“If I can set up the system so that it runs my code when the admin user logs in,” the attacker has de facto administrator privileges, Will Dormann, a senior principal vulnerability analyst at Tharros Labs, said in an interview. “I don’t need to be an admin myself.”
In a post, he said that “the ability of a non-admin user to be able to modify the classes registry hive of an admin user is a pretty powerful primitive. Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don’t even require user interaction.”
Dormann said that the exploit could possibly be chained to a separate one that gives direct access to an administrative account.
As explained in a post by a different analyst: “When a new user is logging on, Windows needs to load the user’s class hive. Since the user isn’t logged on before logging on (tautology, I know), it can’t be loaded in the context of the user. So it is loaded in the context of NT AUTHORITYSYSTEM. LegacyHive abuses this.”
Microsoft didn’t immediately respond to an email asking if it was aware of the zero-day or had plans to fix the underlying vulnerability.
For now, Windows users who want to protect their systems against HiveLegacy can run a detection script published by independent researcher Kevin Beaumont. Other defenses are to restrict local non-user account creation, monitor ProfSvc for unexpected hive loads, and track NTUSER.DAT/UsrClass.dat activity.










