Full Report
Experts say it’s a useful post-compromise tool, for those with the brain cells required to put it together
Analysis Summary
# Vulnerability: LegacyHive (Windows User Profile Service LPE)
## CVE Details
- **CVE ID**: N/A (Zero-day; no identifier assigned at time of reporting)
- **CVSS Score**: Not yet rated (Estimated High)
- **CWE**: CWE-284: Improper Access Control / CWE-269: Improper Privilege Management
## Affected Systems
- **Products**: Microsoft Windows
- **Versions**: All versions, including those fully patched up to July 2026 (based on researcher claims).
- **Configurations**: Systems running the Windows User Profile Service (`profsvc`).
## Vulnerability Description
LegacyHive is a local privilege escalation (LPE) vulnerability existing in the **Windows User Profile Service (`profsvc`)**. The flaw relates to how the service handles the loading of registry hives. Specifically, it abuses arbitrary registry hive loading, allowing a standard, non-privileged user to mount another user’s hive (including an Administrator’s) into their own `HKEY_CLASSES_ROOT`. This grants the attacker privileged read-write access to sensitive user configuration data, desktop settings, and environment variables.
## Exploitation
- **Status**: PoC available (Technically a "partial" PoC; zero-day status).
- **Complexity**: High (The public PoC is intentionally stripped back/limited; weaponization requires reversing the missing components).
- **Attack Vector**: Local (Requires an existing foothold on the machine).
## Impact
- **Confidentiality**: High (Access to other users' private registry hives and potentially credentials).
- **Integrity**: Medium (Allows modification of other users' registry settings/environment).
- **Availability**: Low (Primary impact is escalation and data access rather than system denial).
## Remediation
### Patches
- **None**: As of the report date, there is no official patch from Microsoft. The vulnerability was disclosed immediately after the July Patch Tuesday to maximize the "window of exposure."
### Workarounds
- **Strict Access Control**: Limit the ability of standard users to execute unapproved binaries.
- **Monitoring**: Increase auditing for unusual registry hive mounting activities, particularly involving `usrclass.dat`.
## Detection
- **Indicators of Compromise**: Monitoring for unexpected mounting of `usrclass.dat` or other user hives into a different user's `HKEY_CLASSES_ROOT`.
- **Detection methods**:
- Behavioral analysis of the `profsvc.dll` or `svchost.exe` (hosting `profsvc`) for unusual file handle requests to other user directories.
- Audit logs for registry hive loading events (Event ID 4657 or similar registry monitoring).
## References
- **Microsoft Documentation on Registry Hives**: hxxps[://]learn[.]microsoft[.]com/en-us/windows/win32/sysinfo/registry-hives
- **Original Report**: hxxps[://]www[.]theregister[.]com/2026/07/15/legacyhive_zero_day_microsoft/ [Hypothetical/Defanged based on context]