Microsoft warns of RCE vulnerability in Windows diagnostic tool

If you've ever contacted Microsoft support to get Windows or Windows Server issues resolved, you've probably been guided through the Microsoft Support Diagnostic Tool (MSDT).

You can open it by typing msdt into Windows Run (Win + R) and then entering the passkey provided by the support staff. Once the key is entered, you can run some diagnostics and send the results directly to Microsoft for further analysis.

However, recently Microsoft has issued a warning about a remote code execution (RCE) vulnerability in MSDT. This security vulnerability affects virtually all versions of Windows and Windows Server including Windows 7, 8.1, 10, 11, Windows Server 2008, 2012, 2016, 2019 and 2022.


This vulnerability has been assigned the tracking code CVE-2022-30190 and carries a high severity rating. Because the vulnerability has not yet been patched, Microsoft did not disclose details, explaining only that RCE can occur when MSDT is invoked using the URL protocol from a calling application, such as Microsoft Word.

An attacker can run arbitrary code that can view, delete, or change your files with the privileges of the calling application. For example, if MSDT is invoked through Microsoft Word running with administrative privileges, the attacker gains those same administrative privileges, which is not good for anyone.

Currently, Microsoft recommends that users disable the MSDT URL protocol through Command Prompt commands. The steps are as follows:

  1. Run Command Prompt as Admin.
  2. Back up the registry key with the command: `reg export HKEY_CLASSES_ROOT\ms-msdt filename`
  3. Execute the command: `reg delete HKEY_CLASSES_ROOT\ms-msdt /f`

If you later feel that MSDT is very important to your work and you accept the risk, you can restore MSDT by following these steps:

  1. Run Command Prompt as Admin.
  2. Restore the registry key from the previous backup file: `reg import filename`

Note: In both sections, filename is a name you choose yourself. Use it when creating the backup, and enter the same name when restoring.
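The same workaround as a script, added here as an example rather than anything Microsoft published: it refuses to delete the key unless the backup file was actually written, and exposes a check you can run on a fleet to see whether the ms-msdt handler is still registered. The backup directory `$BackupDir` is an assumed location; the session must be elevated.

```powershell
# Added example (not from the article): apply Microsoft's registry workaround for
# CVE-2022-30190 with a verified backup, and report whether the handler is present.
# Assumes an elevated PowerShell session; $BackupDir is an assumed, adjustable path.

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir  = 'C:\msdt-backup'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupFile = Join-Path $BackupDir "ms-msdt-$Stamp.reg"

function Test-MsdtHandlerPresent {
    # The URL-protocol path to MSDT only exists while this key is registered,
    # so "present" means the workaround has not been applied on this host.
    return (Test-Path "Registry::$Key")
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host "ms-msdt handler is already absent; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Step 2 of the article: export the key before touching it (/y overwrites silently).
    reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup failed; refusing to delete $Key without a restorable copy."
    }

    # Step 3 of the article: remove the handler so Office cannot reach MSDT via ms-msdt:.
    reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed for $Key" }
    Write-Host "Handler removed. Backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    param([Parameter(Mandatory)][string]$File)
    # Reverses the workaround once a patch is installed and the risk is accepted.
    reg.exe import $File
    if ($LASTEXITCODE -ne 0) { throw "reg import failed for $File" }
    Write-Host "Handler restored from $File"
}

Disable-MsdtHandler
```

Run `Test-MsdtHandlerPresent` on its own (it returns `$false` once the key is gone) to confirm the workaround is in place, and `Restore-MsdtHandler -File <backup.reg>` to undo it.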

Currently, Microsoft is still working on a patch for this vulnerability. The software giant emphasized that the vulnerability is being actively exploited by attackers, so users should be very careful.

For additional protection, users should enable cloud-delivered protection and automatic sample submission in Microsoft Defender. Meanwhile, customers using Microsoft Defender for Endpoint can configure attack surface reduction rules to block Office applications from creating child processes.
