Windows 10: Custom themes allow to retrieve login data

[German]A security researcher points out that so-called custom themes for Wndows 10 are a security risk. These allow to access login data if necessary.


Windows allows users to create custom themes that contain custom colors, sounds, mouse cursors, and the background image that the operating system will use. There are a vast number of downloadable so-called custom themes that can be used to design Windows 10. Such custom themes are quite popular in certain user groups, but they are a security risk.

Security Risk Custom Themes

Specially crafted Windows 10 themes and theme packs can be used in "pass-the-hash" attacks to steal Windows account credentials from unsuspecting users.

A user with the alias @bohops points to the Credential Harvesting Trick on Twitter. Using a Windows .theme file, the wallpaper key (desktop background image) can be configured to point to a remotely required http/s resource. When a user activates the theme file (e.g. opened via a link/attachment), the user is shown a Windows login.

Credential Harvesting Trick

The key for the desktop background is located in the "Control Panel\Desktop" section of the .theme file.  Other keys may be used in the same way. According to the user, this may also work for the netNTLM hash specification when set for remote file locations.


The default handler loads rundll32.exe (themecpl.dll) and the theme setting dialog. The user discovered this a while ago and reported it to MSRC earlier this year. Because he had seen that similar "disclosure" errors were patched. The reported theme bug was not patched because this vulnerability is a "feature by design".

Lawrence Abrams took up the whole thing in this article on Bleeping Computer. To protect against malicious theme files, the Twitter user recommended that the .theme, .themepack and .desktopthemepackfile extensions be blocked or re-assigned to another program.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *