
Microsoft publishes a workaround for the msdt exploit (Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability)

The suggested way is to delete the key Computer\HKEY_CLASSES_ROOT\ms-msdt after backing it up:

To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename". Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

I don't know how the registration of handlers like this works.

Question: Wouldn't it be enough to rename the key like: Computer\HKEY_CLASSES_ROOT\ms-msdt__RenameBecause_cve-2022-30190 or would the handler still work regardless of the name?

Why I'm asking this: I would like to prevent registry backups on every machine, which may get lost.


Edit: I agree that it's the best way to follow the Microsoft recommendation. But with hundreds of PCs this way is difficult to implement reliably (not to mention that the registry backups have to be restored at some point).

  • Best to follow the Microsoft guidance on this, rather than try and come up with an elaborate solution. Commented May 31, 2022 at 13:40
  • The article suggests that up-to-date Windows Defender (Win 10 / 11) will mitigate the threat.
    – anon
    Commented May 31, 2022 at 14:18
  • You are aware you would only have to keep a single backup of the key, right, since the keys to handle the URL handle would be identical across all your machines. With the key deleted you go from a situation where the URL handle can be used or change to not existing. Of course the real solution is to use Microsoft Defender to detect and block the malicious behavior.
    – Ramhound
    Commented May 31, 2022 at 16:50
  • You don't need to backup the entire registry, you can store a reg file containing only the applicable keys if you so wish. Presumably this data would be identical across machines anyway. Commented Jun 2, 2022 at 5:36

1 Answer


Renaming is enough, as the author of the article did:
Mysterious “Follina” zero-day hole in Office – here’s what to do!

However, the author finished by deleting the key, as this mitigation felt unfinished to him.

I would also suggest deleting the key, for a complete job. You could export and keep the key before deleting it, as a better method of backup.

  • His argument not to rename it is: 1) when somebody knows the new name it can still be used; 2) he hasn't seen a useful use of this entry, so it may stay deleted. Very helpful, thanks! Commented May 31, 2022 at 14:26
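The export-then-delete procedure from the Microsoft guidance, written so it can be re-run safely across many machines, as an added example that is not part of the question, the answer or Microsoft's guidance. It assumes it runs elevated; $BackupRoot is a placeholder path you would replace with a central share so the .reg backups do not sit only on the PC being fixed.

```powershell
# Added example: back up the ms-msdt URL protocol handler key, verify the
# backup, then delete the key (the mitigation Microsoft describes for
# CVE-2022-30190). Safe to run repeatedly: it exits early when the key is
# already gone and never overwrites an existing backup.
param(
    # Placeholder: a central share chosen by you, so backups are not lost with the PC.
    [string]$BackupRoot = '\\FILESERVER\msdt-backup'
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'
$PsPath  = "Registry::$KeyPath"
# One file per host keeps an audit trail; the key content is the same on every
# machine, so a single copy would also be enough to restore from.
$Backup  = Join-Path $BackupRoot ("ms-msdt_{0}.reg" -f $env:COMPUTERNAME)

function Test-MsdtHandler {
    # $true while a handler for the ms-msdt: scheme is still registered.
    return (Test-Path -LiteralPath $PsPath)
}

if (-not (Test-MsdtHandler)) {
    Write-Output "ms-msdt handler already absent on $env:COMPUTERNAME; nothing to do."
    exit 0
}

# 1. Export the key (reg.exe /y overwrites without prompting; we skip if a backup exists).
if (-not (Test-Path -LiteralPath $Backup)) {
    & reg.exe export $KeyPath $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
        throw "Export of $KeyPath to $Backup failed; key left in place."
    }
}

# 2. Delete the key only once the backup is verified on disk.
& reg.exe delete $KeyPath /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Delete of $KeyPath failed." }

# 3. Confirm the handler is really gone before reporting success.
if (Test-MsdtHandler) { throw "$KeyPath still present after delete." }
Write-Output "ms-msdt handler removed; backup at $Backup"
```

To undo the mitigation later, run `reg import` on the saved .reg file; Test-MsdtHandler can also be used on its own to audit which machines still have the handler registered.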
