Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Server, Enterprise Edition
  • Microsoft Windows NT 4.0 Server, Terminal Server Edition
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

    According to the discoverer, Windows uses a specific search order for executables that are defined in the Registry. If those definition use relative path names instead of absolute path names then it is possible to cause a Trojan to run instead of the legimate execuatable. The search order used is as follows:

    • The directory where the calling application loaded from
  • The current directory of the parent process
  • The 32-bit Windows system directory: System32
  • The 16-bit Windows system directory: System
  • The Windows directory: %SYSTEMROOT%
  • The directories listed in the PATH environment variable

    During the system boot sequence, any file named EXPLORER.EXE located in the boot drives root directory will load instead of the legitimate version, normally located in the %SYSTEMROOT% directory.


    Microsoft released a FAQ, Support Online article Q269049, as well as patches for Windows 2000 and NT 4.0.

    Discovered by Alberto Argones