Intelligence / TIPublic intelligence

LegacyHive mounts another user's Windows registry hive through path switching

A stripped proof of concept redirects Windows profile loading through Object Manager paths to mount a target user's UsrClass.dat hive from a standard-user context.

Published
2026-07-16
Reading time
7 min read

Operational layer / Use first

Detection & hunt kit

Deployable logic, required telemetry, and review state. Expand an artifact without leaving the intelligence report.

01 / DetectionWindows User Hive File Created Outside a User Profile PathDetects creation of ntuser.dat or UsrClass.dat outside a path containing the Windows Users directory. This behavior covers staging used by LegacyHive and similar copying of user registry hives into temporary or shared system locations.high / stableView detailsMinimize
Use
Detection
Confidence state
stable
Priority
high
ATT&CK
T1005

Required telemetry

category
file_event
product
windows
Sigma sourceInline / YAML
title: Windows User Hive File Created Outside a User Profile Path
id: 8fb9b2ee-cfa3-4c83-a4bc-b403c5a0cff7
status: stable
author: FRAME ZERO
date: 2026-07-16
description: Detects creation of ntuser.dat or UsrClass.dat outside a path containing the Windows Users directory. This behavior covers staging used by LegacyHive and similar copying of user registry hives into temporary or shared system locations.
references:
  - https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
  - https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
  category: file_event
  product: windows
detection:
  selection_hive:
    TargetFilename|endswith:
      - '\ntuser.dat'
      - '\UsrClass.dat'
  filter_profile_path:
    TargetFilename|contains: '\Users\'
  condition: selection_hive and not filter_profile_path
falsepositives:
  - Approved profile backup, migration, repair, or forensic acquisition tools that copy user registry hives outside their normal profile paths
  - Endpoint security or support tooling that temporarily stages hive files for offline inspection
level: high
tags:
  - attack.collection
  - attack.t1005
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
  - File telemetry records creation or copying of registry hive files with the complete destination path and initiating process.
  - Analysts can identify the creating user, process signer, destination permissions, and nearby profile activity.
02 / DetectionUser Local AppData Redirected to the Object Manager NamespaceDetects a live registry change that redirects the current user's Local AppData shell folder into the BaseNamedObjects Restricted namespace. The released LegacyHive proof of concept makes this edit offline, so the rule is intended to cover live-edit variants.high / stableView detailsMinimize
Use
Detection
Confidence state
stable
Priority
high
ATT&CK
T1112

Required telemetry

category
registry_set
product
windows
Sigma sourceInline / YAML
title: User Local AppData Redirected to the Object Manager Namespace
id: bccc802b-83a1-4dae-a4bc-c7875afb9d23
status: stable
author: FRAME ZERO
date: 2026-07-16
description: Detects a live registry change that redirects the current user's Local AppData shell folder into the BaseNamedObjects Restricted namespace. The released LegacyHive proof of concept makes this edit offline, so the rule is intended to cover live-edit variants.
references:
  - https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
  - https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
  category: registry_set
  product: windows
detection:
  selection_value:
    TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData'
  selection_redirect:
    Details|contains: '\GlobalRoot\BaseNamedObjects\Restricted'
  condition: selection_value and selection_redirect
falsepositives:
  - Authorized compatibility testing or security research that deliberately redirects shell folders through the Windows Object Manager namespace
  - Specialized application virtualization or profile tooling with a documented Object Manager based redirection design
level: high
tags:
  - attack.defense-evasion
  - attack.t1112
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
  - Registry-set telemetry records the complete target value path and the newly written data.
  - Offline edits to ntuser.dat are not visible to this rule and require file telemetry or later hive-difference analysis.
03 / Threat huntAccess to Windows User Profile Hive FilesHunts audited Windows object-access events for ntuser.dat or UsrClass.dat. Compare the subject account with the username in the object path and correlate explicit-credential use, logon, and process creation in the same short window before escalation.medium / experimentalView detailsMinimize
Use
Threat hunt
Confidence state
experimental
Priority
medium
Review after
2026-08-15

Required telemetry

product
windows
service
security

ATT&CK / T1005

Sigma sourceInline / YAML
title: Access to Windows User Profile Hive Files
id: 820e3bb8-7fae-4986-a897-ba38b97c140f
status: experimental
author: FRAME ZERO
date: 2026-07-16
description: Hunts audited Windows object-access events for ntuser.dat or UsrClass.dat. Compare the subject account with the username in the object path and correlate explicit-credential use, logon, and process creation in the same short window before escalation.
references:
  - https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
  - https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4663
    ObjectName|endswith:
      - '\ntuser.dat'
      - '\AppData\Local\Microsoft\Windows\UsrClass.dat'
  condition: selection
falsepositives:
  - Normal Windows profile loading and unloading activity
  - Authorized backup, migration, forensic acquisition, endpoint security, or support tooling that accesses user hive files
  - Administrators investigating or repairing a user profile
level: medium
tags:
  - attack.collection
  - attack.t1005
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
  - SACLs are narrowly configured on ntuser.dat and UsrClass.dat to produce Windows Security event 4663 without excessive noise.
  - Event records preserve SubjectUserName, ObjectName, access type, process context, and logon identifiers for cross-user comparison.
  - Analysts can correlate event IDs 4648, 4624, and 4688 within the same short time window.

