System DLLs Can Be Replaced System DLLs are called by applications and the registry, and can be replaced with trojaned/virused versions. %systemroot% and %systemroot%\system32 directories have default permissions of 'Everyone' (includes guest) set to 'Change'. This allows DLLs not in use to be replaced. DLLs in use are locked. DLLs are run by programs at various levels during normal operation. A DLL for example can be run with SYSTEM privileges by a service while a user with normal privileges is logged on. This is also true for the MSGINA.DLL, which is the default "Graphical Identification and Authorization" provider for the local console logon, which if replaced, could seriously compromise your entire enterprise. |