If you try to run the command «wusa.exe c:\temp\file.cab /extract:c:\temp2\» in Windows 10, you will get this error:
Microsoft removed this option because of a security issue with the extract option. I found out that it was removed because I was trying to bypass UAC on Windows 10. An old trick is to leverage WUSA to place files in system-protected areas without triggering UAC. In order for this to work, the logged-in user must be a local administrator.
Let me try to explain a little better. When you start CMD.exe as an administrator you will have to answer Yes to User Account Control in order for the process to start with HIGH integrity level.
Using Process Explorer you can see what sort of integrity level the process has. For this blog post I have started one instance of CMD as administrator and one without.
As you can see I have one with HIGH and one with MEDIUM. Now for the fun part. If you start WUSA.exe it will not trigger User Account Control, but it runs in HIGH integrity mode. Some Windows internal exe files are set to auto-elevate by design. You can actually see it on the icon if you look at it. It has the Windows UAC shield on it:
WUSA is one example and SYSPREP.exe is another. So how is /extract a security issue? I will try to illustrate with an example. This example will work on Windows 7/8/8.1.
First I will have to create a CAB file containing an «evil» file. I will use makecab for that purpose.
I have placed an evil.dll file inside my UAC-Example folder and I use the command «makecab c:\uac-example\evil.dll c:\uac-example\evil.cab» to make a cabinet file of the dll.
Next I will run «WUSA.exe c:\uac-example\evil.cab /extract:c:\windows\system32». This command will extract the dll file from the cabinet file and place it in system32 without triggering «User Account Control».
So there you have it, the reason why the extract option is gone in Windows 10.
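On Windows 7/8/8.1 systems where /extract still works, the command above is easy to spot in process-creation logs. The following Python sketch is an added example, not code from the original post: it flags wusa.exe command lines whose /extract destination resolves into a protected directory. The event field names (`Image`, `CommandLine`), the protected directory list and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed list of directories a medium-integrity process cannot write to.
PROTECTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# /extract:<path>, where the path may be wrapped in double quotes.
EXTRACT_RE = re.compile(r'/extract:(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def extract_target(image, command_line):
    """Return the normalized /extract destination of a wusa.exe call, else None."""
    if ntpath.basename(image).lower() != "wusa.exe":
        return None
    match = EXTRACT_RE.search(command_line)
    if not match:
        return None
    raw = match.group(1) or match.group(2)
    # normpath collapses ".." and "/" so c:\temp\..\windows is still caught.
    return ntpath.normpath(raw).lower().rstrip("\\")


def is_protected(path):
    """True when path is a protected directory or lies beneath one."""
    return any(path == d or path.startswith(d + "\\") for d in PROTECTED_DIRS)


def suspicious_extractions(events):
    """Return (command_line, target) for wusa.exe extractions into protected dirs."""
    hits = []
    for event in events:
        target = extract_target(event["Image"], event["CommandLine"])
        if target and is_protected(target):
            hits.append((event["CommandLine"], target))
    return hits


# Constructed events; the first two command lines are the ones quoted in the post.
WUSA = r"C:\Windows\System32\wusa.exe"
SAMPLE_EVENTS = [
    {"Image": WUSA, "CommandLine": "wusa.exe c:\\temp\\file.cab /extract:c:\\temp2\\"},
    {"Image": WUSA,
     "CommandLine": r"WUSA.exe c:\uac-example\evil.cab /extract:c:\windows\system32"},
    {"Image": WUSA, "CommandLine": r'wusa.exe a.cab /extract:"C:\Temp\..\Program Files\App"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo /extract:c:\windows"},
]

if __name__ == "__main__":
    for command_line, target in suspicious_extractions(SAMPLE_EVENTS):
        print(f"ALERT wusa.exe extraction into {target}: {command_line}")
```

Extraction to an unprotected folder such as c:\temp2 is not flagged, so legitimate unpacking of update packages does not generate noise.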