1. NFTF Quickie – VBS Funtimes – Run Scripts? Get Prompt
This is probably a duplicate somewhere but wanted it noted for my own use anyway – here’s a very handy VBS that does the job nicely for accessing useful commands as a user on a locked down desktop.
Using VBS to fire up FTP as a local command shell

1
2
Run ftp...
CreateObject("WScript.Shell").Run "cmd.exe /k ftp"

Using the above and the bang character will let you run commands on the host.
E.G. !cd or !c:\windows\system32\calc.exe (strangely on XP64 !cd will not persist post command, however it does do so on Win7 [pretty sure it does it on 32bit XP as well as it's how I used to use FTP all the time])
Noddy stuff indeed but useful.
The above one-liner can be modified to run any executable you have access to as a user.

2. No Macros Allowed? That’s what you think…
Me and a colleague got presented with a “Defect fixed, macros are completely disabled on the host” statement on Monday, so we decided to give it a bit of a kicking.
At first glance, no access to the editor was possible and only trusted signed macros were capable of running. We could be forgiven at this point for even mistakenly “passing” the defect if we hadn’t been so determined.
So after a bit of poking and managing to pop open the editor across the office suite, I was convinced I could get it to play ball all the way. My colleague thankfully indulged my inane ramblings about “digitally signing” and “feeling like it’s so close”.
3 to 4 hours later and a fair few dead ends. We get macro editing and execution as a trusted signed macro across all the office apps available on the host (aside from outlook, that could probably fall too given more poking but we had proved the point).
What follows is a quick run through of what we did (…using only a standard user account on a locked down host).

2.1. First Problem – Creating the macro, we need an editor
Macro_bar
If the macro menu is disabled and the buttons on the developer toolbar are greyed out (the buttons above are just to show where they are) try the following:
In Word: Right click the toolbar, select “customise quick access toolbar”, select “all commands” and add the button labelled “view code”.
At this point now go to the developer toolbar (enable it within word options if not enabled), select “design mode” and now the “view code” button will become clickable.
Click this button – Voila, access to VB Editor.
In Excel: Right click the sheet tab, View Code – Voila, access to VB Editor. Alternatively it is also accessible the same way as in word.
In Powerpoint: Click “view code” (should already be on the toolbar somewhere, if not follow the instructions for word)
The above all work in 2007 and 2010, as well as earlier versions but probably in a slightly different guise. Have a bit of a poke about a bit.

2.2. Just sign here, here and here
Our second issue, accessing the “security” window and then the “macro security” window using the above “toolbar button” method (anything with the word “macro” in was disabled from a UI point of view in the ribbon/menus so you had to load the “security” window to get there) we could see that only signed macros were allowed to run.

Nightmare, what can we do now? Thankfully during the above macro editor poking I had browsed through the office folder (looking for a VB Editor.exe type thing) and noted the following executable.
Run this: C:\Program Files (x86)\Microsoft Office\Office12\selfcert.exe
Selfcert
Run it – Create a certificate. Access the VB Editor using the steps in the previous tip.
Signing_word
Tools -> Digital Signatures -> Choose Certificate -> Select your cert.
Now it’s signed you will probably need to exit word/excel/whatever and reopen the document (we had to when testing).

2.3. …but wait, mommy told me not to run macros from strangers.
Okay so we’ve now got a macro, it’s signed but it still won’t run. They’ve hobbled the security even further and “disabled” any prompts we’d get allowing us to “run” a macro with a self-signed cert, so we’re going to have to find a way to explicitly trust our self-signed macro.
Signing_big
Open the VB Editor as before. Then Tools -> Digital Signatures -> Choose -> View Certificate – > Details -> Copy to File
Cert_import
Navigate to saved .cer file (just accept the defaults in the export wizard), right click and select “install certificate”, Select the location to install the certificate as “Trusted Publishers”.
Next…
Certificate Installed Successfully. You just added your certificate to the trusted signatures that microsoft office will blindly accept without needing you to click on a “accept the risk” style warning.
Before (but this would typically be hidden and not shown to users, meaning that they would not have the option of “accepting anyway” in this manner and so self-signed macros would never run):
Untrusted
After (No prompt, macro can be run, certificate is trusted):
Trusted_nowarningTrust_center

You may need to restart word or whatever at this point just to get the changes to refresh but your macro will run without hindrance once done.

2.4 So what can I do with these things anyway?
So the mini-nftf in section 1 above, without cscript.exe/wscript.exe you’re a bit screwed.
How about doing it in VBA.

1
2
3
Sub run_me
    retVal = Shell("C:\WINDOWS\SYSTEM32\cmd.exe /k ftp",1)
End Sub

A quick ‘F5′ and you’re back running the commands you need.
retVal in the above will contain the PID of the process you just launched so the following will kill the process too (in case you were doing something fancy)

1
2
3
4
5
6
Sub run_me_kill_me
    Dim retVal as String
    retVal  = Shell("C:\WINDOWS\SYSTEM32\calc.exe",1)
    killCmd = "C:\WINDOWS\SYSTEM32\cmd.exe /k taskkill /PID " + retVal
    retVal2 = Shell(killCmd,1)
End Sub

The “,1″ part of the Shell call, that’s describing what you want VB to do with the window. If you are doing calls to a script (perhaps a macro that performs a bunch of commands on the sly?) or a command/console based program, you can use vbHide instead and no window will appear on the screen.
Be careful doing this on systems with CMD.exe disabled by group policy as you’ll find that they never show up and so persist within task manager waiting on an invisible but very real “This command has been disabled by your administrator, press any key to continue” prompt.

3. Help! No Web, No Hope? No Way!
Final tidbit of an NFTF – Ever wanted to write some VBS but never sure of exact syntax or even the functions you have access to, no access to the web and someone has helpfully disabled the “help and support” service, denying you any ‘F1′ action you may want.
This is a little trick I picked up from previous work. Providing the host you’re playing with has Microsoft office installed (else it’s worth just a general C:\ drive search for clview.exe).
You have all the scripting reference material you need to make whatever VBS you want.
First you make a new shortcut upon the desktop.
Set it to : “C:\Program Files (x86)\Microsoft Office\Office12\clview.exe” “MSE” “Microsoft Scripting Engine”
Double click and a blank help screen will open (this does not require the help and support service yay!).
Search for something “VBS” for example and then click “microsoft scripting engine” (grey text, top left) and then “Microsoft Scripting Engine Help”, you’ll have help for VBScript and JScript language references along with information on all the juicy runtime objects you can access using VBS/JScript.
Note: JScript is essentially the same as VBScript (different syntax, but same capabilities), they’re all run using cscript.exe (if a console based script) or wscript.exe (if a dialog based script).
Need VBA help? Once again, CLVIEW comes to the rescue.
Create a shortcut for: “C:\Program Files (x86)\Microsoft Office\Office12\CLVIEW.EXE” “WINWORD” “Microsoft Office Word”
Looks like it’s word help but it is the word developer reference and in turn will give you the full VBA language reference too.
Doing fancier application specific stuff in Excel? or Powerpoint? Change the above to suit.

Happy Local Lockdown Testing!

Leave a Reply