DCOM RunAs value altered

Risk Level: Medium

Check or Attack Name: DCOM RunAs

Platforms: Windows NT

Description:

The DCOM RunAs value was found to be altered. By default, DCOM calls are executed under the security context of the calling user. If the RunAs value has been altered, DCOM calls can instead be executed under the user context of the currently logged-in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.

Remedy:

Remove the RunAs value to restore the user context to that of the calling user.

To remove the RunAs value, follow these steps:

  1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\Software\Classes\AppID key.
  3. Locate the subkey that has had the RunAs value inserted.
  4. Delete the RunAs value.
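
The following PowerShell sketch is an added example, not part of the original advisory. It automates steps 2 through 4 by listing every AppID subkey that carries a RunAs value so each entry can be reviewed before deletion. The function names Get-DcomRunAs and Remove-DcomRunAs and the all-zero AppID are hypothetical placeholders, and the script assumes a system with PowerShell 3.0 or later and an elevated session.

```powershell
# Added example: audit HKLM\Software\Classes\AppID for RunAs values.
# Function names are hypothetical; they are not part of Windows.

function Get-DcomRunAs {
    [CmdletBinding()]
    param([string]$Root = 'HKLM:\Software\Classes\AppID')

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        # GetValue returns $null when the subkey has no RunAs value
        $runAs = $_.GetValue('RunAs', $null)
        if ($null -ne $runAs) {
            [pscustomobject]@{
                AppID    = $_.PSChildName
                Name     = $_.GetValue('')   # default value: friendly name, may be empty
                RunAs    = $runAs
                # "Interactive User" selects the currently logged-in user;
                # any other string names a specific account (the "third user").
                Identity = if ($runAs -eq 'Interactive User') { 'logged-in user' }
                           else { 'named account' }
                Path     = $_.PSPath
            }
        }
    }
}

function Remove-DcomRunAs {
    # ConfirmImpact 'High' makes PowerShell prompt before each deletion
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Path
    )
    process {
        if ($PSCmdlet.ShouldProcess($Path, 'Delete RunAs value')) {
            Remove-ItemProperty -Path $Path -Name 'RunAs'
        }
    }
}

# Step 3: list the subkeys that have a RunAs value
Get-DcomRunAs | Format-Table AppID, Name, RunAs, Identity -AutoSize

# Step 4: after review, delete RunAs from one entry (constructed placeholder AppID)
# Get-DcomRunAs |
#     Where-Object AppID -eq '{00000000-0000-0000-0000-000000000000}' |
#     Remove-DcomRunAs
```

Saving the Get-DcomRunAs output (for example with Export-Csv) before deleting anything keeps a record of the original values in case an application depends on one of them.
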