
Microsoft issues warning about RCE exploit in its Windows diagnostic tool


If you've ever contacted Microsoft support directly about some issue in your Windows or Windows Server system, you may have been directed to use the Microsoft Support Diagnostic Tool (MSDT). You can open it by typing msdt in Windows Run (Win + R), after which you'll be asked for a passkey provided by the support representative. Once you enter this, you will be able to run some diagnostics and send the results directly to Microsoft for further analysis.

However, Microsoft has now issued an advisory about a remote code execution (RCE) vulnerability present in MSDT. The security flaw affects virtually all supported versions of Windows and Windows Server, including Windows 7, 8.1, 10, 11, Windows Server 2008, 2012, 2016, 2019, and 2022.

The issue in question is being tracked under CVE-2022-30190 and has a high severity level. Although Microsoft hasn't gone into the full details - likely because the flaw has not been patched yet - it has explained that RCE can happen when MSDT is invoked using the URL protocol from a calling application, such as Microsoft Word.

The attacker will be able to run arbitrary code that can view, delete, or alter your files through the privileges of the calling application. So, for example, if MSDT is invoked through Microsoft Word running with admin privileges, an attacker would get the same admin privileges - which is obviously not good.

For now, Microsoft has recommended disabling MSDT through the following commands that you can run in Command Prompt:

  • Run Command Prompt as Administrator
  • To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
  • Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"

However, if you later find out that you'd rather take the risk because MSDT is critical to your workflow, you can revert the workaround through the following process:

  • Run Command Prompt as Administrator.
  • To reimport the registry key, execute the command "reg import filename"
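The two procedures above (back up and delete the ms-msdt handler, then restore it later if needed) wrapped into a pair of functions, as an added example that is not part of Microsoft's advisory. It runs the same reg.exe commands the advisory gives, but refuses to delete the key unless the export actually succeeded, and it only restores from the backup it wrote. The backup directory is an assumed location you can change; the functions must be run from an elevated PowerShell session.

```powershell
# Added example, not Microsoft's own script: CVE-2022-30190 ms-msdt workaround with backup and revert.
# Assumptions: elevated PowerShell, reg.exe on PATH, and $BackupDir as an arbitrary backup location.

$KeyPath   = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = Join-Path $env:ProgramData 'msdt-workaround'   # assumed location; pick your own
$Backup    = Join-Path $BackupDir 'ms-msdt.reg'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtProtocolDisabled {
    # $true when the ms-msdt URL handler key is absent, i.e. the workaround is in effect.
    -not (Test-Path "Registry::$KeyPath")
}

function Disable-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run from an elevated PowerShell session.' }
    if (Test-MsdtProtocolDisabled) {
        Write-Host 'ms-msdt key is not present; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Same commands as the advisory: export first, delete only if the export succeeded.
    reg.exe export $KeyPath $Backup /y
    if ($LASTEXITCODE -ne 0) { throw "Backup failed (reg export exit code $LASTEXITCODE); key left in place." }
    reg.exe delete $KeyPath /f
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    Write-Host "ms-msdt handler removed; backup written to $Backup"
}

function Restore-MsdtProtocol {
    if (-not (Test-IsElevated)) { throw 'Run from an elevated PowerShell session.' }
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup; cannot revert." }
    reg.exe import $Backup
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Host 'ms-msdt handler restored.'
}

# Apply the workaround and report the resulting state.
Disable-MsdtProtocol
Test-MsdtProtocolDisabled

# To undo later, once a patch is installed or MSDT is needed again:
# Restore-MsdtProtocol
```

Keep the .reg backup somewhere it will survive until the fix ships; the restore step depends on it. Test-MsdtProtocolDisabled is also a quick way to confirm across a fleet that the workaround is actually in place on each host.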

As it currently stands, Microsoft is still working on a fix. It has highlighted that the security flaw is being exploited in the wild, so it is important to enable cloud-delivered protection and automatic sample submission through Microsoft Defender. Meanwhile, Microsoft Defender for Endpoint customers should also configure policies to reduce the attack surface from child processes of Office apps.
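The Defender settings mentioned above, expressed with the Defender Antivirus cmdlets, as an added example rather than anything from the advisory. It turns on cloud-delivered protection and automatic sample submission, enables the attack surface reduction rule that blocks Office applications from creating child processes, and then reads the configuration back so you can verify it. The rule GUID is the one Microsoft documents for that rule; it is reproduced here from memory, so confirm it against the current Defender documentation before deploying. The script assumes Microsoft Defender Antivirus is the active antivirus on the machine (Set-MpPreference has no effect otherwise) and an elevated session.

```powershell
# Added example, not Microsoft's own script: Defender settings recommended for CVE-2022-30190.
# Assumptions: elevated PowerShell, Microsoft Defender Antivirus active, Defender cmdlets available.

# ASR rule "Block all Office applications from creating child processes".
# GUID as documented by Microsoft for this rule; verify against current documentation.
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-MsdtDefenderMitigations {
    param(
        # Start in AuditMode to see what the ASR rule would block before enforcing it.
        [ValidateSet('Enabled', 'AuditMode')]
        [string]$AsrAction = 'AuditMode'
    )
    # Cloud-delivered protection (MAPS) at the Advanced level.
    Set-MpPreference -MAPSReporting Advanced
    # Automatic sample submission so suspicious documents reach Microsoft's analysis.
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
    # Reduce the attack surface from Office child processes (the Follina-style delivery path).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions $AsrAction
}

function Get-MsdtDefenderMitigationStatus {
    # Reads the effective preferences back; values are Defender's numeric codes.
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $idx = -1
    for ($k = 0; $k -lt $ids.Count; $k++) {
        if ($ids[$k] -ieq $OfficeChildProcessRule) { $idx = $k }
    }
    $asr = if ($idx -ge 0) { $p.AttackSurfaceReductionRules_Actions[$idx] } else { 'NotConfigured' }
    [pscustomobject]@{
        CloudProtection      = $p.MAPSReporting        # 2 = Advanced
        SampleSubmission     = $p.SubmitSamplesConsent # 3 = SendAllSamples
        OfficeChildProcesses = $asr                    # 1 = Block (Enabled), 2 = AuditMode
    }
}

Enable-MsdtDefenderMitigations -AsrAction AuditMode
Get-MsdtDefenderMitigationStatus
```

Running the ASR rule in AuditMode first lets you review the Defender event log for legitimate Office add-ins or macros that spawn child processes before switching to Enabled; once you are satisfied, rerun with -AsrAction Enabled. Organisations that manage Defender through Intune or Group Policy should set the same three values there instead, since policy will overwrite local Set-MpPreference changes.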
