.SettingContent-ms files put Windows 10 at risk

Microsoft introduced a new file format (.SettingContent-ms) for Windows 10 in 2015. However, this file format proves to be a weak point, because arbitrary commands and applications can be defined for execution via the underlying XML structure.


Introduced in 2015 with Windows 10, the .SettingContent-ms file format provides shortcuts to the settings managed in the Settings app. The Settings app is supposed to replace the Windows Control Panel.

.SettingContent-ms files can be abused

Normally, every effort is made to prevent file formats from being used to exploit vulnerabilities. That is why the execution of macros in Office documents, the use of scripts and so on is blocked. Security researcher Matt Nelson at SpecterOps now writes that the SettingContent-ms file format weakens Windows 10 security because it allows commands to be included and executed.

(Source: SpecterOps)

The screenshot above shows an excerpt from the XML structure in which the DeepLink XML node contains a command to call the calculator. The command will be hidden behind a link in the settings. If the user selects such a supposed link, the command is executed. 

An attacker who manipulates the XML file in question can place virtually any executable command in its DeepLink nodes. This would also allow PowerShell commands to be inserted. Matt Nelson has published an example of a modified file on GitHub.
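As an added example (not code from the original post or from SpecterOps), the following defender-side check reads the content of a .SettingContent-ms file and reports DeepLink nodes that launch a shell or script host. The list of flagged program names, the function name and the two reduced sample documents (including their placeholder namespace) are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption (not from the page): interpreters and script hosts worth flagging.
SUSPICIOUS = ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript",
              "rundll32", "regsvr32")
HIT = re.compile(r"(?<![\w.-])(" + "|".join(SUSPICIOUS) + r")(?:\.exe)?(?![\w.-])",
                 re.IGNORECASE)

def audit_settingcontent(xml_text):
    """Return a list of (deeplink_text, reason) findings for one file's content."""
    # Refuse DTDs up front: they are not needed here and enable entity-expansion tricks.
    if "<!doctype" in xml_text.lower():
        return [("", "DTD present, file not parsed")]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("", f"malformed XML: {exc}")]
    findings = []
    for el in root.iter():
        # Compare local names so the check works with or without a namespace.
        if el.tag.rsplit("}", 1)[-1] != "DeepLink":
            continue
        link = (el.text or "").strip()
        names = sorted({m.group(1).lower() for m in HIT.finditer(link)})
        if names:
            findings.append((link, "launches " + ", ".join(names)))
    return findings

# Constructed samples, reduced to the one element that matters.
BENIGN = r"""<PCSettings><SearchableContent xmlns="urn:example:constructed">
  <ApplicationInformation>
    <DeepLink>%windir%\system32\control.exe /name Microsoft.DefaultPrograms</DeepLink>
  </ApplicationInformation></SearchableContent></PCSettings>"""
MODIFIED = BENIGN.replace(r"control.exe /name Microsoft.DefaultPrograms",
                          r"cmd.exe /c calc.exe")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("modified", MODIFIED)):
        print(label, audit_settingcontent(sample))
```

Run over mail attachments, download folders or files extracted from Office documents, a check like this gives a quick triage signal; an empty result only means that none of the listed program names appeared.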


 (Source: YouTube)

The video above shows how to call such a file to access the command prompt or the computer. If I understood it correctly, SettingContent-ms files can be integrated into Office documents. This of course enables various attack scenarios via OLE from Office documents. Matt Nelson sent his findings to the Microsoft Security Response Center in February 2018. They have confirmed the findings, but nothing can be fixed. And now it gets interesting: commands that the user calls through a modified SettingContent-ms file are blocked neither by Windows Defender nor by the security feature ASR (Attack Surface Reduction).