Analysis

NightmareEclipse published LegacyHive after Microsoft's July 2026 Patch Tuesday. The stripped proof of concept uses Windows Object Manager path resolution and an opportunistic lock to mount a target user's UsrClass.dat hive in another standard user's registry context. The researcher states that it works on supported Windows desktop and server installations with the July 2026 patches. ThreatLocker reproduced and documented the sequence, while independent researchers Kevin Beaumont and Will Dormann confirmed that the released exploit works and remains unpatched.

The released code requires credentials for a helper account, a target username, and additional compilation steps. It exposes application data, Windows Explorer history, and other forensic artifacts in the mounted hive. The public proof of concept stops at hive access; it does not expose password hashes or provide an immediate SYSTEM shell. Administrator classes-hive access is a potentially useful post-compromise primitive. Dormann noted that an attacker could use the access to influence behavior when the administrator logs on or combine it with another weakness. The supplied evidence does not establish an exploitation campaign.

Microsoft told The Hacker News and Ars Technica that it is investigating the report. As of 16 July 2026, the evidence contains no CVE identifier, security advisory, patch, or vendor mitigation specific to LegacyHive.

A helper profile establishes the redirected path

LegacyHive creates a randomly named GUID directory directly below C:\. It grants Everyone GENERIC_ALL access to that staging directory and uses it for temporary copies of ntuser.dat and UsrClass.dat.

The code resolves NtCreateDirectoryObjectEx and NtCreateSymbolicLinkObject from ntdll.dll. It creates Object Manager directories below \BaseNamedObjects\Restricted, including a GUID-named shadow directory and a Microsoft directory. A Windows symbolic link initially points path resolution toward the GUID staging directory. The shadow directory provides a second route to the target user's real AppData\Local\Microsoft\Windows directory.

The process authenticates with the supplied helper credentials and impersonates that account. It reads the helper user's ntuser.dat into memory as a backup. The Offline Registry Library then changes the helper profile's Local AppData value under Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders to \\.\GlobalRoot\BaseNamedObjects\Restricted. The modified hive is saved in the staging directory and replaces the helper user's original ntuser.dat.

That edit redirects normal profile path construction into the Object Manager namespace. A request for %LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat reaches the attacker-controlled directory and symbolic-link structure instead of following the expected profile path directly.

An oplock switches the hive target during profile loading

LegacyHive copies the helper user's legitimate UsrClass.dat into the GUID directory and places a batch oplock on the copy. It then calls CreateProcessWithLogonW with LOGON_WITH_PROFILE, which asks Windows to load the helper user's profile hives.

The redirected path reaches the staged UsrClass.dat and triggers the oplock. While profile loading is paused, the code closes the symbolic link that points to the staging directory. Path resolution then falls through the shadow directory to C:\Users\<target>\AppData\Local\Microsoft\Windows\UsrClass.dat. Releasing the oplock lets profile loading continue against the target file, which Windows mounts in the helper account's classes-root context.

The proof of concept later restores the helper user's original ntuser.dat, deletes the staged hive files, and removes the temporary directory. This cleanup reduces the value of point-in-time inspection and makes short-window event correlation important.

Durable detections cover staging and path redirection

The first included Sigma rule detects ntuser.dat or UsrClass.dat created outside a path containing \Users\. It covers the released proof of concept's root-level staging and similar copies under temporary or shared system directories. Backup, migration, forensic, and profile-repair tools can produce the same behavior, so analysts must identify the creating process, user, destination permissions, and nearby profile activity.

The second durable rule detects a live registry-set event that redirects Local AppData to \GlobalRoot\BaseNamedObjects\Restricted. It can cover variants that change the value through the live registry. The released proof of concept edits the hive offline and may not generate that registry-set event, so this analytic complements the file-staging rule instead of replacing it.

The experimental hunt selects Windows Security event 4663 records for access to ntuser.dat and UsrClass.dat. Analysts should compare the subject account with the username in the object path, then correlate event IDs 4648, 4624, and 4688 in the same short window. Profile loading, backup, endpoint security, migration, and support activity are expected sources of matches. The hunt requires SACLs on the protected files and remains exploratory until local baselines support tighter logic.

