the keys.
In the days of 16-bit Windows, there was no such thing as a security group. Every user effectively ran with administrator privileges. Users were accustomed to being able to do admin-level things like change file associations, create file shares and install software. Once you let users do those things, however, they can effectively do anything else.
Once a renegade power user executes code with administrator or system privileges, they have effectively become an administrator. Here are a few ways a power user can use the available powers to make this happen:
Change COM object registrations: Because power users can write to HKEY_CLASSES_ROOT, a renegade power user could overwrite a CLSID used by a process normally run with administrator or system privileges and have it point to a hacked DLL. Once an administrator or the system account creates the object, the hacked DLL runs. It’s now executing in the context of an administrator.
Change file associations: A renegade power user could also change the default action associated with something like text files to run a hacked program. Once an administrator double-clicks what seems to be a harmless text file, the hacked program runs with administrator privileges.
Change the Start menu: Because power users can write to the %ALLUSERSPROFILE%\Start Menu directory, a renegade power user could edit a shortcut in the All Users profile, such as Wordpad or Event Viewer. They could then have the shortcut run the hacked program instead. The next time an administrator clicks on the hacked shortcut, the hacked program executes with administrator privileges.
Printer configuration: Because power users can install printers, a renegade power user could install a hacked printer driver. The next time anybody tries to print, the hacked printer driver can do its dirty work.
Hardware installation: A renegade power user can modify an INF file for a hardware device to refer to a hacked driver. Then they could plug that hardware device into the machine. Because hardware drivers run in kernel mode, they would have full control of the system.
Program installation: Because power users can modify files in the Program Files directory, they can patch any program binary to execute whatever code they like. All they have to do then is wait for an administrator to run the program.
System maintenance: As Mark Russinovich has noted, power users have permission to modify files in the System32 directory. This means they can patch ntoskrnl.exe and modify it to perform whatever operations they like.
There are plenty of other ways a renegade power user can use the available tools as a foothold and turn themselves into an administrator. Jesper Johansson succinctly stated this when he said, “Power users are admins who have not made themselves admins yet.”
This inherent design flaw of the Power Users group is why the Windows team has been trying to get rid of it for years. Windows XP suppressed the Power Users group from the UI, so it was harder to add users. The group still exists, though, for backward compatibility. Don’t fool yourself into thinking the Power Users group is a step below an administrator. It’s pretty much the same thing.
There are still lots of corporations that haven’t gotten the message that power-user level is the same as administrator level. They still think that power users are somehow “safer.” There is progress, however. Starting in Windows Vista, the permissions granted to the Power Users group were stripped down tremendously, making them little more than regular users with a fancy title.
Raymond Chen 's Web site, The Old New Thing, and identically titled book (Addison-Wesley, 2007) deal with Windows history, Win32 programming and plastic shrink-wrap.