
There was a recently published exploit using URIs to open MSDT and execute arbitrary code. Microsoft's suggestion was to delete the registry key corresponding to the ms-msdt:// protocol.

Unfortunately, this still leaves MSDT active and presumably exploitable via other routes. Personally, I have never used MSDT, nor would I ever need to. Searching how to disable MSDT (results filtered to before May 1, 2022) gave me this result on how to disable MSDT from communicating with Microsoft:

Registry Hive: HKEY_LOCAL_MACHINE

Subkey: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\

Value Name: DisableQueryRemoteServer

Type: REG_DWORD

Value: 0

However, I didn't find any further results. Is there a way to disable MSDT entirely? Would simply deleting msdt.exe actually impact the system's stability?

  • You have never clicked on a link on a website to run a Microsoft Windows troubleshooting tool? That's effectively what MSDT allows you to do. It's extremely doubtful it responds to any other URL, which is the reason the suggested solution is to disable it.
    – Ramhound
    Commented Jun 2, 2022 at 9:55
  • @Ramhound wasn't aware that troubleshooter links ran MSDT, but nowadays I would not click random links to run a troubleshooter. The few times I did that in the past from MS documentation didn't help much anyway. Windows 10 is EoL in a few years and I don't plan on upgrading to Win11 due to TPM requirements, so I don't think I will use MSDT again - I'd rather just close off that attack vector entirely. Commented Jun 3, 2022 at 2:54
  • I want to know is it safe to delete msdt.exe in C:\Windows\System32?
    – rint
    Commented Jun 7, 2022 at 19:21
  • Does anybody know how to delete this piece of crap? It's asking for TrustedInstaller privilege.
    – pma_
    Commented Jun 8, 2022 at 10:18
  • @fmnijk you can, but it will get recreated when you install any monthly update. Commented Jul 5, 2022 at 0:37

1 Answer

I think that in theory you could try and change the permissions on %WINDOWS%\System32\msdt.exe by removing execution rights temporarily. But this is no guarantee that the functionality itself isn't accessible via other calls via API. But at least nobody should be able to run it from the command prompt.

  • Unfortunately, the monthly updates will restore this tool, so this solution doesn't work. Commented Jul 5, 2022 at 0:47
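The three controls discussed on this page (Microsoft's removal of the ms-msdt: URI handler, the DisableQueryRemoteServer policy value the question quotes, and the answer's idea of denying execute rights on msdt.exe), as an added PowerShell audit/apply script that is not from the question or the answer. It assumes an elevated session, writes the registry value exactly as the question quotes it, and the backup path is an assumption.

```powershell
# Added example (not from the question or answer). Audits, and with -Apply enforces,
# the three MSDT controls discussed on this page. Run from an elevated PowerShell.
param(
    [switch]$Apply,
    [string]$BackupPath = (Join-Path $env:TEMP 'ms-msdt-backup.reg')   # assumed location
)

$protoKey  = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'      # ms-msdt: handler (Microsoft's workaround)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
$policyVal = 'DisableQueryRemoteServer'                 # name and data as quoted in the question
$msdtExe   = Join-Path $env:windir 'System32\msdt.exe'

# --- Audit: report the current state without changing anything ---
$handlerPresent = Test-Path $protoKey
$policyData = (Get-ItemProperty -Path $policyKey -Name $policyVal -ErrorAction SilentlyContinue).$policyVal
$policyShown = if ($null -eq $policyData) { 'not set' } else { $policyData }
$denyExec = (Get-Acl $msdtExe).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.FileSystemRights -match 'ExecuteFile|ReadAndExecute|FullControl'
}
[pscustomobject]@{
    HandlerPresent     = $handlerPresent
    PolicyValue        = $policyShown
    ExecuteDeniedOnExe = [bool]$denyExec
} | Format-List

if (-not $Apply) { return }

# --- Apply 1: Microsoft's workaround, back up and then delete the protocol key ---
if ($handlerPresent) {
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupPath /y | Out-Null   # 'reg import' reverses this
    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
}

# --- Apply 2: the policy value from the question, written exactly as quoted there ---
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name $policyVal -Type DWord -Value 0

# --- Apply 3: the answer's approach, deny execute on msdt.exe ---
# System32 binaries are owned by TrustedInstaller, so Administrators must take
# ownership before an ACE can be added. Monthly updates restore the file and its
# ACL, as the comments note, so re-run the audit after patching.
if (-not $denyExec) {
    takeown.exe /F $msdtExe /A | Out-Null
    icacls.exe $msdtExe /deny '*S-1-1-0:(X)' | Out-Null   # S-1-1-0 = Everyone; (X) = execute
}
```

Running the script without -Apply is read-only and is the part worth scheduling after each update cycle, since the comments above report that servicing restores msdt.exe.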
