A newly public zero-day vulnerability in the Windows User Profile Service (ProfSvc) allows a standard user account to load another user’s registry hive—including an administrator’s—without needing any special privileges. The proof-of-concept code, called LegacyHive, was released on July 14, 2026, by researcher Nightmare-Eclipse, and has been confirmed to work on fully patched Windows systems after the July 2026 cumulative updates. With no official fix or CVE from Microsoft, organizations must treat this as an active, unpatched local privilege-escalation risk.
A Zero-Day That Slips Past July’s Patches
LegacyHive exploits a fundamental design trust in how Windows handles user profiles. The ProfSvc service, which runs with SYSTEM-level privileges, is responsible for loading and managing per-user registry hives—files like NTUSER.DAT and UsrClass.dat that store settings, COM registrations, and shell data. The attack leverages a mismatch between system-level file operations and paths that an attacker can influence.
According to SOC Prime’s technical analysis, the exploit chain involves three steps: first, an attacker modifies the Local AppData registry value to point to a location they control; second, they use Windows Object Manager symbolic links to redirect the file path; and finally, an opportunistic lock (oplock) on a decoy file creates a narrow timing window during which the link is swapped. When ProfSvc attempts to load a hive, it follows the manipulated path and ends up mounting a target user’s registry data—all while running as SYSTEM.
The public PoC, as verified by SecurityWeek, requires credentials for a second standard user account and then identifies a third target account (which can be an administrator). The result is that the target’s registry hive becomes available under the attacker’s own user profile. CrowdStrike noted that the released code was deliberately limited compared to the researcher’s claims, potentially restricting it to loading only UsrClass.dat rather than the full NTUSER.DAT. However, even that limited access can expose sensitive COM registration data and configuration details.
Crucially, the vulnerability was not introduced in July’s patches—those updates simply do not address it. Admins who have deployed the latest Patch Tuesday fixes are not protected against LegacyHive.
How a System Service Becomes an Attacker’s Assistant
At its core, LegacyHive is a classic “confused deputy” attack. The ProfSvc service has legitimate authority to load registry hives, but it can be tricked into exercising that authority on behalf of an unprivileged caller. The problem isn’t that ProfSvc mishandles a particular API call; it’s that the service implicitly trusts path information that a standard user can manipulate.
The Windows registry is a hierarchical database, and loading a hive means mapping a file on disk into a branch of the registry tree. ProfSvc performs this operation frequently during logons and profile operations. Under normal circumstances, the process is secure because the service resolves paths within the user’s own profile directory. LegacyHive breaks this assumption by inserting a detour—a symbolic link at a carefully timed moment—so that the resolved path points to another user’s hive.
The PoC demonstrates that this can be done without a race condition that depends on luck. The oplock acts as a precise trigger, freezing the file operation at exactly the right instant for the attacker to swap the symlink. Researchers have long warned that TOCTOU (time-of-check-to-time-of-use) vulnerabilities in privileged services are especially dangerous because they let low-privileged attackers leap across security boundaries.
Assessing Your Risk: It’s All About the Environment
For the average home user with a single account and no other local users, LegacyHive poses little direct risk. The attack requires multiple local accounts to pivot from one to another, and if you’re the only user, there’s no high-value target to reach. However, the initial foothold still matters: an attacker must run code on the machine first. That means phishing, malicious downloads, or browser exploits remain the primary infection vectors—LegacyHive merely amplifies the damage if any of those succeeds.
Power users and developers working on multi-user systems should take this seriously. If you share a workstation with other accounts, or if you use a machine that doubles as a test bed with different local profiles, the exploit could be used to jump from your account to someone else’s. Even a limited read of another user’s registry hive could expose stored credentials, application secrets, or configuration data that leads to further compromise.
For IT administrators, the threat is immediate and significant. Environments with shared desktops, Remote Desktop Session Host (RDSH) servers, jump boxes, VDI pools, or computer labs are prime targets. In these settings, a single compromised standard user account can become a vector for harvesting credentials from administrators who previously logged on, or for escalating to SYSTEM on a machine where sensitive management tools are installed. The fact that no patch exists forces a shift to detection and containment rather than prevention.
