As their names imply, those settings disable the use of CMD.EXE and REGEDIT.EXE.
Those settings are enforced by CMD and REGEDIT themselves. Therefore, alternatives such as Console and Registry Workshop will still run fine. However, it is not always handy to bring new applications onto the target system. So, how do we recover the CMD and REGEDIT applications locally?
It would be easy to find binary checks inside both applications and to patch them, but a good pentester is lazier than that.
After making a copy of both applications, it is enough to replace a single character within the "DisableCMD" or "DisableRegistryTools" string. I really love those stupid tricks :) The question is "how?" ... and surprisingly, the answer is not obvious.
- DEBUG/EDLIN: they won't handle files over 64KB.
- ".COM" application written in pure assembly using DEBUG: cool, but a bit tedious.
- QBASIC application: there is no QBASIC shipped with Windows any more :(
- Notepad/Wordpad: they mess up binary files on write back.
- VBScript: is poor at handling binary files.
- VBA inside an Office application: cool, but you need to have Office installed beforehand.
- NTSD: does not support the .readmem/.writemem commands.
C:\> ntsd cmd.exe
start end module name
4ad00000 4ad64000 cmd (deferred)
77be0000 77c38000 msvcrt (deferred)
77ef0000 77f37000 gdi32 (deferred)
7c800000 7c905000 kernel32 (deferred)
7c910000 7c9c7000 ntdll (export symbols) ntdll.dll
7e390000 7e420000 user32 (deferred)
0:000> s 4ad00000 L 64000 44 00 69 00 73 00 61 00 62 00 6C 00 65 00 43 00 4D 00
4ad14944 44 00 69 00 73 00 61 00-62 00 6c 00 65 00 43 00 D.i.s.a.b.l.e.C.
0:000> e 4ad14944 41
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
I'll be glad if someone comes with another solution :)
Note: surprisingly, the "DisableCMD" string lies within the code (".text") section.
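The debugger search above looks for the UTF-16LE bytes of the policy name (44 00 69 00 73 00 ... for "DisableCMD"), since that is how the string is stored inside the executable. The following Python is an added example, not code from the original post: it checks whether an executable image (or any copy of it found on a locked-down machine) still carries the intact policy name, and flags copies in which exactly one character of the name has been changed, so an administrator can hunt for such tampered copies. The sample images are constructed byte strings, not real cmd.exe data, and the function names are my own.

```python
import re

# Policy value names that cmd.exe and regedit.exe look up themselves (named on the page).
# Inside the binaries they are stored as UTF-16LE, which is why the debugger search
# used the byte pattern 44 00 69 00 73 00 ... for "DisableCMD".
POLICY_STRINGS = {
    "cmd.exe": "DisableCMD",
    "regedit.exe": "DisableRegistryTools",
}


def utf16le(s: str) -> bytes:
    """Encode a policy name the way it appears inside the executable image."""
    return s.encode("utf-16-le")


def policy_string_offsets(data: bytes, binary: str) -> list:
    """Offsets at which the intact policy name occurs in the image bytes."""
    needle = utf16le(POLICY_STRINGS[binary])
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def policy_string_intact(data: bytes, binary: str) -> bool:
    """True when the image still carries the exact policy name (the policy check can still fire)."""
    return len(policy_string_offsets(data, binary)) > 0


def tampered_variants(data: bytes, binary: str) -> list:
    """Find copies of the policy name with exactly one UTF-16 code unit changed.

    A single-character substitution is the modification the page describes; each hit is
    returned as (offset, decoded_string) so the finding can be logged or alerted on.
    """
    name = POLICY_STRINGS[binary]
    hits = []
    for i in range(len(name)):
        # Keep every character except position i, which may be any printable ASCII
        # character followed by the 0x00 high byte of a UTF-16LE code unit.
        pattern = (re.escape(utf16le(name[:i]))
                   + rb"[\x20-\x7e]\x00"
                   + re.escape(utf16le(name[i + 1:])))
        for m in re.finditer(pattern, data, re.DOTALL):
            found = m.group(0).decode("utf-16-le")
            if found != name:          # the intact name also matches; skip it
                hits.append((m.start(), found))
    return sorted(set(hits))


def scan_image(data: bytes, binary: str) -> dict:
    """Summarise one image: is the policy name intact, and were any one-off variants found?"""
    return {
        "intact": policy_string_intact(data, binary),
        "tampered": tampered_variants(data, binary),
    }


# Constructed sample images (not real executables): padding around the policy name.
CLEAN_IMAGE = b"\x90" * 32 + utf16le("DisableCMD") + b"\x00" * 32
# Same bytes with the first character swapped: the kind of copy a tamper check should flag.
TAMPERED_IMAGE = b"\x90" * 32 + utf16le("AisableCMD") + b"\x00" * 32


if __name__ == "__main__":
    # On a real system you would read the bytes of each suspect file, e.g. every
    # file whose version resource names it cmd.exe or regedit.exe, and scan it.
    for label, image in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(label, scan_image(image, "cmd.exe"))
```

An unmodified image reports the name as intact and no variants; a copy patched as described reports the name missing and the exact altered spelling at its offset. Because the check only reads bytes, it can be run against files collected from a kiosk or from a file share without executing them.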
Note for kiosk designers: to prevent users from running arbitrary applications, Software Restriction Policies would scale more easily.