Today, the standard for Windows applications is 64-bit with 32-bit being supported for legacy backwards-compatibility. 64-bit applications will run on 64-bit operating systems and 64-bit-capable hardware supporting up to 16 exabytes of RAM. 32-bit applications will run on 32-bit operating systems with 32-bit-capable hardware supporting up to four gigabytes of RAM, as well as on 64-bit OSs. Years before this, however, 16-bit applications with 16 kilobyte RAM support were the standard.
Although that era, Windows 9x and earlier, is long past, 32-bit versions of today's Windows OSs still ship 16-bit applications for backwards compatibility.
In terms of workstation security and policy compliance, this creates an issue because the 16-bit command prompt, command.com, is not covered by the policy used to disable the 32-bit command prompt, cmd.exe.
In the HKCU\Software\Policies\Microsoft\Windows\System key, there is a DWORD value called DisableCMD. A value of 0 means that cmd.exe is allowed, 1 means that it is disabled altogether, and 2 means that the cmd.exe shell is disabled but batch files can run. This registry value can also be controlled using Group Policy on Windows NT 4 and above. Unfortunately for administrators, this reg value doesn’t affect command.com — only cmd.exe.
As a result, if a user launches command.com, either manually or from a batch file (which the policy still permits when the value is set to 2), they have access to a command prompt. To make matters worse, because this program predates UAC, it is not launched in a restricted context by default. In other words, if the user is a local administrator, command.com runs as administrator by default.
From here a user can do things like creating a new local admin account for himself — or worse.
To prevent a clever user from discovering this vulnerability in your security, there are two options — Group Policy and logon scripts.
Using the Group Policy Management Console (gpmc.msc), navigate to User Configuration\Policies\Administrative Templates\Windows Components\Application Compatibility and open Prevent Access to 16-bit Applications. Set this to Enabled.
Using (Group Policy) logon scripts, create a logon script in which the program being called is %SystemRoot%\System32\icacls.exe and the argument is %SystemRoot%\System32\ntvdm.exe /E /D %username%. If you prefer to add a line to an existing batch file, below is what would go in this file.
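As an added compliance check, not part of the original post, the PowerShell script below reports whether the three controls discussed above line up on a given workstation: the DisableCMD value, the "Prevent Access to 16-bit Applications" policy, and an explicit deny entry on ntvdm.exe for the logged-on user. It assumes the policy is backed by the VDMDisallowed DWORD under the AppCompat policy key (machine or user scope) and that a logon script deny was applied to the user's own account rather than to a group. One caveat on the logon-script step: `/E /D` are cacls.exe switches; if the script calls icacls.exe, the equivalent syntax is `icacls <file> /deny <user>:F`.

```powershell
# Added audit script (not from the original post). It reports whether the
# cmd.exe policy, the 16-bit application policy and the ntvdm.exe ACL together
# close the command.com loophole described above.
# Assumptions: VDMDisallowed under the AppCompat policy key is the registry
# backing of "Prevent Access to 16-bit Applications"; the deny ACE, if any,
# names the current user directly rather than a group.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null if the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-CommandComExposure {
    $result = [ordered]@{}

    # 1. DisableCMD only governs cmd.exe: 0 = allowed, 1 = disabled, 2 = batch files only.
    $disableCmd = Get-RegistryDword 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    $result.DisableCMD    = $disableCmd
    $result.CmdRestricted = ($disableCmd -eq 1 -or $disableCmd -eq 2)

    # 2. Is the 16-bit subsystem even present? Only 32-bit Windows ships ntvdm.exe.
    $ntvdm      = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $commandCom = Join-Path $env:SystemRoot 'System32\command.com'
    $result.NtvdmPresent      = Test-Path $ntvdm
    $result.CommandComPresent = Test-Path $commandCom

    # 3. "Prevent Access to 16-bit Applications" (assumed registry backing, machine or user scope).
    $vdmMachine = Get-RegistryDword 'HKLM:\Software\Policies\Microsoft\Windows\AppCompat' 'VDMDisallowed'
    $vdmUser    = Get-RegistryDword 'HKCU:\Software\Policies\Microsoft\Windows\AppCompat' 'VDMDisallowed'
    $result.VDMDisallowed = ($vdmMachine -eq 1 -or $vdmUser -eq 1)

    # 4. Explicit deny ACE on ntvdm.exe for the current user (the logon-script approach).
    $result.NtvdmDeniedForUser = $false
    if ($result.NtvdmPresent) {
        $acl = Get-Acl -Path $ntvdm
        $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq $me) {
                $result.NtvdmDeniedForUser = $true
            }
        }
    }

    # A gap exists when cmd.exe is restricted but 16-bit code can still be run.
    $result.Gap = ($result.CmdRestricted -and $result.NtvdmPresent -and
                   -not ($result.VDMDisallowed -or $result.NtvdmDeniedForUser))
    return [pscustomobject]$result
}

Test-CommandComExposure | Format-List
```

Run it in the user's own session so the HKCU values and the identity used for the ACL comparison match the account the policy is meant to restrict; a Gap of True on a 32-bit workstation means the DisableCMD setting is in place but nothing stops command.com from running.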