
NFTF: Bypassing Group Policy Denied Command Prompt

This is an old trick, but I ended up doing it the other day just for kicks. It will only work on 32-bit systems at the moment (edit.exe is a 16-bit editor and won’t run on a 64-bit OS).

Just to clarify: I had no internet access or access to any toolsets, so I had to go with whatever I could find on the box, hence the use of edit.exe and not winhex/hxd/hexeditorofyourchoice.

I think I vaguely recall a way to use debug.exe to edit binary files, but it involved raw assembler and was more complicated than I could remember off the top of my head with zero internet access at the time, so this will do for now.

Right, so as before, we have access to a basic command prompt using the VBS/VBA “Call FTP and ! prefix your commands” method.

But I want a full prompt that works without needing such a workaround.

Copy C:\windows\system32\cmd.exe somewhere (unless you want to possibly break cmd.exe on your test system).

Using the VBS/VBA FTP method, call “Edit”. (Don’t try this with Notepad: it will change all of the nulls to \x20 and destroy the file such that you can no longer run it as an executable.)

File -> tick the “Open Binary” box (this is important), navigate to C:\windows\system32\cmd.exe and open the file.


Scroll down (I’ve tried searching, but as there is no way of typing a null char, it won’t work). You’re looking for the first references to “Software\Policies…”. It’s the registry key that cmd.exe looks at to determine whether it should allow you to run or not.


Change P O L I C I E S to B O L I C I E S (well, whatever you want; keep the length the same though).

Save the file – run the file – voilà! A command prompt with no need to go through FTP.exe over and over.
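From the defender's side, a copy patched this way keeps the original's size and differs from it by only a byte or two, so diffing suspect executables against the known-good file exposes the edit and shows which string was touched. The following is an added example, not code from the original post: the sample bytes are constructed, `ExampleVendor` is a placeholder key name, and `diff_runs`, `utf16_context` and `classify` are hypothetical helper names.

```python
# Constructed stand-in for a known-good binary: filler bytes around a UTF-16LE
# registry path. "ExampleVendor" is a placeholder, not a real key name.
REFERENCE = (b"MZ" + bytes(62)
             + "Software\\Policies\\ExampleVendor".encode("utf-16-le")
             + bytes(32))
# Constructed tampered copy: one character changed, length preserved.
PATCHED = REFERENCE.replace("Policies".encode("utf-16-le"),
                            "Bolicies".encode("utf-16-le"))


def diff_runs(ref: bytes, cand: bytes):
    """Return [(offset, ref_bytes, cand_bytes)] for each run of differing bytes."""
    runs, start = [], None
    end = min(len(ref), len(cand))
    for i in range(end):
        if ref[i] != cand[i] and start is None:
            start = i
        elif ref[i] == cand[i] and start is not None:
            runs.append((start, ref[start:i], cand[start:i]))
            start = None
    if start is not None:
        runs.append((start, ref[start:end], cand[start:end]))
    return runs


def utf16_context(data: bytes, offset: int, width: int = 24) -> str:
    """Decode the UTF-16LE text around an offset so an analyst can read it."""
    lo = max(0, offset - width) & ~1  # assumes strings sit on a 2-byte boundary
    hi = min(len(data), offset + width)
    text = data[lo:hi].decode("utf-16-le", errors="replace")
    return "".join(c if c.isprintable() else "." for c in text)


def classify(ref: bytes, cand: bytes, max_changed: int = 16) -> str:
    """Label a candidate file relative to the known-good reference."""
    if ref == cand:
        return "identical"
    if len(ref) != len(cand):
        return "different-size"
    changed = sum(len(old) for _, old, _ in diff_runs(ref, cand))
    return "patched-copy" if changed <= max_changed else "heavily-modified"


if __name__ == "__main__":
    print(classify(REFERENCE, PATCHED))
    for off, old, new in diff_runs(REFERENCE, PATCHED):
        print(hex(off), old, new, utf16_context(PATCHED, off))
```

In practice the reference bytes would be read from the system's own cmd.exe and the candidates from executables found in user-writable locations; the `max_changed` threshold of 16 bytes is an arbitrary choice for this sketch.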

2 replies on “NFTF: Bypassing Group Policy Denied Command Prompt”

I think you’ve changed another aspect of the file. Size of the actual executable shouldn’t change and the change by 2KB suggests that perhaps you forgot the step highlighted in red above? Ensure that you only open the cmd.exe using "open as binary" mode. Without this ticked as mentioned above you’ll end up having all of your \x00 turn into \x20 and it’ll break the executable.

Using your favorite hex editor vs. being stuck with 32-bit restriction, or in later OS, not even having the option for edit.exe. Search for the hex value of Disable (include the null values – 440069007300610062006C0065), second match is the reference. Then just increment the corresponding hex value by one value of w/e character you choose. Works fine on 64-bit Windows 7.
