Contrary to the Windows 2000 documentation, the path search performed during startup begins at the C: root.

Any user could copy a program named Explorer.exe to the C: root, and it would be run in place of the shell, which is invoked via the following registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

NOTE: The Shell value contains the Explorer.exe string. If the string included the full path to Explorer.exe, C:\WinNT\Explorer.exe by default, this behavior would not happen.
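
One way to check a machine for the condition described above, as an added example that is not part of the original tip or of Microsoft's fix: this PowerShell script reads the Winlogon Shell value, flags any entry that is not a full path, and reports whether a file of the same name exists in the C: root. It assumes PowerShell 3.0 or later on the machine being audited; the helper name Test-ShellEntry is hypothetical.

```powershell
# Added example: audit the Winlogon Shell value for the relative-path condition.
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-ShellEntry {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Entry,
        [string]$Root = 'C:\'   # the root the text says is searched first
    )
    # Isolate the program token: a quoted path, or the text before the first space.
    if ($Entry -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Entry.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Fully qualified means a drive-letter path (C:\...) or a UNC path (\\server\...).
    $qualified = $exe -match '^([A-Za-z]:\\|\\\\)'

    # A bare name is resolved by search, so look for a same-named file in the root.
    $leaf = Split-Path -Path $exe -Leaf
    if (-not [System.IO.Path]::HasExtension($leaf)) { $leaf += '.exe' }
    $candidate = Join-Path -Path $Root -ChildPath $leaf
    $present = (-not $qualified) -and (Test-Path -LiteralPath $candidate -PathType Leaf)

    [pscustomobject]@{
        Entry           = $Entry.Trim()
        FullyQualified  = [bool]$qualified
        RootCandidate   = $candidate
        RootFilePresent = [bool]$present
    }
}

# Split on commas in case the value lists more than one program.
$shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell).Shell
$shell -split ',' | Where-Object { $_.Trim() } |
    ForEach-Object { Test-ShellEntry -Entry $_ } | Format-Table -AutoSize
```

A row with FullyQualified False and RootFilePresent True is the case this tip describes and warrants investigating the file in the root.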

Microsoft has released a hotfix to correct this vulnerability, which will probably be included in SP2. If you want it now, download Q269049_w2k_sp2_x86_en.exe.

The English version of this fix should have the following file attributes or later:

   Date      Time    Size     File name
   ---------------------------------------
   07/18/00  05:07p  331,536  Msgina.dll
   07/18/00  05:07p   17,680  Userinit.exe

For Windows NT 4.0, the fix is at

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23360.

NOTE: Select Intel or Alpha.

The English version of this fix should have the following file attributes or later:

   Date      Time    Size     File name   Platform
   -----------------------------------------------
   07/18/00  07:27p  124,176  Msgina.dll  Intel
   07/18/00  07:25p  160,528  Msgina.dll  Alpha

For Windows NT Server 4.0, Terminal Server Edition, the fix is at

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23421.

NOTE: Select Intel, Q269049i.EXE, or Alpha, Q269049a.EXE.

The English version of this fix should have the following file attributes or later:

   Date      Time    Size     File name   Platform
   -----------------------------------------------
   07/18/00  07:22p  207,120  Msgina.dll  Intel
   07/18/00  07:08p  259,344  Msgina.dll  Alpha