0

I have a project that internally uses cmd /c "..." to launch some small utilities that are part of the software package and developed by myself.

Today I realized about the existence of a /D switch in cmd:

/D      Disable execution of AutoRun commands from registry (see below)

...

If /D was NOT specified on the command line, then when CMD.EXE starts, it
looks for the following REG_SZ/REG_EXPAND_SZ registry variables, and if
either or both are present, they are executed first.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun

        and/or

    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

I wonder if I should include such switch to avoid unintended behaviors (such as app injection, setting undesired env vars, etc), or if using this would carry me out more problems (such as unset system required variables, don't know).

Note: the reason why I'm using cmd is due to problems I've had with UAC (both elevating or downgrading privileges) and other issues in the past with other methods, like CreateProcess, that I think are far from the scope of this question.

cbuchart
  • 10,847
  • 9
  • 53
  • 93
  • 1
    If by *downgrading privileges* you mean unelevate then that is not possible. – Noodles Mar 31 '19 at 23:44
  • @Noodles It is actually possible, please take a look at: https://stackoverflow.com/a/50300769/1485885, but that's not the core of my question which, as I've said, solved that issue, it only concerns about the `/D` flag. Thanks anyway for your interest! – cbuchart Apr 01 '19 at 06:45
  • No that PREVENTS elevation. It does not unelevate. – Noodles Apr 01 '19 at 17:18
  • @Noodles you're right, thanks for pointing out the correct term! – cbuchart Apr 01 '19 at 17:33
  • As long as the user don't run other programs in that prompt after you, you can use `/d`. Remember programs don't change the user's environment. – Noodles Apr 01 '19 at 17:39

0 Answers0