Windows LegacyHive Zero-Day Exposes Administrator Registry Hive on Fully Patched Systems
A newly disclosed Windows vulnerability called LegacyHive can allow a local, low-privileged attacker to make the User Profile Service load another user’s registry hive, including one belonging to an administrator.
The public proof of concept exposes the target user’s `UsrClass.dat` file through the attacker-controlled account. This can reveal application settings, file-association data, Windows Explorer history and other information stored in the user’s Classes registry hive.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Microsoft has not issued a CVE, security advisory or patch for LegacyHive. The company says it knows about the report and is investigating whether the claims are valid and which products may be affected.
What is the Windows LegacyHive vulnerability?
LegacyHive targets the Windows User Profile Service, also known as ProfSvc. Windows uses this service to load registry hives containing user-specific settings during logon and unload them when they are no longer needed.
The LegacyHive GitHub repository describes the issue as an arbitrary hive-loading privilege-escalation vulnerability. The code was published by a researcher using the Nightmare Eclipse and MSNightmare names.
The proof of concept manipulates how ProfSvc resolves the path to a user’s registry hive. It causes the privileged Windows service to open a different `UsrClass.dat` file from the one it initially intended to load.
| LegacyHive detail | Current status |
|---|---|
| Vulnerability type | Local cross-user registry hive loading |
| Affected component | Windows User Profile Service |
| Required access | Existing local access to the Windows system |
| Additional requirement in public PoC | Credentials for a second standard user |
| Target data | Another user’s UsrClass.dat hive |
| CVE identifier | None assigned |
| Official patch | Not available |
| Confirmed exploitation in attacks | No public evidence |
What the public proof of concept can do
The released code requires credentials for another standard user and the username of a target account. The target can be an administrator account.
If the process succeeds, Windows mounts the target user’s Classes hive in a location accessible from the secondary user’s session. A tester can then view registry information that would normally belong only to the target profile.
Security researcher Will Dormann independently tested the code. His LegacyHive demonstration showed that the mounted administrator hive could be opened through Registry Editor from a non-administrator session.
- The PoC requires local execution.
- It needs valid credentials for a second standard account.
- The target account can have administrator privileges.
- It exposes the target’s Classes registry hive.
- It does not directly retrieve password hashes.
- It does not automatically produce an administrator shell.
LegacyHive does not immediately provide admin access
The public code demonstrates a security boundary problem, but it stops short of a complete local privilege-escalation exploit. Merely reading `UsrClass.dat` does not automatically let an attacker execute commands as the administrator.
The hive can contain valuable forensic and application information. However, it does not normally store the password hashes found in more sensitive system registry hives.
A detailed ThreatLocker analysis of LegacyHive concluded that significant changes would be required to transform the released PoC into a complete exploit that provides privileged code execution.
Could attackers turn hive access into privilege escalation?
Access to an administrator’s Classes hive could become more dangerous if an attacker finds a reliable way to modify it. Windows and installed applications use this area of the registry for file associations, COM registrations, shell extensions and other user-specific behavior.
Dormann demonstrated the possible effect by changing a file association in a test environment. This showed that modifying the target hive could influence what Windows launches when the administrator performs a normal action.
In a follow-up LegacyHive test, Dormann discussed overwriting a COM registration so that a chosen program could start when the affected administrator signs in. Such an attack would require write access and additional exploit development beyond the public PoC.
| Claim | Evidence available |
|---|---|
| Read another user’s Classes hive | Demonstrated by the public PoC |
| Target an administrator profile | Demonstrated |
| Read Windows password hashes | Not demonstrated |
| Modify an administrator’s hive | Possible with further changes, not delivered as a complete public exploit |
| Execute code as an administrator | Potential downstream impact, not provided directly by the released PoC |
| Load any Windows hive | Claimed for the original private version, not demonstrated by the stripped public code |
How LegacyHive manipulates the User Profile Service
The attack uses Windows Object Manager path redirection and a race condition while ProfSvc loads profile data. The PoC prepares a controlled user profile and redirects a path used to locate `UsrClass.dat`.
