LegacyHive mounts another user's Windows registry hive through path switching
A stripped proof of concept redirects Windows profile loading through Object Manager paths to mount a target user's UsrClass.dat hive from a standard-user context.
- 2026-07-16
- 7 min read
Operational layer / Use first
Detection & hunt kit
Deployable logic, required telemetry, and review state. Expand an artifact without leaving the intelligence report.
01 / DetectionWindows User Hive File Created Outside a User Profile PathDetects creation of ntuser.dat or UsrClass.dat outside a path containing the Windows Users directory. This behavior covers staging used by LegacyHive and similar copying of user registry hives into temporary or shared system locations.high / stableView detailsMinimize
- Use
- Detection
- Confidence state
- stable
- Priority
- high
- ATT&CK
- T1005
Required telemetry
- category
- file_event
- product
- windows
title: Windows User Hive File Created Outside a User Profile Path
id: 8fb9b2ee-cfa3-4c83-a4bc-b403c5a0cff7
status: stable
author: FRAME ZERO
date: 2026-07-16
description: Detects creation of ntuser.dat or UsrClass.dat outside a path containing the Windows Users directory. This behavior covers staging used by LegacyHive and similar copying of user registry hives into temporary or shared system locations.
references:
- https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
- https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
category: file_event
product: windows
detection:
selection_hive:
TargetFilename|endswith:
- '\ntuser.dat'
- '\UsrClass.dat'
filter_profile_path:
TargetFilename|contains: '\Users\'
condition: selection_hive and not filter_profile_path
falsepositives:
- Approved profile backup, migration, repair, or forensic acquisition tools that copy user registry hives outside their normal profile paths
- Endpoint security or support tooling that temporarily stages hive files for offline inspection
level: high
tags:
- attack.collection
- attack.t1005
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
- File telemetry records creation or copying of registry hive files with the complete destination path and initiating process.
- Analysts can identify the creating user, process signer, destination permissions, and nearby profile activity.
02 / DetectionUser Local AppData Redirected to the Object Manager NamespaceDetects a live registry change that redirects the current user's Local AppData shell folder into the BaseNamedObjects Restricted namespace. The released LegacyHive proof of concept makes this edit offline, so the rule is intended to cover live-edit variants.high / stableView detailsMinimize
- Use
- Detection
- Confidence state
- stable
- Priority
- high
- ATT&CK
- T1112
Required telemetry
- category
- registry_set
- product
- windows
title: User Local AppData Redirected to the Object Manager Namespace
id: bccc802b-83a1-4dae-a4bc-c7875afb9d23
status: stable
author: FRAME ZERO
date: 2026-07-16
description: Detects a live registry change that redirects the current user's Local AppData shell folder into the BaseNamedObjects Restricted namespace. The released LegacyHive proof of concept makes this edit offline, so the rule is intended to cover live-edit variants.
references:
- https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
- https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
category: registry_set
product: windows
detection:
selection_value:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData'
selection_redirect:
Details|contains: '\GlobalRoot\BaseNamedObjects\Restricted'
condition: selection_value and selection_redirect
falsepositives:
- Authorized compatibility testing or security research that deliberately redirects shell folders through the Windows Object Manager namespace
- Specialized application virtualization or profile tooling with a documented Object Manager based redirection design
level: high
tags:
- attack.defense-evasion
- attack.t1112
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
- Registry-set telemetry records the complete target value path and the newly written data.
- Offline edits to ntuser.dat are not visible to this rule and require file telemetry or later hive-difference analysis.
03 / Threat huntAccess to Windows User Profile Hive FilesHunts audited Windows object-access events for ntuser.dat or UsrClass.dat. Compare the subject account with the username in the object path and correlate explicit-credential use, logon, and process creation in the same short window before escalation.medium / experimentalView detailsMinimize
- Use
- Threat hunt
- Confidence state
- experimental
- Priority
- medium
- Review after
- 2026-08-15
Required telemetry
- product
- windows
- service
- security
ATT&CK / T1005
title: Access to Windows User Profile Hive Files
id: 820e3bb8-7fae-4986-a897-ba38b97c140f
status: experimental
author: FRAME ZERO
date: 2026-07-16
description: Hunts audited Windows object-access events for ntuser.dat or UsrClass.dat. Compare the subject account with the username in the object path and correlate explicit-credential use, logon, and process creation in the same short window before escalation.
references:
- https://www.threatlocker.com/blog/legacyhive-video-demo-and-analysis-of-windows-0-day-from-nightmareeclipse
- https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive
logsource:
product: windows
service: security
detection:
selection:
EventID: 4663
ObjectName|endswith:
- '\ntuser.dat'
- '\AppData\Local\Microsoft\Windows\UsrClass.dat'
condition: selection
falsepositives:
- Normal Windows profile loading and unloading activity
- Authorized backup, migration, forensic acquisition, endpoint security, or support tooling that accesses user hive files
- Administrators investigating or repairing a user profile
level: medium
tags:
- attack.collection
- attack.t1005
related_publication: legacyhive-windows-profile-hive-path-switching
telemetry_assumptions:
- SACLs are narrowly configured on ntuser.dat and UsrClass.dat to produce Windows Security event 4663 without excessive noise.
