Hrm... 5/9/2014 2:07:00 PM

After hearing about a recent bug ( I created a C:\program.exe app to show me if some other applications might also have the same problem.

On Windows 8.1 Update 1 with all updates, after using the “Close program” gesture to close Immersive IE, I see my program.exe application runs with the following output:

Program.exe invoked with the following parameters: 

Raw command line:
        C:\Program Files\Internet Explorer\iexplore.exe -BackgroundSessionClosed 


Press any key to continue...

This link: suggests to me that the invoking code might related to the PLM system used for Metro suspension.


  1. Save as C:\program.exe (This trivial app simply shows the command line arguments that it is passed).
  2. Close Desktop IE instances.
  3. Run Metro IE. Browse a bit.
  4. Use the close gesture to close IE.

Observe: Program.exe is executed.

Arguably, this isn’t an important security issue because writing to the root requires Admin and the program is only executing with user-level permissions, but historically we’ve seen this sort of mistake used as a stepping stone of other exploits. The affected codepath may also allow repro for ANY Immersive browser (not just IE) which could have unknown security impact.

+ Comment
Eric MSRC sent this one back as "not a vulnerability" due to ACLs on the root folder.

< Eric's Blog Home

©1998-2020 Eric Lawrence