Microsoft Defender for Endpoint customers and others with EDR/SIEM tools should note that the July 2026 patch level is not a mitigation. Vulnerability scanners that rely on CVE IDs or KB numbers will not flag this issue, so tracking must be done manually by the vulnerability name, affected service, and behavioral indicators.
The Road to LegacyHive: A Vulnerable Intersection
The User Profile Service has been a trusted component of Windows for decades. Its design predates many modern security assumptions, and its operation as SYSTEM is a concession to the need to load and unload registry hives across multiple users—a task that inherently requires high privileges. Over the years, similar confused-deputy issues have appeared in other services; for example, the Windows Print Spooler has a long history of path-based privilege escalations.
LegacyHive was disclosed responsibly? The timeline is murky. The researcher published the PoC shortly after Microsoft’s July 2026 Patch Tuesday, suggesting either a failed coordination or a decision to release publicly when no fix was forthcoming. Microsoft has not commented or issued an advisory as of July 17, 2026. GovCERT.HK has already issued a high-threat alert, signaling that the vulnerability is being taken seriously by national cybersecurity agencies.
This silence from Microsoft puts defenders in a bind. The usual response to a zero-day—patch—is unavailable. Instead, the community must rely on threat intelligence sharing and vendor-independent mitigations.
Immediate Defensive Steps Until Microsoft Ships a Fix
Without a patch, containment depends on detecting the exploit’s side effects and preventing an attacker from running code in the first place. The following steps are drawn from SOC Prime’s recommendations and community best practices:
- Monitor for abnormal registry hive loads. Look for RegLoadKey operations where the source process is svchost.exe hosting the User Profile Service, and the target hive does not match an interactive logon. Unusual access to another user’s NTUSER.DAT or UsrClass.dat should raise an alert.
- Watch for suspicious object manager activity. The exploit creates symbolic links under \BaseNamedObjects\Restricted and manipulates directories in the Object Manager namespace. EDR telemetry that detects reparse-point creation, oplock usage, or unusual path patterns from standard-user processes is invaluable.
- Harden against local code execution. Even though LegacyHive is a post-compromise escalation, blocking the initial code run can break the attack chain. Application control—Windows Defender Application Control (WDAC) or AppLocker—prevents untrusted executables, scripts, and installers from launching. WDAC is especially powerful as it can be enforced at the kernel level.
- Reduce the attack surface of privileged accounts. Minimize the number of local administrators on multi-user machines. Avoid leaving privileged domain accounts logged into shared systems. If an admin must log on, ensure they sign out rather than just locking the session.
- Extend telemetry retention. A race-condition exploit may fail several times before succeeding. A single anomalous event might be dismissed as noise, but a cluster of attempts over a short window is a stronger indicator. Keep logs for at least a few days longer than usual if you suspect targeting.
Application control merits special emphasis. While it won’t fix the underlying ProfSvc vulnerability, a robust WDAC policy that allows only signed, trusted applications can make it nearly impossible for an attacker to run the PoC or a weaponized variant. For organizations that cannot immediately deploy WDAC, AppLocker’s path- and publisher-based rules offer a lighter-weight alternative, albeit more easily bypassed.
What Comes Next
Microsoft will eventually release a patch, though the complexity of the fix may delay it. SOC Prime’s analysis suggests that a proper remedy requires architectural changes: path canonicalization to prevent device or Object Manager namespace prefixes, and performing I/O in the user’s security context rather than SYSTEM whenever possible. A rushed patch that only blocks the current PoC technique would likely be bypassed.
In the interim, keep an eye on Microsoft’s Security Response Center for an advisory that will assign a CVE and confirm affected builds. Until then, LegacyHive remains a recognized, unpatched escalation vector that requires manual monitoring. The proof of concept is public, so assume any moderately skilled attacker can adapt it. Treat the User Profile Service as a security boundary to be defended, not a black box to be trusted.