- Event records preserve SubjectUserName, ObjectName, access type, process context, and logon identifiers for cross-user comparison.
- Analysts can correlate event IDs 4648, 4624, and 4688 within the same short time window.
Analysis
NightmareEclipse published LegacyHive after Microsoft's July 2026 Patch Tuesday. The stripped proof of concept uses Windows Object Manager path resolution and an opportunistic lock to mount a target user's UsrClass.dat hive in another standard user's registry context. The researcher states that it works on supported Windows desktop and server installations with the July 2026 patches. ThreatLocker reproduced and documented the sequence, while independent researchers Kevin Beaumont and Will Dormann confirmed that the released exploit works and remains unpatched.
The released code requires credentials for a helper account, a target username, and additional compilation steps. It exposes application data, Windows Explorer history, and other forensic artifacts in the mounted hive. The public proof of concept stops at hive access; it does not expose password hashes or provide an immediate SYSTEM shell. Administrator classes-hive access is a potentially useful post-compromise primitive. Dormann noted that an attacker could use the access to influence behavior when the administrator logs on or combine it with another weakness. The supplied evidence does not establish an exploitation campaign.
Microsoft told The Hacker News and Ars Technica that it is investigating the report. As of 16 July 2026, the evidence contains no CVE identifier, security advisory, patch, or vendor mitigation specific to LegacyHive.
A helper profile establishes the redirected path
LegacyHive creates a randomly named GUID directory directly below C:\. It grants Everyone GENERIC_ALL access to that staging directory and uses it for temporary copies of ntuser.dat and UsrClass.dat.
The code resolves NtCreateDirectoryObjectEx and NtCreateSymbolicLinkObject from ntdll.dll. It creates Object Manager directories below \BaseNamedObjects\Restricted, including a GUID-named shadow directory and a Microsoft directory. A Windows symbolic link initially points path resolution toward the GUID staging directory. The shadow directory provides a second route to the target user's real AppData\Local\Microsoft\Windows directory.
The process authenticates with the supplied helper credentials and impersonates that account. It reads the helper user's ntuser.dat into memory as a backup. The Offline Registry Library then changes the helper profile's Local AppData value under Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders to \\.\GlobalRoot\BaseNamedObjects\Restricted. The modified hive is saved in the staging directory and replaces the helper user's original ntuser.dat.
That edit redirects normal profile path construction into the Object Manager namespace. A request for %LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat reaches the attacker-controlled directory and symbolic-link structure instead of following the expected profile path directly.
An oplock switches the hive target during profile loading
LegacyHive copies the helper user's legitimate UsrClass.dat into the GUID directory and places a batch oplock on the copy. It then calls CreateProcessWithLogonW with LOGON_WITH_PROFILE, which asks Windows to load the helper user's profile hives.
The redirected path reaches the staged UsrClass.dat and triggers the oplock. While profile loading is paused, the code closes the symbolic link that points to the staging directory. Path resolution then falls through the shadow directory to C:\Users\<target>\AppData\Local\Microsoft\Windows\UsrClass.dat. Releasing the oplock lets profile loading continue against the target file, which Windows mounts in the helper account's classes-root context.
The proof of concept later restores the helper user's original ntuser.dat, deletes the staged hive files, and removes the temporary directory. This cleanup reduces the value of point-in-time inspection and makes short-window event correlation important.
Durable detections cover staging and path redirection
The first included Sigma rule detects ntuser.dat or UsrClass.dat created outside a path containing \Users\. It covers the released proof of concept's root-level staging and similar copies under temporary or shared system directories. Backup, migration, forensic, and profile-repair tools can produce the same behavior, so analysts must identify the creating process, user, destination permissions, and nearby profile activity.
The second durable rule detects a live registry-set event that redirects Local AppData to \GlobalRoot\BaseNamedObjects\Restricted. It can cover variants that change the value through the live registry. The released proof of concept edits the hive offline and may not generate that registry-set event, so this analytic complements the file-staging rule instead of replacing it.
The experimental hunt selects Windows Security event 4663 records for access to ntuser.dat and UsrClass.dat. Analysts should compare the subject account with the username in the object path, then correlate event IDs 4648, 4624, and 4688 in the same short window. Profile loading, backup, endpoint security, migration, and support activity are expected sources of matches. The hunt requires SACLs on the protected files and remains exploratory until local baselines support tighter logic.
