## https://sploitus.com/exploit?id=34578D73-B316-53C8-8C6A-F151AA8179BF
# Windows AppResolver LPE PoC
Proof of concept for an AppResolver authorization issue fixed in the July 2026 Windows security update and investigated in connection with CVE-2026-50454, a Windows User Interface Core elevation-of-privilege vulnerability.
The PoC starts from a normal, non-elevated process belonging to a local administrator and opens an interactive command prompt as `NT AUTHORITY\SYSTEM`. It does not demonstrate elevation from a standard, non-administrator account.
## Demo
[](media/cve50454.webm)
## Write-up
The full technical walkthrough is available at
[Windows AppResolver LPE: From AppContainer to SYSTEM](https://davidcarliez.github.io/blog/windows-appresolver-lpe-to-system/).
## Root cause
On vulnerable builds, `Windows.UI.Storage.dll` allows a zero-capability AppContainer to call the private `AppResolverActivationArgsFactory` without the required authorization check. The attacker supplies an AppResolver provider for the `ms-settings` protocol and calls `SetAsDefault`, causing Windows to create a valid protected association for the attacker's ProgID.
Launching the auto-elevated `fodhelper.exe` then invokes the registered handler with a High-integrity administrator token. The PoC uses that token to create a temporary service, whose process launches the final interactive SYSTEM shell.
The update adds capability checks for `applicationDefaults` or `shellExperience` before the factory creates the AppResolver object. A zero-capability AppContainer is rejected with `E_ACCESSDENIED` (`0x80070005`).
> **CVE attribution:** [Microsoft's public record for CVE-2026-50454](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50454) describes
> relative path traversal (CWE-23) leading to arbitrary system-file deletion.
> This PoC does not use relative path traversal and does not reproduce file
> deletion. It demonstrates a missing AppResolver capability check in the same
> component, fixed by the same update, with a reproducible vulnerable-versus-
> updated result. Without Microsoft's private case details, the exact
> root-cause attribution cannot be confirmed. This may be another consequence
> of the same issue, an adjacent issue fixed by the update, or a
> defense-in-depth change.
## Requirements
- x64 Windows 11 on a vulnerable build
- A local administrator account running a normal, non-elevated PowerShell window
- UAC and auto-elevation enabled
- An interactive console session
- No existing per-user `ms-settings` default association
- Visual Studio or Visual Studio Build Tools with Desktop development with C++ and a Windows SDK
Validated on Windows 11 25H2 build `26200.8737` with `Windows.UI.Storage.dll` version `10.0.26100.8737`. Build `26200.8875` rejects the trigger.
## Usage
Open a normal PowerShell window. Do not use **Run as administrator**.
```powershell
.\build.ps1
Set-ExecutionPolicy -Scope Process Bypass
.\run.ps1
```
A Command Prompt titled `CVE-2026-50454 SYSTEM Shell` should open. Verify the token inside it:
```cmd
whoami
whoami /groups
```
Expected identity:
```text
nt authority\system
```
Close the SYSTEM Command Prompt manually when finished. The scripts remove the temporary service, protocol registration, protected association, and AppContainer profile during normal cleanup.
## Build
The repository contains source code only. `build.ps1` discovers an installed Visual Studio toolchain and builds the three required x64 executables:
```powershell
.\build.ps1
```
Generated `.exe`, `.obj`, and `.pdb` files are excluded from version control.
## Fixed behavior
On a patched build, the trigger log at `C:\Users\Public\CVE50454\appcontainer_result.txt` should contain:
```text
CREATE_ARGS_HRESULT=0x80070005
```
No protected `ms-settings` association or elevated process should be created.