A freshly disclosed Windows vulnerability nicknamed LegacyHive (also circulating under the name MSNightmare) gives a standard, non-administrator user a route to interfere with an administrator account’s registry data — and potentially ride that access all the way to admin-level code execution. No patch exists yet, and Microsoft says it is still evaluating the claims.
A Weakness in How Windows Loads Profiles
The bug lives in the Windows User Profile Service, known as ProfSvc, the background component responsible for mounting and unmounting a user’s registry hive whenever they log on or off. Each Windows account carries a hive file called UsrClass.dat that stores per-user application settings and file-type associations, and it is normally accessible only to that account.
According to the public proof-of-concept published by the MSNightmare research account on GitHub, LegacyHive tricks ProfSvc into loading another user’s UsrClass.dat hive into the attacker’s own session, under their own HKEY_CLASSES_ROOT. In effect, a second user’s private configuration data becomes visible and, more importantly, writable from an account that should have no business touching it.
From Read Access to Code Execution
Security researcher Will Dormann walked through a practical demonstration of the flaw. By running the LegacyHive tool while supplying the credentials of a second standard account and specifying the name of an administrator account, then launching the Registry Editor as that second user, a non-admin can reach directly into the admin’s Classes hive.
On its own, simply viewing that hive is not catastrophic — it does not hand over password hashes or credentials directly. The real danger is what a non-admin can quietly change once they have write access. Dormann showed that an attacker could remap something as simple as the .txt file association, swapping a text editor for calc.exe as a proof of concept.
Taken further, the same access lets an attacker overwrite COM objects or shell extensions that the administrator’s account loads automatically at sign-in. Because those components execute in the context of a legitimate admin session on the machine the admin actually uses, malicious code triggered this way runs with administrator privileges and looks like normal activity from that account — making it considerably harder for endpoint detection tools to flag as an attack.
How Attackers Get There
Reverse-engineering of the tool’s behavior, using process-monitoring utilities, shows the exploit initially attempts to open the target’s UsrClass.dat directly and receives an access-denied response, exactly as expected for a protected file. The interesting part is what happens next: a follow-up attempt made under an impersonated NT AUTHORITY\SYSTEM context succeeds, and the hive stays mounted and reachable to the attacker’s account afterward.
That pattern — using kernel-level impersonation and timing quirks around file or registry operations to sidestep access controls — echoes techniques documented in prior research into arbitrary file creation and classes-hive hijacking. LegacyHive appears to apply the same underlying trick specifically against ProfSvc.
The publicly released proof-of-concept is intentionally limited: it needs credentials for a second standard account, only targets the UsrClass.dat hive, and leaves out more generalized hive-loading logic. The researcher has indicated that the original, fuller exploit did not require a second account’s credentials at all and could coerce ProfSvc into loading arbitrary hives with SYSTEM-level impersonation, suggesting the real-world impact could be broader than what has been made public.
Who Is Affected and What to Do
Notably, LegacyHive reportedly still works against every currently supported Windows desktop and server edition, even after Microsoft’s July 2026 Patch Tuesday update, which addressed hundreds of other CVEs. No dedicated CVE identifier or security bulletin has been assigned to this issue at the time of writing. Microsoft’s public position is that it is aware of the report and investigating the claims, but organizations have no official fix to apply today.
Because exploitation requires the attacker to already have local access to a machine along with at least one non-admin account, this is a post-compromise privilege escalation risk rather than a remotely exploitable one. That does lower the bar for who can realistically be affected, but it remains highly relevant for shared workstations, terminal servers, and any environment where multiple people log into the same machine.
Until an official patch ships, defenders have a handful of practical mitigations available:
- Restrict interactive local logon rights for privileged accounts wherever possible.
- Segment administrator workstations away from systems used by standard, less-trusted accounts.
- Increase monitoring around unexpected modifications to registry hives, especially Classes and COM registration changes on admin profiles.
- Treat any system where LegacyHive or related MSNightmare-published tools are found as potentially already compromised, given the researcher’s track record of releasing working exploits against fully patched builds.
Given the researcher’s history with similar disclosures, security teams should not wait for an assigned CVE number before beginning to harden exposed systems against this technique.
Leave a Reply