Telemetry and response priorities
Apply narrowly scoped auditing to C:\Users\*\ntuser.dat and C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat for writes, deletes, permission or ownership changes, replacement, and cross-user access. Retain Windows Security events 4648, 4624, 4688, 4663, and 4657 with enough identity and process context for correlation. File telemetry should record the creating process and complete target path, including short-lived files below C:\, %TEMP%, and %ProgramData%.
Investigations should look for a hive file created outside a profile, rapid replacement and restoration of ntuser.dat, explicit use of another local account, and access to a different user's UsrClass.dat within seconds. Preserve volatile and event evidence before remediation because the proof of concept removes its staging files during cleanup.
Microsoft has acknowledged the report. The collected evidence contains no advisory or patch guidance for LegacyHive. Existing controls should therefore focus on reducing unnecessary local account availability, protecting helper credentials, monitoring profile hives, and restricting untrusted local code execution. Ars also reports recommendations to restrict unnecessary local account creation and monitor the User Profile Service for unexpected hive loads. A match to a path, API name, or event ID alone does not establish exploitation.
Scope and limitations
The researcher repository and ThreatLocker analysis establish the behavior of the released proof of concept. Independent reporting adds validation from two vulnerability researchers and Microsoft's acknowledgment. The evidence does not establish active exploitation, affected organizations, a CVE identifier, a patch, or a complete privilege-escalation chain. The public code is deliberately reduced, requires helper credentials and additional build work, and is limited to UsrClass.dat. Claims that other hives can be mounted describe the researcher's unreleased version rather than behavior demonstrated by the public code.
The two durable rules cover visible staging and a possible live-registry variant. They do not observe Object Manager operations directly, prove that the subject accessed another user's data, or detect an offline hive edit when file telemetry is absent. The experimental hunt depends on SACL-backed object-access events and analyst comparison of identities and paths. The reported values have no per-value observation times and describe a proof of concept rather than campaign infrastructure.
Reported IOCs
View detailsMinimize
The values below are code artifacts, local path patterns, APIs, and telemetry pivots from the released proof of concept and ThreatLocker's analysis. They are not observed campaign infrastructure. Neither source supplies per-value observation times. Defenders should validate them against local event timing and expected administrative activity.
| Value | Type | Context |
|---|---|---|
C:\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\ | File path pattern | GUID-named staging directory created below the system drive root |
C:\<GUID>\ntuser.dat | File path pattern | Modified helper-user hive saved in staging |
C:\<GUID>\UsrClass.dat | File path pattern | Decoy helper-user hive used to trigger the oplock |
C:\Users\<secondary account>\ntuser.dat | File path pattern | Helper profile hive replaced and later restored |
C:\Users\<target>\AppData\Local\Microsoft\Windows\UsrClass.dat | File path pattern | Target hive selected after the path switch |
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Registry key | Offline-edited helper profile key |
Local AppData | Registry value | Value redirected into the Object Manager namespace |
\\.\GlobalRoot\BaseNamedObjects\Restricted | Object Manager path | Replacement value used for Local AppData |
\BaseNamedObjects\Restricted\Microsoft | Object Manager path | Directory containing the first Windows symbolic link |
\BaseNamedObjects\Restricted\{GUID} | Object Manager path pattern | GUID shadow directory used for fallback resolution |
Hive loaded, press any key to unload and exit. | Program string | Success message in the released proof of concept |
oplock triggered ! | Program string | Message emitted when the decoy hive oplock fires |
NtCreateDirectoryObjectEx | Windows API | Creates Object Manager directory objects |
NtCreateSymbolicLinkObject | Windows API | Creates Object Manager symbolic links |
CreateProcessWithLogonW | Windows API | Starts a process while requesting helper profile loading |
LogonUser | Windows API | Authenticates the helper account |
ImpersonateLoggedOnUser | Windows API | Changes the thread context to the helper account |
RegOpenUserClassesRoot | Windows API | Checks the loaded classes-root hive |
OROpenHiveByHandle | Offline Registry API | Opens the helper hive for offline editing |
OROpenKey | Offline Registry API | Opens the User Shell Folders key |
ORSetValue | Offline Registry API | Changes Local AppData |
ORSaveHive | Offline Registry API | Saves the modified helper hive |
4648 | Windows event ID | Explicit credentials used; correlate the account and source process |
4624 | Windows event ID | Successful logon; correlate the resulting session |
4688 | Windows event ID | Process creation; review parent, child, user, and command line |
4663 | Windows event ID | Object access to audited profile hive files |
4657 | Windows event ID | Registry value modification; may cover live variants rather than the offline edit |
TL.EV.1827 | ThreatLocker policy | Vendor detection identified in the analysis |
Sources
Evidence register- Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesdaysecondary
- LegacyHive: Video demo and analysis of Windows 0-day from NightmareEclipseresearch
- Windows 0-day drops the same day Microsoft releases record number of patchessecondary
- LegacyHive: Windows user profile service arbitrary hive load elevation of privileges vulnerabilityprimary