
Microsoft’s Settings App Potentially Leaves Windows 10 Wide Open to Attack

Microsoft’s evolving Settings app in Windows 10 holds a new filetype that has too many privileges and is open to exploit, according to security experts.


Microsoft has been working on its Settings app in Windows 10 for a couple of years. The app is eventually replacing Control Panel as the hub for all settings on the platform. However, changing the fabric of the operating system is not without its risks. It appears a flaw in Settings allows the app to be exploited.

The problem stems from a new file type called “.SettingContent-ms”. Yes, this is a Microsoft file for Windows 10 and comes with a range of privileges. At its core, the file allows shortcuts to be made to the Settings app.

Despite its apparent usefulness, SpecterOps security researcher Matt Nelson says the XML file is too widespread and can be exploited.

According to Nelson, the SettingContent-ms file accepts any filepath in its deeplink, including PowerShell and CMD paths. In other words, this means the file can perform one task simultaneously with another, without the user knowing there is a secondary task running:

“So, we now have a file type that allows arbitrary shell command execution and displays zero warnings or dialogues to the user. When trying to get initial access, going across a target's perimeter with an unusual file type can be risky. Ideally, this file would be placed in a container of a more common file type, such as an Office document.”
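A defender's triage check for the deeplink behaviour described above, as an added example that is not from the original article or from Nelson's research. It extracts every DeepLink value from a `.SettingContent-ms` file and escalates those that reference a command interpreter; the function names, the interpreter list, the wrapper elements and both sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed, non-exhaustive list of interpreters a Settings shortcut should never launch.
INTERPRETERS = re.compile(
    r"(?i)\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b")

# Constructed samples. Only DeepLink is named in the article; the wrapper
# elements and the namespace are placeholders for illustration.
SAMPLE_SHELL = rb"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings><SearchableContent xmlns="urn:example:constructed">
  <ApplicationInformation>
    <DeepLink>%windir%\system32\cmd.exe /c echo constructed-sample</DeepLink>
  </ApplicationInformation>
</SearchableContent></PCSettings>"""
SAMPLE_SETTINGS = SAMPLE_SHELL.replace(
    rb"cmd.exe /c echo constructed-sample", rb"control.exe /name Microsoft.AutoPlay")

def deeplinks(xml_bytes):
    """Return the text of every DeepLink element, whatever its namespace or case."""
    if b"<!DOCTYPE" in xml_bytes.upper():
        # A shortcut file has no need for a DTD; refuse it rather than expand entities.
        raise ValueError("unexpected DOCTYPE")
    root = ET.fromstring(xml_bytes)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1].lower() == "deeplink"]

def triage(filename, xml_bytes):
    """Return (verdict, deeplinks) for one attachment or extracted embedded object."""
    if not filename.lower().endswith(".settingcontent-ms"):
        return "not-applicable", []
    try:
        links = deeplinks(xml_bytes)
    except (ET.ParseError, ValueError):
        return "malformed", []          # quarantine: cannot be inspected safely
    hits = [link for link in links if INTERPRETERS.search(link)]
    # Any DeepLink arriving from outside deserves review; interpreters are escalated.
    return ("suspicious", hits) if hits else ("review", links)

if __name__ == "__main__":
    for name, data in [("invoice.SettingContent-ms", SAMPLE_SHELL),
                       ("autoplay.SettingContent-ms", SAMPLE_SETTINGS)]:
        print(name, *triage(name, data))
```

The same check applies to objects extracted from an Office document, since the article notes that the file can be embedded in one.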

Bypassing Windows Defence

Worryingly, the filetype also bypasses Windows Defender and navigates past Attack Surface Reduction (ASR) in Office.

“When a document comes from the internet with a .SettingContent-ms file embedded in it, the only thing the user sees is the “Open Package Contents” prompt. Clicking “Open” will result in execution. If an environment doesn't have any Attack Surface Reduction rules enabled, this is all an attacker needs to execute code on the endpoint. I was curious, so I poked at how this holds up with ASR's child process creation rules enabled.”

So, SettingContent-ms is wide open. Still, Microsoft does not believe the file is a security problem and will likely keep it intact. However, Nelson says he thinks the company will add it to a blacklist of filetypes that Windows checks when files are downloaded from the internet.

Luke Jones