NT file execution path
Description: NT has a HORRIBLY insecure path, and there is nothing you can do about it!
Author: Jeremy Allison <jallison@WHISTLE.COM> quotes some M$ documentation which confirms the ugly rumors.
Compromise: Can you say TROJAN HORSE!
Vulnerable Systems: Windoze NT 4.0, probably earlier.
Date: 25 July 1997
Date: Fri, 25 Jul 1997 12:35:42 -0700
From: Jeremy Allison <jallison@WHISTLE.COM>
To: NTBUGTRAQ@RC.ON.CA
Subject: Re: NT security - why bother?
Paul Ashton wrote:
> Use a different command shell. I use bash from cygwin. Do other
> things other than cmd.exe observe PATH?
It's worse than that. From the documentation of CreateProcess().
-----------start excerpt-----------------------
If the filename does not contain a directory path, Windows searches for the
executable file in the following sequence:
1. The directory from which the application loaded.
2. The current directory for the parent process.
3. Windows 95: The Windows system directory. Use the GetSystemDirectory
   function to get the path of this directory.
   Windows NT: The 32-bit Windows system directory. Use the GetSystemDirectory
   function to get the path of this directory. The name of this directory is
   SYSTEM32.
4. Windows NT: The 16-bit Windows system directory. There is no Win32 function
   that obtains the path of this directory, but it is searched. The name of
   this directory is SYSTEM.
5. The Windows directory. Use the GetWindowsDirectory function to get the path
   of this directory.
6. The directories that are listed in the PATH environment variable.
-------------end excerpt-----------------------------
This means:
1). '.\' is *always* in your PATH.
2). The PATH is only searched as a last resort.
The SYSTEM32 directory and others are *hard coded* into the OS API
specification.
Good luck fixing that :-(.
Jeremy Allison,
Whistle Communications.
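Added example, not part of Jeremy Allison's post or the quoted documentation: a simulation of the CreateProcess() search order quoted above, run over a constructed set of file paths so it works anywhere, plus an audit check that flags names in the current directory that would be picked ahead of the copy in SYSTEM32 or on PATH. Directory names (C:\WINNT, C:\temp\share, C:\Tools) are made up for the demonstration.

```python
# Simulation of the documented CreateProcess() search order. The "filesystem" is a
# constructed set of lower-cased full paths; PATH uses Windows ';' separators.
WIN_PATHSEP = ";"

def search_order(app_dir, cwd, system32, system_dir, windir, path_env):
    """Directories in the order the quoted documentation lists them: PATH comes last."""
    path_dirs = [p.rstrip("\\") for p in path_env.split(WIN_PATHSEP) if p]
    return [app_dir, cwd, system32, system_dir, windir] + path_dirs

def resolve(name, dirs, existing):
    """Return the path CreateProcess would pick for `name`, or None if nothing matches.
    `existing` is the set of full paths standing in for the filesystem."""
    if "\\" in name or ":" in name:
        # A directory component disables the search entirely: passing a fully
        # qualified path is the only way to avoid the current-directory lookup.
        return name if name.lower() in existing else None
    for d in dirs:
        candidate = d + "\\" + name
        if candidate.lower() in existing:
            return candidate
    return None

def shadowed_commands(dirs, existing, untrusted_index=1):
    """Names present in dirs[untrusted_index] (the current directory by default) that
    also exist in a later directory, i.e. the later, trusted copy is never reached."""
    untrusted = dirs[untrusted_index].lower() + "\\"
    later = [d.lower() + "\\" for d in dirs[untrusted_index + 1:]]
    hits = []
    for full in sorted(existing):
        if full.startswith(untrusted):
            name = full[len(untrusted):]
            if "\\" not in name and any(d + name in existing for d in later):
                hits.append(name)
    return hits

# Constructed sample filesystem: a stray notepad.exe sits in a shared working directory.
FILES = {p.lower() for p in [
    r"C:\WINNT\system32\notepad.exe",
    r"C:\WINNT\system32\cmd.exe",
    r"C:\Tools\grep.exe",
    r"C:\temp\share\notepad.exe",
]}
DIRS = search_order(app_dir=r"C:\App", cwd=r"C:\temp\share",
                    system32=r"C:\WINNT\system32", system_dir=r"C:\WINNT\system",
                    windir=r"C:\WINNT", path_env=r"C:\Tools;C:\WINNT\system32")

if __name__ == "__main__":
    print(resolve("notepad.exe", DIRS, FILES))   # the copy in the current directory wins
    print(shadowed_commands(DIRS, FILES))        # ['notepad.exe']
```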
This page is part of Fyodor's exploit world.