Monday, January 25, 18:29

The "wsreset" of the Windows 10 Store allows the antivirus to be bypassed

A new technique takes advantage of the Windows 10 Microsoft Store wsreset tool and can bypass antivirus protection on a host without being detected.

Wsreset.exe is a legitimate troubleshooting tool that lets users diagnose problems with the Windows Store and reset its cache.


Pentester and researcher Daniel Gebert discovered that wsreset.exe can be used to delete files arbitrarily.

Because wsreset.exe runs with elevated permissions (it modifies Windows settings), this flaw would allow attackers to delete files even when they would not normally have the permissions to do so.

Delete files using wsreset.exe

When it creates temporary cache and cookie files, the Windows Store stores them in the following directories:

After analyzing the wsreset utility, Gebert found that the tool deletes the files in these folders, thereby resetting the cache and cookies of the Windows Store application.

The technique described here is based on the simple concept of "folder junctions", which behave similarly to symbolic links.

If an attacker can create a link that redirects the \INetCookies path to a target directory of their choice, that target directory is what gets deleted when wsreset runs. This is because wsreset runs with high privileges by default.

First, the attacker deletes the \INetCookies folder (which wsreset would otherwise have deleted itself). Restricted users can delete this folder, so this is not a hurdle: either an intruder controlling a user account or a malicious script running under the compromised user's account can achieve this.

Next, the attacker creates a link, or "folder junction", that makes the \INetCookies location point to a privileged location they would like wsreset.exe to delete.

In the example, the attacker maps the \INetCookies directory to "C:\Windows\System32\drivers\etc". The \etc folder contains important configuration files, including the "hosts" file used to configure local DNS rules.

"This can be done using mklink.exe with the '/J' parameter or via PowerShell's New-Item command with the '-ItemType' parameter," Gebert explains in his blog post.

Now, when wsreset is executed by the attacker or their script, the \etc folder, which would otherwise require elevated rights to clear, is deleted.
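As an added defensive example (not from the article or from Gebert's post), the following Python checks whether a cache path that a privileged cleanup tool trusts has been redirected outside its expected root, which is the precondition the technique above depends on. The package and directory names in the demo are constructed stand-ins, not the Store's real paths; the check itself resolves both symlinks and, on Windows, junctions.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

@dataclass
class RedirectCheck:
    path: str        # the path a privileged cleanup tool (e.g. wsreset) trusts
    resolved: str    # where it really points after following links/junctions
    is_link: bool    # symlink, or a Windows reparse point such as a junction
    escapes: bool    # resolved location lies outside allowed_root

def check_redirect(path: str, allowed_root: str) -> RedirectCheck:
    """Resolve `path` and report whether it has been redirected outside `allowed_root`.
    os.path.islink() is False for Windows junctions, so reparse points are also
    detected via the file attributes (st_file_attributes exists only on Windows)."""
    allowed = os.path.realpath(allowed_root)
    if not os.path.lexists(path):                       # nothing there yet: benign
        return RedirectCheck(path, os.path.abspath(path), False, False)
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    is_link = os.path.islink(path) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)
    resolved = os.path.realpath(path)                   # follows symlinks and junctions
    try:
        escapes = os.path.commonpath([allowed, resolved]) != allowed
    except ValueError:                                  # different drives on Windows
        escapes = True
    return RedirectCheck(path, resolved, is_link, escapes)

def run_demo() -> dict:
    """Constructed sample layout standing in for a Store package's AC folder:
    an honest cache dir, a link that stays inside the package, a link that
    points at a directory outside it, and a path that does not exist."""
    base = tempfile.mkdtemp(prefix="wsreset-demo-")
    pkg = os.path.join(base, "Microsoft.WindowsStore_demo")   # placeholder package name
    ac = os.path.join(pkg, "AC")
    outside = os.path.join(base, "outside")   # plays the role of a protected product folder
    os.makedirs(os.path.join(ac, "INetCache"))
    os.makedirs(outside)
    os.symlink(ac, os.path.join(ac, "LinkInside"), target_is_directory=True)
    os.symlink(outside, os.path.join(ac, "INetCookies"), target_is_directory=True)
    names = ["INetCache", "LinkInside", "INetCookies", "DoesNotExist"]
    return {n: check_redirect(os.path.join(ac, n), pkg) for n in names}

if __name__ == "__main__":
    for name, r in run_demo().items():
        flag = "ALERT" if r.escapes else "ok"
        print(f"{flag:5} {name:12} link={r.is_link!s:5} -> {r.resolved}")
```

Only the redirected INetCookies entry is flagged; a link that stays inside the package root is reported as a link but not as an escape.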

Abusing wsreset to bypass antivirus

The researcher demonstrated how this behavior could be used to bypass antivirus, focusing on Adaware as an example.

Adaware antivirus stores configuration files (and more) in the 'C:\ProgramData\adaware\adaware antivirus' folder. Adaware needs these files to work with the malware signatures it has previously downloaded. "Normal users cannot delete this folder," said Gebert.

Once the attacker creates the \INetCookies link (junction) pointing to the "\adaware antivirus" folder and runs wsreset, the files inside that folder are deleted without any obstacle.

Of course, some files (those in use by the antivirus program) may remain in the folder even after wsreset runs, but this is not a problem: the process is enough to break the antivirus's operation.

After a restart, the antivirus is permanently disabled, because its settings and other key files were wiped by the system itself, and the antivirus could neither detect nor prevent this.

This privilege escalation flaw in the wsreset.exe utility can also be used for other purposes, such as UAC bypass, as demonstrated by Hashim Jawad in 2019.

