But I can't imagine how bad the code must be in cmd.exe that this can occour.
Alternative theory might then be that it's a "hidden feature" for whatever purposes e.g. to somehow aid in-house batch file debugging. However, I find that theory unsatisfactory, too. So, bottom line, I am just as mystified as you are.
I totally absolutely disagree - it could be a deliberate assist for in-house purposes.
Some years ago it was either an Emergency Out of Band or a Patch Tuesday Security update that "updated" the heart of Windows.
I am fairly certain it was Explorer.exe.
Strange thing is that the new versions was :-
Significantly smaller ;
had identical version strings and creation / modification dates.
When I developed software using the 'C' language, a simple Header.H file determined whether DEBUG=TRUE or DEBUG=FALSE.
During development the DEBUG code was active and wasted 90% of the CPU cycles to ensure that only 10% was needed by active code,
and there were many supplementary run-time checks to facilitate testing and validate all assumptions,
and a flag on display to ensure instant recognition if DEBUG code ever got into equipment for the customer.
I never failed to cancel DEBUG=TRUE when releasing code to production.
It was instantly recognizable to me that regardless of whether Microsoft use 'C' or something else,
they had issued Explorer.exe with some form of "DEBUG" incorporated,
and the latest exploit was utilizing their "DEBUG" code,
hence Security update merely cancelled the "DEBUG" mode and thus stripped out the malware target and gave a SMALLER executable,
but the software library was totally unaltered - no other files were changed, no version strings were updated.
CMD.EXE starts with what COMMAND.COM did, does not quite implement exactly what it did, and throws in a great big bundle of extras.
It obviously needed debugging and I doubt that I am the only genius to use a tiny change in one file to supplement the intended product with extra DEBUG goodies.
30 years ago my software ran 24 hours a day 365 days a year giving non-stop security protection to military installations.
I never risked releasing DEBUG code
DOS and Windows were happy to give BSOD's every day and swear at users for not "shutting down properly.
The probably bundle DEBUG into everything they do and simply flip the debug switch when malware targets that aspect of Windows.