Associated Vulnerability
Title: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190)
Description: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
Description
An NSIS script that helps deploy and roll back the mitigation registry patch for CVE-2022-30190 as recommended by Microsoft
Readme
# MSDT Patcher, a.k.a. CVE-2022-30190-NSIS
This is an NSIS script that helps deploy and roll back the mitigation registry patch for CVE-2022-30190 as recommended by Microsoft.
[Download the executable here](https://github.com/rouben/CVE-2022-30190-NSIS/releases).
## How does it work?
When run, it checks for the presence of the key `HKCR\ms-msdt` (the merged view of `HKLM\SOFTWARE\Classes` and `HKCU\Software\Classes`, which is where the `ms-msdt:` URL protocol handler is registered). If the key exists, the handler is still registered, so the script treats the machine as unmitigated and offers to apply the mitigation patch. If the user confirms, the entire `HKCR\ms-msdt` key hierarchy is removed, i.e. the equivalent of the following registry patch is executed (the script does not export the existing key first; it ships a fixed rollback file instead):
```reg
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\ms-msdt]
```
If the key `HKCR\ms-msdt` is absent, the script offers to roll the mitigation back. Since it has no per-machine backup to restore, it assumes that all machines had the same exact registry keys under `HKCR\ms-msdt` and inserts the equivalent of the following registry patch. The `hex(2)` value under `command` is a `REG_EXPAND_SZ` that decodes to `"%SystemRoot%\system32\msdt.exe" %1`, the stock handler command:
```reg
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\ms-msdt]
@="URL:ms-msdt"
"EditFlags"=dword:00200000
"URL Protocol"=""
[HKEY_CLASSES_ROOT\ms-msdt\shell]
[HKEY_CLASSES_ROOT\ms-msdt\shell\open]
[HKEY_CLASSES_ROOT\ms-msdt\shell\open\command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
73,00,64,00,74,00,2e,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00
```
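The same check, mitigate and roll-back logic expressed in PowerShell, as an added example that is not the project's NSIS script. It differs from the script in one respect: it exports the key with `reg.exe` before deleting it, which is the backup step Microsoft's own guidance for this mitigation calls for, and only falls back to recreating the stock hierarchy from the rollback patch above when no backup exists. It assumes an elevated (Administrator) PowerShell session; the backup path under `$env:ProgramData` is an arbitrary choice.

```powershell
# Added example, not the project's own code. Run from an elevated PowerShell.
$Key        = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir  = Join-Path $env:ProgramData 'msdt-mitigation'   # assumed location
$BackupFile = Join-Path $BackupDir 'ms-msdt.reg'

function Test-MsdtHandlerPresent {
    # True while the ms-msdt URL protocol handler is still registered.
    Test-Path -Path $Key
}

function Invoke-MsdtMitigation {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host 'HKCR\ms-msdt is already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Back the key up first so rollback can restore this machine's own values.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup of HKCR\ms-msdt failed; key was not deleted.' }
    # Equivalent of [-HKEY_CLASSES_ROOT\ms-msdt]: remove the whole hierarchy.
    Remove-Item -Path $Key -Recurse -Force
    Write-Host "Mitigation applied; backup written to $BackupFile"
}

function Undo-MsdtMitigation {
    if (Test-MsdtHandlerPresent) {
        Write-Host 'HKCR\ms-msdt already exists; nothing to roll back.'
        return
    }
    if (Test-Path -Path $BackupFile) {
        # Preferred path: restore exactly what this machine had before mitigation.
        & reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
        Write-Host "Restored HKCR\ms-msdt from $BackupFile"
        return
    }
    # No backup available: recreate the stock layout from the rollback patch.
    # -Force creates the intermediate shell\open keys as well.
    New-Item -Path "$Key\shell\open\command" -Force | Out-Null
    Set-ItemProperty -Path $Key -Name '(default)'    -Value 'URL:ms-msdt'
    Set-ItemProperty -Path $Key -Name 'EditFlags'    -Value 0x200000 -Type DWord
    Set-ItemProperty -Path $Key -Name 'URL Protocol' -Value ''
    # REG_EXPAND_SZ, which is what the hex(2) value in the .reg file encodes.
    Set-ItemProperty -Path "$Key\shell\open\command" -Name '(default)' `
        -Value '"%SystemRoot%\system32\msdt.exe" %1' -Type ExpandString
    Write-Host 'Recreated stock HKCR\ms-msdt hierarchy (no backup was available).'
}

# Usage: dot-source this file, then call Invoke-MsdtMitigation or Undo-MsdtMitigation.
```

Keeping the exported `.reg` file is what makes the rollback safe on machines whose handler registration does not match the fixed layout the script assumes; the recreate path is only a last resort.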
## License and other info
I hope you find this little tool useful. It's licensed under the [unlicense](https://unlicense.org), so please feel free to modify and adapt this little hack as you see fit. Contributions are welcome, so fork away and submit a pull request.
**!!!WARNING!!!** This script will **not** protect your system against attack vectors that don't go through the `ms-msdt` URL handler, and it does nothing about the underlying MSDT flaw itself. Repeat, this is **not** a proper fix, just a band-aid until the vendor patch is installed. Microsoft shipped that fix in the June 14, 2022 security updates; once a machine has it, the rollback can be used to restore the handler.
File Snapshot
[4.0K] /data/pocs/b17829ab2658af6d242ee347bcc38c0ebbe4daf1
├── [1.2K] LICENSE
├── [3.5K] MSDT-Patch.nsi
├── [1.8K] README.md
└── [4.0K] regfiles
├── [ 142] mitigate.reg
└── [1002] rollback.reg
1 directory, 5 files