Windows NT 4.0 domain caching feature can be exploited to gain administrator privileges

Risk Level: High

Check or Attack Name: NTKnownDLLsList

Platforms: Windows NT: 3.5, Windows NT: 3.5.1, Windows NT: 4.0
Description:

Windows NT implements a feature that keeps the most frequently used DLLs in memory to improve performance and memory usage. A flaw in the permissions ordinary users have on this KnownDLLs list allows them to load malicious code into the list and point applications at the Trojan horse code, which is then executed with administrative privileges.

Remedy:

Affected users should obtain and install the smss-fix hotfix from Microsoft as soon as possible. As a temporary workaround, the following value can be added to the system registry to prevent exploitation of this vulnerability:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
Name: ProtectionMode
Type: REG_DWORD
Value: 1
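An audit script for the workaround above, added here as an example and not part of the original advisory or of Microsoft's hotfix: it reads the Session Manager key, reports whether ProtectionMode is set to 1, and with -Apply sets it. It assumes a PowerShell host with the registry provider and an elevated session for the -Apply path.

```powershell
# Added example (not from the advisory): audit, and optionally apply, the
# ProtectionMode workaround described in MS99-006 / Q218473.
param([switch]$Apply)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'ProtectionMode'

function Get-ProtectionModeState {
    # Returns 'Enabled', 'Disabled' or 'Missing' for the workaround value.
    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $valueName)) {
        return 'Missing'          # value absent: workaround not applied
    }
    if ([int]$props.$valueName -eq 1) { return 'Enabled' }
    return 'Disabled'             # present but not set to 1
}

$state = Get-ProtectionModeState
Write-Output "$valueName under Session Manager: $state"

if ($state -ne 'Enabled') {
    if ($Apply) {
        # REG_DWORD 1 restricts changes to base system objects (Q218473).
        Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord
        Write-Output "Set $valueName=1; a reboot is required for Session Manager to pick it up."
    } else {
        Write-Warning "Workaround not applied: install the smss-fix hotfix or re-run with -Apply."
    }
}
```

The hotfix remains the real fix; the script only verifies and applies the interim registry mitigation the advisory lists.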

References:

Microsoft Security Bulletin MS99-006, Fix Available for Windows NT "KnownDLLs List" Vulnerability, http://www.microsoft.com/security/bulletins/ms99-006.asp

Microsoft Knowledge Base Article Q218473, Restricting Changes to Base System Objects, http://support.microsoft.com/support/kb/articles/q218/4/73.asp

L0pht Security Advisory, Microsoft Windows NT 4.0, http://www.l0pht.com/advisories/dll_advisory.txt

BUGTRAQ Mailing List
