Grzegorz/@0gtweet tweeted something recently that I thought was fascinating, suggesting that a Registry modification might be considered an LOLBin. What he shared was pretty interesting, so I tried it out.
First, the Registry modification:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\Utilities\query" /v LOLBin /t REG_MULTI_SZ /d 0\01\0LOLBin\0calc.exe
Then the command to launch calc.exe:
query LOLBin
Now, I’ve tried this on a Windows 10 system and it works great, even though Terminal Services isn’t actually running on this system. Running just the “query” command on both Windows 10 and Windows 11 systems (neither with Terminal Services running) results in the same output on both:
C:\Users\harlan>query
Invalid parameter(s)
QUERY { PROCESS | SESSION | TERMSERVER | USER }
Running the "query" command with one of its parameters (i.e., "process", "user", etc.) causes query.exe to look up the matching value under the "query" key and proxy the command to the executable named in that value, as illustrated in figure 1.
Fig 1: query key values
As such, running “query user” runs quser.exe, and you see the same output as if you simply ran “quser”.
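A hunting script for this technique, added here as an example and not part of the original post or of Grzegorz's tweet: it enumerates the three Utilities subkeys (query, change and reset), splits each REG_MULTI_SZ value the way the post shows it (0, 1, subcommand, executable) and flags any entry whose executable is not in an assumed baseline of the stock Windows binaries, or does not resolve to a file under System32. The baseline table and the System32 check are my assumptions taken from a reference build, not something the post states; compare them against a clean host of your own build before relying on them.

```powershell
# Added example, not from the original post. Enumerates the Terminal Server
# "Utilities" proxy entries and flags anything outside an assumed baseline.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Utilities'

# Assumed baseline of the stock executables per subkey (verify on a clean host
# of your own Windows build; this is not from the post).
$baseline = @{
    'query'  = @('qprocess.exe', 'qwinsta.exe', 'qappsrv.exe', 'quser.exe')
    'change' = @('chglogon.exe', 'chgport.exe', 'chgusr.exe')
    'reset'  = @('rwinsta.exe')
}

$findings = foreach ($sub in 'query', 'change', 'reset') {
    $key = Join-Path $base $sub
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key

    foreach ($name in $item.GetValueNames()) {
        $data = $item.GetValue($name)            # REG_MULTI_SZ comes back as string[]
        if ($data -isnot [string[]] -or $data.Count -lt 4) {
            # Not in the four-string layout the post shows; report it as-is.
            [pscustomobject]@{
                Subkey = $sub; ValueName = $name; Command = $null
                Executable = ($data -join '|'); InSystem32 = $false; InBaseline = $false
            }
            continue
        }

        # Layout seen in the post: "0", "1", <subcommand>, <executable>
        $command = $data[2]
        $exe     = $data[3]
        $exeName = [System.IO.Path]::GetFileName($exe).ToLower()

        # A bare file name is resolved relative to System32; a rooted path is
        # checked where it points (an attacker may supply a full path).
        $resolved = if ([System.IO.Path]::IsPathRooted($exe)) { $exe }
                    else { Join-Path "$env:SystemRoot\System32" $exe }

        [pscustomobject]@{
            Subkey     = $sub
            ValueName  = $name
            Command    = $command
            Executable = $exe
            InSystem32 = (Test-Path $resolved) -and
                         -not [System.IO.Path]::IsPathRooted($exe)
            InBaseline = $baseline[$sub] -contains $exeName
        }
    }
}

# Anything outside the baseline, or not resolving to a System32 binary, is
# worth a look. The post's "LOLBin -> calc.exe" entry is caught by InBaseline,
# since calc.exe does live in System32.
$findings | Where-Object { -not $_.InBaseline -or -not $_.InSystem32 } |
    Format-Table -AutoSize
```

Run it from an elevated prompt if you also want to remediate; reading the key does not require elevation, but writing to it (which is what the reg add in the post does) does, so a write to this key path is a sensible thing to alert on with Sysmon's registry value-set event (Event ID 13) in addition to the periodic sweep above.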
Note that the Utilities key has two other subkeys, in addition to “query”; “change” and “reset”,
[…]