ReadDirectoryChangesW() API function doesn't check user's privileges for subtree folders, making it's possible for unprivileged user to gather information about sensitive files.
vulners.com/securityvulns/securityvulns:doc:16139