Call all net admins

[Iain]

I'm a mature student at college in the UK ("mature" is an official term for "over 25"), studying an IT-related course. One of the network administrators had to visit us recently and we got talking. The network is locked down very hard and he volunteered some information about something that they'd identified and had had to deal with (no, I *wasn't* engaged in social engineering!). He mentioned that some students had tried to access cmd.exe, regedit.exe etc. by converting to hex and entering into start>run. For instance, enter %63%6d%64%2e%65%78%65 (the equivalent of cmd.exe) and he showed me that it was blocked.

I tried a similar manoeuvre at home on my own system but it doesn't work, so I suspect that he was either mistaken in the exact technique or he was giving me BS. I know there have been MANY, MANY posts about "how to open a command prompt" etc., along with multiple novel techniques, but I'd not heard about anything like this. Does anyone know more about this (or a similar) technique. Does it work? Has it ever?

[digip]

I don't think that it every worked like that from the run prompt. There are shortcuts to folders and such like %windir% and a few others, because you can change the path of c:\windows to some other path, the %windir% equates to a shortcut in the registry. If they manually made an entry somewhere for cmd.exe using the above hex values you gave then in theory they could launch it, but if the exe is locked down, it shouldn't matter where they launch it from if they don't have the credentials. Now, if they had their own cmd.exe(a third party equivalent) then that would be a whole other story. Maybe these kids were just experimenting and seeing if there was another way. Quickest way is to use Vbscripting and Cscript or wscript hosting if it hasn't been blocked. You can use this to re-enable the registry, then work some magic there to unlock some functions, but you still may have limted use. Especially if they are part of a domain, every time they reboot or logout/in the group policy would be applied and undo anything you changed.

I often see the hex trick used in web pages mor ethan in the OS. People use it to obfuscate javascript code from time to time.