From c17211a7fc1dc7b014ba7d86088639950d85a201 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 17 Mar 2026 02:01:27 +0000 Subject: [PATCH] Add content from: RIP RegPwn --- src/SUMMARY.md | 1 + .../README.md | 6 ++ ...cessibility-registry-propagation-regpwn.md | 83 +++++++++++++++++++ .../uiaccess-admin-protection-bypass.md | 8 ++ 4 files changed, 98 insertions(+) create mode 100644 src/windows-hardening/windows-local-privilege-escalation/secure-desktop-accessibility-registry-propagation-regpwn.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 7f03a949a0b..8238d566b4f 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -279,6 +279,7 @@ - [Semanagevolume Perform Volume Maintenance Tasks](windows-hardening/windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md) - [Service Triggers](windows-hardening/windows-local-privilege-escalation/service-triggers.md) - [Telephony Tapsrv Arbitrary Dword Write To Rce](windows-hardening/windows-local-privilege-escalation/telephony-tapsrv-arbitrary-dword-write-to-rce.md) + - [Secure Desktop Accessibility Registry Propagation LPE (RegPwn)](windows-hardening/windows-local-privilege-escalation/secure-desktop-accessibility-registry-propagation-regpwn.md) - [Uiaccess Admin Protection Bypass](windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md) - [Windows C Payloads](windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md) - [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md) diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index 6d063ff500a..3c15630f25f 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md 
@@ -50,6 +50,12 @@ UIAccess processes launched through `RAiLaunchAdminProcess` can be abused to rea uiaccess-admin-protection-bypass.md {{#endref}} +Secure Desktop accessibility registry propagation can be abused for an arbitrary SYSTEM registry write (RegPwn): + +{{#ref}} +secure-desktop-accessibility-registry-propagation-regpwn.md +{{#endref}} + ## System Info ### Version info enumeration diff --git a/src/windows-hardening/windows-local-privilege-escalation/secure-desktop-accessibility-registry-propagation-regpwn.md b/src/windows-hardening/windows-local-privilege-escalation/secure-desktop-accessibility-registry-propagation-regpwn.md new file mode 100644 index 00000000000..bddf080a139 --- /dev/null +++ b/src/windows-hardening/windows-local-privilege-escalation/secure-desktop-accessibility-registry-propagation-regpwn.md 
@@ -0,0 +1,83 @@ +# Secure Desktop Accessibility Registry Propagation LPE (RegPwn) + +{{#include ../../banners/hacktricks-training.md}} + +## Overview + +Windows Accessibility features persist user configuration under HKCU and propagate it into per-session HKLM locations. During a **Secure Desktop** transition (lock screen or UAC prompt), **SYSTEM** components re-copy these values. If the **per-session HKLM key is writable by the user**, it becomes a privileged write choke point that can be redirected with **registry symbolic links**, yielding an **arbitrary SYSTEM registry write**. + +The RegPwn technique abuses that propagation chain with a small race window stabilized via an **opportunistic lock (oplock)** on a file used by `osk.exe`. + +## Registry Propagation Chain (Accessibility -> Secure Desktop) + +Example feature: **On-Screen Keyboard** (`osk`). The relevant locations are: + +- **System-wide feature list**: + - `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs` +- **Per-user configuration (user-writable)**: + - `HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk` +- **Per-session HKLM config (created by `winlogon.exe`, user-writable)**: + - `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session\ATConfig\osk` +- **Secure desktop/default user hive (SYSTEM context)**: + - `HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk` + +Propagation during a secure desktop transition (simplified): + +1. **User `atbroker.exe`** copies `HKCU\...\ATConfig\osk` to `HKLM\...\Session\ATConfig\osk`. +2. **SYSTEM `atbroker.exe`** copies `HKLM\...\Session\ATConfig\osk` to `HKU\.DEFAULT\...\ATConfig\osk`. +3. **SYSTEM `osk.exe`** copies `HKU\.DEFAULT\...\ATConfig\osk` back to `HKLM\...\Session\ATConfig\osk`. + +If the session HKLM subtree is writable by the user, step 2/3 provide a SYSTEM write through a location the user can replace. 
+ +## Primitive: Arbitrary SYSTEM Registry Write via Registry Links + +Replace the user-writable per-session key with a **registry symbolic link** that points to an attacker-chosen destination. When the SYSTEM copy occurs, it follows the link and writes attacker-controlled values into the arbitrary target key. + +Key idea: + +- Victim write target (user-writable): + - `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session\ATConfig\osk` +- Attacker replaces that key with a **registry link** to any other key. +- SYSTEM performs the copy and writes into the attacker-chosen key with SYSTEM permissions. + +This yields an **arbitrary SYSTEM registry write** primitive. + +## Winning the Race Window with Oplocks + +There is a short timing window between **SYSTEM `osk.exe`** starting and writing the per-session key. To make it reliable, the exploit places an **oplock** on: + +``` +C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml +``` + +When the oplock triggers, the attacker swaps the per-session HKLM key for a registry link, lets the SYSTEM write land, then removes the link. + +## Example Exploitation Flow (High Level) + +1. Get current **session ID** from the access token. +2. Start a hidden `osk.exe` instance and sleep briefly (ensure the oplock will trigger). +3. Write attacker-controlled values to: + - `HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk` +4. Set an **oplock** on `C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml`. +5. Trigger **Secure Desktop** (`LockWorkstation()`), causing SYSTEM `atbroker.exe` / `osk.exe` to start. +6. On oplock trigger, replace `HKLM\...\Session\ATConfig\osk` with a **registry link** to an arbitrary target. +7. Wait briefly for the SYSTEM copy to complete, then remove the link. 
+ +## Converting the Primitive to SYSTEM Execution + +One straightforward chain is to overwrite a **service configuration** value (e.g., `ImagePath`) and then start the service. The RegPwn PoC overwrites the `ImagePath` of **`msiserver`** and triggers it by instantiating the **MSI COM object**, resulting in **SYSTEM** code execution. + +## Related + +For other Secure Desktop / UIAccess behaviors, see: + +{{#ref}} +uiaccess-admin-protection-bypass.md +{{#endref}} + +## References + +- [RIP RegPwn](https://www.mdsec.co.uk/2026/03/rip-regpwn/) +- [RegPwn PoC](https://github.com/mdsecactivebreach/RegPwn) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md b/src/windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md index 240e78534f9..0cd5fac940d 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md +++ b/src/windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md @@ -52,6 +52,14 @@ Get-AccessibleFile -Win32Path $paths -Access Execute,WriteData ` - Run as Administrator for broader visibility; set `-ProcessId` to a low-priv process to mirror that token’s access. - Filter manually to exclude known disallowed subdirectories before using candidates with `RAiLaunchAdminProcess`. +## Related + +Secure Desktop accessibility registry propagation LPE (RegPwn): + +{{#ref}} +secure-desktop-accessibility-registry-propagation-regpwn.md +{{#endref}} + ## References - [Bypassing Administrator Protection by Abusing UI Access](https://projectzero.google/2026/02/windows-administrator-protection.html) - [GetProcessHandleFromHwnd (GPHFH) Deep Dive](https://projectzero.google/2026/02/gphfh-deep-dive.html)
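Review bot: the new SUMMARY.md entry is placed out of order. The surrounding list is alphabetical (Semanagevolume, Service Triggers, Telephony, Uiaccess, Windows C Payloads), so `- [Secure Desktop Accessibility Registry Propagation LPE (RegPwn)](...)` belongs before the Semanagevolume entry, not between Telephony and Uiaccess. The label also departs from the filename-derived Title Case its neighbours use (e.g. `- [Uiaccess Admin Protection Bypass](...)`); pick one convention for the whole list.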
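Review bot: the new page secure-desktop-accessibility-registry-propagation-regpwn.md never says whether the issue is fixed or which Windows builds are affected, even though the cited write-up is titled "RIP RegPwn", which implies it has been addressed; the Overview should carry one line on fix status taken from that reference so a reader knows whether the precondition (a user-writable per-session HKLM key) still holds on a patched system. Two smaller points in the same file: in the Propagation Chain section, "step 2/3 provide a SYSTEM write" should read "steps 2 and 3 provide a SYSTEM write"; and the precondition itself is asserted but not shown, so a short ACL check of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session\ATConfig\osk` (for example `Get-Acl` on the HKLM: path in PowerShell) would let a reader confirm it, while a defender-facing sentence noting that registry-link creation under that key and a changed `ImagePath` on `msiserver` are the observable artefacts of this chain would round out the page.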