VYPR
researchPublished Jul 15, 2026· 1 source

LegacyHive 0-Day Allows Standard Windows Users to Load Arbitrary Registry Hives

A newly disclosed proof-of-concept exploit, LegacyHive, targets a Windows User Profile Service vulnerability, enabling standard users to load other users' registry hives and potentially escalate privileges.

A critical elevation-of-privilege vulnerability has been detailed through a proof-of-concept exploit named LegacyHive. This exploit targets the Windows User Profile Service, allowing a standard user to load another user's registry hive under their own registry classes root. Registry hives are crucial files that store configuration data for Windows, its services, applications, and user profiles. Improper access or manipulation of these hives can lead to significant security risks, including unauthorized access and privilege escalation.

The LegacyHive proof-of-concept, developed by researcher Nightmare-Eclipse, reportedly functions on all supported Windows desktop and server versions, even those with the July 2026 security updates installed. To mitigate immediate abuse, the publicly released exploit has been intentionally restricted. It requires credentials for a second standard user and the username of a third account, which could be an administrator. The exploit's source code and documentation were made available on GitHub shortly before its public disclosure.

When successfully executed, the target account's user hive is mounted within the current user's classes registry location. The original, unrestricted technique, as described by the researcher, did not require additional user credentials and was not limited to the UsrClass.dat hive, which typically holds file associations, shell settings, and COM configurations. The public version was simplified, but the underlying vulnerability allows for the loading of arbitrary hives.

This behavior is highly security-sensitive because registry hives contain critical values that dictate how Windows launches software, resolves COM objects, handles file types, and applies user-specific settings. An attacker who can manipulate the loading context of a privileged user's hive could uncover additional pathways for privilege escalation based on the system's local configuration and accessible registry data.

As of the disclosure, there is no specific CVE number assigned, nor has Microsoft issued an official advisory or patch directly addressing the LegacyHive vulnerability. Its reported compatibility with systems patched in July 2026 indicates that organizations should not assume that standard monthly security updates will resolve this particular issue.

Windows administrators are strongly advised to implement several security measures. These include restricting local access to only trusted users, diligently monitoring for any unusual profile-loading activities, and reviewing endpoint telemetry for unexpected accesses to user profile registry files such as NTUSER.DAT and UsrClass.dat. Security teams should also stay vigilant for official responses from Microsoft and conduct any testing of the proof-of-concept exploit exclusively within isolated and authorized environments.

The emergence of LegacyHive underscores the persistent risks posed by local privilege-escalation vulnerabilities within Windows. Exploits targeting core services responsible for managing user profile data remain a significant concern for system security, highlighting the need for continuous vigilance and prompt patching.

Synthesized by Vypr AI