Adventures with Windows Spotlight Tips

Charlie Fligg
Nov 6 · 3 min read

So, I wanted to mess with Windows and limited users. This time, instead of trying to abuse Chrome elevation (on the old computers I was using, Chrome ran at an elevated level, so you could drag and drop files into it, wait for it to “download” them, then run them; the system would treat the file as if an administrator were running it), I wanted to play with the actual Windows operating system and look for exploits there. I messed around a little bit and eventually ended up on the login page. Remembering the old Utilman.exe exploit (renaming cmd.exe to Utilman.exe let you launch cmd as the Ease of Access tool, which got you a SYSTEM-level command prompt), I found the Spotlight tips. I noticed that by clicking on certain tips, I could launch Edge.

So I started poking around. The first thing I found was where the pictures for the login page were stored:

%LOCALAPPDATA%\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets

Yep, our login background image was there.

But I was looking for the tips that appear on top of this image. So I started combing through the rest of the Microsoft.Windows.ContentDeliveryManager folder. After clicking through, I found that TargetedContentCache contained a bunch of randomly named folders. Most of these folders contained packages for the Microsoft Store, but one folder had an interesting file:

a784c721f8b44c46a00e4834422ac3cf_1

The file name itself doesn’t matter, and it changes all the time, but inside it is some interesting data. After beautifying the JSON with https://codebeautify.org/jsonviewer, I found that the file contained the lock-screen image location.

More interesting, this file contained the tips data itself, and it appears that the links a tip opens when clicked are hard-coded in it.

OK, so let’s edit it. Most URI handlers work (e.g. http, ms-windows-store), and I am able to launch programs once a user logs in, provided they click one of the tips.

So, chained with another bug that exploits Windows URI handling, an attacker could potentially set up another, non-privileged user account, edit the cache so that his tip displays, set the tip size to fill the screen, and just wait for the user to click it. Then he could launch whatever program he wanted. This has a pretty limited use case, and it is not really a bug, but it is interesting that the login page assets are editable by any non-privileged user.
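From the defender’s side, the thing worth checking is exactly what the post points at: which URI schemes the cached tips would open. The script below is an added example, not code from the post; it walks any JSON document, pulls out every string that looks like a URI, and flags the ones whose scheme is outside an allowlist (http and https by default). The sample JSON, its field names (items, title, action, image) and the TargetedContentCache path under LocalState are constructed assumptions, since the post does not give the real schema or full path; the script does not depend on the field names, only on finding URI-shaped strings anywhere in the document.

```python
import json
import os
import re
from urllib.parse import urlsplit

# Constructed sample, loosely modelled on a tips cache: a few tips, each with
# the link a click would open, plus the lock-screen image location. Field
# names are assumptions, not the real Content Delivery Manager schema.
SAMPLE_CACHE = """
{
  "items": [
    {"title": "Try Microsoft Edge", "text": "Note: browse faster.",
     "action": "https://www.microsoft.com/edge"},
    {"title": "Get apps", "action": "ms-windows-store://home"},
    {"title": "Edited tip", "action": "example-custom-scheme:constructed"}
  ],
  "image": "https://example.invalid/lockscreen.jpg"
}
"""

# Schemes a legitimate tip is expected to use; anything else gets reported.
ALLOWED_SCHEMES = {"http", "https"}

# A URI-shaped string: RFC 3986 scheme, a colon, then no whitespace at all.
# The trailing \S+$ keeps prose such as "Note: browse faster." out.
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")

# Assumed location of the cache (the post names the package folder and
# TargetedContentCache but not the exact path); override via the argument.
DEFAULT_CACHE_DIR = os.path.expandvars(
    r"%LOCALAPPDATA%\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"
    r"\LocalState\TargetedContentCache"
)


def iter_strings(node, path=""):
    """Yield (json_path, value) for every string anywhere in a parsed document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_uris(doc):
    """Return [(json_path, uri)] for every URI-shaped string in the document."""
    return [(path, value) for path, value in iter_strings(doc) if URI_RE.match(value)]


def audit(text, allowed=frozenset(ALLOWED_SCHEMES)):
    """Parse JSON text and report URIs whose scheme is not on the allowlist."""
    findings = []
    for path, uri in find_uris(json.loads(text)):
        scheme = urlsplit(uri).scheme.lower()
        if scheme not in allowed:
            findings.append({"path": path, "uri": uri, "scheme": scheme})
    return findings


def audit_directory(root=DEFAULT_CACHE_DIR, allowed=frozenset(ALLOWED_SCHEMES)):
    """Audit every parseable JSON file under root; non-JSON files are skipped."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig") as handle:
                    findings = audit(handle.read(), allowed)
            except (OSError, UnicodeDecodeError, ValueError):
                continue  # not a JSON file we can read; move on
            if findings:
                results[full] = findings
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for finding in audit(SAMPLE_CACHE):
        print(f"{finding['path']}: scheme '{finding['scheme']}' -> {finding['uri']}")
    # On a real machine, the same check over the cache directory:
    if os.path.isdir(DEFAULT_CACHE_DIR):
        for path, findings in audit_directory().items():
            print(path, len(findings), "flagged URI(s)")
```

Two things are deliberate here. The allowlist is a parameter, so a fleet that legitimately uses ms-windows-store tips can add that scheme and still see everything else; and the check keys on URI shape rather than on field names, so a schema change in the cache file does not silently blind it.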