Telemetry and response priorities

Apply narrowly scoped auditing to C:\Users\*\ntuser.dat and C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat for writes, deletes, permission or ownership changes, replacement, and cross-user access. Retain Windows Security events 4648, 4624, 4688, 4663, and 4657 with enough identity and process context for correlation. File telemetry should record the creating process and complete target path, including short-lived files below C:\, %TEMP%, and %ProgramData%.

Investigations should look for a hive file created outside a profile, rapid replacement and restoration of ntuser.dat, explicit use of another local account, and access to a different user's UsrClass.dat within seconds. Preserve volatile and event evidence before remediation because the proof of concept removes its staging files during cleanup.

Microsoft has acknowledged the report. The collected evidence contains no advisory or patch guidance for LegacyHive. Existing controls should therefore focus on reducing unnecessary local account availability, protecting helper credentials, monitoring profile hives, and restricting untrusted local code execution. Ars also reports recommendations to restrict unnecessary local account creation and monitor the User Profile Service for unexpected hive loads. A match to a path, API name, or event ID alone does not establish exploitation.

Scope and limitations

The researcher repository and ThreatLocker analysis establish the behavior of the released proof of concept. Independent reporting adds validation from two vulnerability researchers and Microsoft's acknowledgment. The evidence does not establish active exploitation, affected organizations, a CVE identifier, a patch, or a complete privilege-escalation chain. The public code is deliberately reduced, requires helper credentials and additional build work, and is limited to UsrClass.dat. Claims that other hives can be mounted describe the researcher's unreleased version rather than behavior demonstrated by the public code.

The two durable rules cover visible staging and a possible live-registry variant. They do not observe Object Manager operations directly, prove that the subject accessed another user's data, or detect an offline hive edit when file telemetry is absent. The experimental hunt depends on SACL-backed object-access events and analyst comparison of identities and paths. The reported values have no per-value observation times and describe a proof of concept rather than campaign infrastructure.

Reported IOCs

View detailsMinimize

The values below are code artifacts, local path patterns, APIs, and telemetry pivots from the released proof of concept and ThreatLocker's analysis. They are not observed campaign infrastructure. Neither source supplies per-value observation times. Defenders should validate them against local event timing and expected administrative activity.

ValueTypeContext
C:\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\File path patternGUID-named staging directory created below the system drive root
C:\<GUID>\ntuser.datFile path patternModified helper-user hive saved in staging
C:\<GUID>\UsrClass.datFile path patternDecoy helper-user hive used to trigger the oplock
C:\Users\<secondary account>\ntuser.datFile path patternHelper profile hive replaced and later restored
C:\Users\<target>\AppData\Local\Microsoft\Windows\UsrClass.datFile path patternTarget hive selected after the path switch
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell FoldersRegistry keyOffline-edited helper profile key
Local AppDataRegistry valueValue redirected into the Object Manager namespace
\\.\GlobalRoot\BaseNamedObjects\RestrictedObject Manager pathReplacement value used for Local AppData
\BaseNamedObjects\Restricted\MicrosoftObject Manager pathDirectory containing the first Windows symbolic link
\BaseNamedObjects\Restricted\{GUID}Object Manager path patternGUID shadow directory used for fallback resolution
Hive loaded, press any key to unload and exit.Program stringSuccess message in the released proof of concept
oplock triggered !Program stringMessage emitted when the decoy hive oplock fires
NtCreateDirectoryObjectExWindows APICreates Object Manager directory objects
NtCreateSymbolicLinkObjectWindows APICreates Object Manager symbolic links
CreateProcessWithLogonWWindows APIStarts a process while requesting helper profile loading
LogonUserWindows APIAuthenticates the helper account
ImpersonateLoggedOnUserWindows APIChanges the thread context to the helper account
RegOpenUserClassesRootWindows APIChecks the loaded classes-root hive
OROpenHiveByHandleOffline Registry APIOpens the helper hive for offline editing
OROpenKeyOffline Registry APIOpens the User Shell Folders key
ORSetValueOffline Registry APIChanges Local AppData
ORSaveHiveOffline Registry APISaves the modified helper hive
4648Windows event IDExplicit credentials used; correlate the account and source process
4624Windows event IDSuccessful logon; correlate the resulting session
4688Windows event IDProcess creation; review parent, child, user, and command line
4663Windows event IDObject access to audited profile hive files
4657Windows event IDRegistry value modification; may cover live variants rather than the offline edit
TL.EV.1827ThreatLocker policyVendor detection identified in the analysis

Sources

Evidence register
  1. Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesdaysecondary
  2. LegacyHive: Video demo and analysis of Windows 0-day from NightmareEclipseresearch
  3. Windows 0-day drops the same day Microsoft releases record number of patchessecondary
  4. LegacyHive: Windows user profile service arbitrary hive load elevation of privileges vulnerabilityprimary