It then pauses access to a decoy hive and changes the path resolution before the privileged service completes the operation. ProfSvc ultimately opens and mounts the target user’s file while operating with higher privileges.

The technical investigation found that the code uses Object Manager symbolic links, an opportunistic lock and offline registry operations. These components create a time-of-check to time-of-use condition.
Which Windows versions are affected?
The researcher claims that LegacyHive works on all currently supported Windows desktop and server installations with the July 2026 security updates installed. That would potentially include supported Windows 10, Windows 11 and Windows Server releases.
Microsoft has not confirmed this broad affected-products claim. Organizations should therefore avoid treating the project’s compatibility statement as an official Microsoft assessment.
The fact that the PoC works on tested, fully patched systems means the July 2026 Windows security updates do not address its underlying behavior. Installing those updates remains important because they fix many unrelated vulnerabilities.
Microsoft is investigating LegacyHive
Microsoft told SecurityWeek that it is investigating the validity and potential applicability of the claims. The company said it would update affected products when necessary.
Microsoft has not published an entry for LegacyHive in the Security Update Guide. It has also not assigned a severity rating, CVSS score or formal list of affected Windows editions.
The Microsoft response reported by SecurityWeek emphasizes coordinated vulnerability disclosure. The public release occurred before Microsoft completed its investigation or released a security update.
No evidence of active LegacyHive exploitation
Public proof-of-concept code increases the possibility that other researchers or attackers will study the technique. However, there is currently no public evidence showing that threat actors are exploiting LegacyHive in real-world attacks.
The available code also contains limitations that reduce its immediate value to attackers. It requires another standard user’s credentials and only targets `UsrClass.dat`.

The researcher claims that an earlier private version did not require those credentials and could load other hives. Defenders should treat that statement as an unverified claim until independent researchers or Microsoft confirm it.
How organizations can reduce their exposure
LegacyHive requires an attacker to run code locally, so controls that prevent initial access remain important. Application allowlisting and restrictions on untrusted executables can block the public tool before it reaches ProfSvc.
Security teams can also monitor unusual access to registry hive files and activity involving explicit secondary-user credentials. Short sequences of profile-file replacement, hive loading and cleanup deserve investigation.
The published LegacyHive code creates temporary files and manipulates profile data during execution. Variants may change these indicators, so defenders should combine file, logon, process and registry telemetry.
- Restrict local logon rights for administrative accounts.
- Use separate privileged access workstations for administrators.
- Apply application control to prevent unknown executables.
- Monitor cross-user access to `ntuser.dat` and `UsrClass.dat`.
- Investigate profile hives copied to temporary or unusual directories.
- Monitor rapid replacement and restoration of profile files.
- Review Windows events for explicit credential use and unexpected logons.
- Watch for suspicious changes to file associations and COM registrations.
- Install any Microsoft fix as soon as one becomes available.
Systems where the LegacyHive tool appears should undergo investigation for broader compromise. The tool requires prior local access, meaning its presence may indicate that another weakness or stolen credential enabled the attacker to reach the machine first.
FAQ
LegacyHive is a reported Windows User Profile Service vulnerability that can cause the service to load another user’s registry hive into a session controlled by a local attacker.
The public proof of concept does not directly provide administrator access. It demonstrates access to an administrator’s Classes registry hive. Additional modifications and a reliable execution method would be required to turn that access into privilege escalation.
No. LegacyHive is a local, post-compromise vulnerability. An attacker must already have the ability to run code on the Windows system.
The researcher claims that all currently supported Windows desktop and server versions are affected, including systems with the July 2026 updates. Microsoft has not confirmed the complete affected-products list.
No dedicated LegacyHive patch or advisory is available. Microsoft says it is investigating the report and will update affected products when necessary.
There is no public evidence of active LegacyHive exploitation. Proof-of-concept source code is publicly available, which may increase the risk of further research and weaponization.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages