Windows LegacyHive Zero-Day Exposes Administrator Registry Hive on Fully Patched Systems


A newly disclosed Windows vulnerability called LegacyHive can allow a local, low-privileged attacker to make the User Profile Service load another user’s registry hive, including one belonging to an administrator.

The public proof of concept exposes the target user’s `UsrClass.dat` file through the attacker-controlled account. This can reveal application settings, file-association data, Windows Explorer history and other information stored in the user’s Classes registry hive.

Microsoft has not issued a CVE, security advisory or patch for LegacyHive. The company says it knows about the report and is investigating whether the claims are valid and which products may be affected.

What is the Windows LegacyHive vulnerability?

LegacyHive targets the Windows User Profile Service, also known as ProfSvc. Windows uses this service to load registry hives containing user-specific settings during logon and unload them when they are no longer needed.

The LegacyHive GitHub repository describes the issue as an arbitrary hive-loading privilege-escalation vulnerability. The code was published by a researcher using the Nightmare Eclipse and MSNightmare names.

The proof of concept manipulates how ProfSvc resolves the path to a user’s registry hive. It causes the privileged Windows service to open a different `UsrClass.dat` file from the one it initially intended to load.

LegacyHive detailCurrent status
Vulnerability typeLocal cross-user registry hive loading
Affected componentWindows User Profile Service
Required accessExisting local access to the Windows system
Additional requirement in public PoCCredentials for a second standard user
Target dataAnother user’s UsrClass.dat hive
CVE identifierNone assigned
Official patchNot available
Confirmed exploitation in attacksNo public evidence

What the public proof of concept can do

The released code requires credentials for another standard user and the username of a target account. The target can be an administrator account.

If the process succeeds, Windows mounts the target user’s Classes hive in a location accessible from the secondary user’s session. A tester can then view registry information that would normally belong only to the target profile.

Security researcher Will Dormann independently tested the code. His LegacyHive demonstration showed that the mounted administrator hive could be opened through Registry Editor from a non-administrator session.

  • The PoC requires local execution.
  • It needs valid credentials for a second standard account.
  • The target account can have administrator privileges.
  • It exposes the target’s Classes registry hive.
  • It does not directly retrieve password hashes.
  • It does not automatically produce an administrator shell.

LegacyHive does not immediately provide admin access

The public code demonstrates a security boundary problem, but it stops short of a complete local privilege-escalation exploit. Merely reading `UsrClass.dat` does not automatically let an attacker execute commands as the administrator.

The hive can contain valuable forensic and application information. However, it does not normally store the password hashes found in more sensitive system registry hives.

A detailed ThreatLocker analysis of LegacyHive concluded that significant changes would be required to transform the released PoC into a complete exploit that provides privileged code execution.

Could attackers turn hive access into privilege escalation?

Access to an administrator’s Classes hive could become more dangerous if an attacker finds a reliable way to modify it. Windows and installed applications use this area of the registry for file associations, COM registrations, shell extensions and other user-specific behavior.

Dormann demonstrated the possible effect by changing a file association in a test environment. This showed that modifying the target hive could influence what Windows launches when the administrator performs a normal action.

In a follow-up LegacyHive test, Dormann discussed overwriting a COM registration so that a chosen program could start when the affected administrator signs in. Such an attack would require write access and additional exploit development beyond the public PoC.

ClaimEvidence available
Read another user’s Classes hiveDemonstrated by the public PoC
Target an administrator profileDemonstrated
Read Windows password hashesNot demonstrated
Modify an administrator’s hivePossible with further changes, not delivered as a complete public exploit
Execute code as an administratorPotential downstream impact, not provided directly by the released PoC
Load any Windows hiveClaimed for the original private version, not demonstrated by the stripped public code

How LegacyHive manipulates the User Profile Service

The attack uses Windows Object Manager path redirection and a race condition while ProfSvc loads profile data. The PoC prepares a controlled user profile and redirects a path used to locate `UsrClass.dat`.

It then pauses access to a decoy hive and changes the path resolution before the privileged service completes the operation. ProfSvc ultimately opens and mounts the target user’s file while operating with higher privileges.

While the tool runs, a new pair of 1003 registry keys is loaded into HKEY_USERS, but their contents remain inaccessible

The technical investigation found that the code uses Object Manager symbolic links, an opportunistic lock and offline registry operations. These components create a time-of-check to time-of-use condition.

Which Windows versions are affected?

The researcher claims that LegacyHive works on all currently supported Windows desktop and server installations with the July 2026 security updates installed. That would potentially include supported Windows 10, Windows 11 and Windows Server releases.

Microsoft has not confirmed this broad affected-products claim. Organizations should therefore avoid treating the project’s compatibility statement as an official Microsoft assessment.

The fact that the PoC works on tested, fully patched systems means the July 2026 Windows security updates do not address its underlying behavior. Installing those updates remains important because they fix many unrelated vulnerabilities.

Microsoft is investigating LegacyHive

Microsoft told SecurityWeek that it is investigating the validity and potential applicability of the claims. The company said it would update affected products when necessary.

Microsoft has not published an entry for LegacyHive in the Security Update Guide. It has also not assigned a severity rating, CVSS score or formal list of affected Windows editions.

The Microsoft response reported by SecurityWeek emphasizes coordinated vulnerability disclosure. The public release occurred before Microsoft completed its investigation or released a security update.

No evidence of active LegacyHive exploitation

Public proof-of-concept code increases the possibility that other researchers or attackers will study the technique. However, there is currently no public evidence showing that threat actors are exploiting LegacyHive in real-world attacks.

The available code also contains limitations that reduce its immediate value to attackers. It requires another standard user’s credentials and only targets `UsrClass.dat`.

LegacyHive loads an admin user’s Classes registry hive, allowing another user to access it via Regedit

The researcher claims that an earlier private version did not require those credentials and could load other hives. Defenders should treat that statement as an unverified claim until independent researchers or Microsoft confirm it.

How organizations can reduce their exposure

LegacyHive requires an attacker to run code locally, so controls that prevent initial access remain important. Application allowlisting and restrictions on untrusted executables can block the public tool before it reaches ProfSvc.

Security teams can also monitor unusual access to registry hive files and activity involving explicit secondary-user credentials. Short sequences of profile-file replacement, hive loading and cleanup deserve investigation.

The published LegacyHive code creates temporary files and manipulates profile data during execution. Variants may change these indicators, so defenders should combine file, logon, process and registry telemetry.

  • Restrict local logon rights for administrative accounts.
  • Use separate privileged access workstations for administrators.
  • Apply application control to prevent unknown executables.
  • Monitor cross-user access to `ntuser.dat` and `UsrClass.dat`.
  • Investigate profile hives copied to temporary or unusual directories.
  • Monitor rapid replacement and restoration of profile files.
  • Review Windows events for explicit credential use and unexpected logons.
  • Watch for suspicious changes to file associations and COM registrations.
  • Install any Microsoft fix as soon as one becomes available.

Systems where the LegacyHive tool appears should undergo investigation for broader compromise. The tool requires prior local access, meaning its presence may indicate that another weakness or stolen credential enabled the attacker to reach the machine first.

FAQ

What is the Windows LegacyHive vulnerability?

LegacyHive is a reported Windows User Profile Service vulnerability that can cause the service to load another user’s registry hive into a session controlled by a local attacker.

Does LegacyHive give attackers administrator access?

The public proof of concept does not directly provide administrator access. It demonstrates access to an administrator’s Classes registry hive. Additional modifications and a reliable execution method would be required to turn that access into privilege escalation.

Does LegacyHive work remotely?

No. LegacyHive is a local, post-compromise vulnerability. An attacker must already have the ability to run code on the Windows system.

Which Windows versions are affected by LegacyHive?

The researcher claims that all currently supported Windows desktop and server versions are affected, including systems with the July 2026 updates. Microsoft has not confirmed the complete affected-products list.

Has Microsoft patched LegacyHive?

No dedicated LegacyHive patch or advisory is available. Microsoft says it is investigating the report and will update affected products when necessary.

Is LegacyHive being exploited in attacks?

There is no public evidence of active LegacyHive exploitation. Proof-of-concept source code is publicly available, which may increase the risk of further research and weaponization.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages