Blackfort Technology
Threat BriefingJuly 16, 2026·Christian Gebhardt

LegacyHive: Windows Zero-Day in the User Profile Service — Detection Without a Patch

An unpatched Windows zero-day in the User Profile Service lets standard users load foreign registry hives. No patch — here is how to detect and contain the attack.

Follow Blackfort on LinkedIn

Security incidents, technical analyses and insights from the field — delivered to your LinkedIn feed.

Follow now →
Abstract depiction of a Windows registry hive being loaded into a foreign user context by a non-privileged process

A standard user reading and manipulating an administrator's registry — without an exploit chain, but through a legitimate Windows service. That is exactly what LegacyHive demonstrates, and Microsoft has not yet shipped a patch for it.

Two-minute analysis: how LegacyHive loads foreign registry hives and how the attack can be detected without a patch.

On July 14, 2026, the researcher Nightmare-Eclipse (new alias MSNightmare) published the LegacyHive PoC. It exploits a weakness in the Windows User Profile Service (ProfSvc) and the way it loads registry hives: through a finely timed path-switching trick, an ordinary standard user mounts another user's registry hive — including an administrator's — into their own HKU\…\Classes (Current User Classes Root). From there, escalation up to full system takeover is possible.

Why This Is Serious

  1. 1Works on all supported Windows versions — including the July 2026 Patch Tuesday level. The regular monthly update does not close the gap.
  2. 2No CVE, no Microsoft advisory, no patch (as of this article). Confirmed exploitation in the wild has not yet been documented.
  3. 3The PoC is deliberately stripped down: it currently requires a second standard-user credential and a third username. The author stresses that the original needed no foreign credentials and was not limited to usrclass.dat — so the public picture rather understates the real reach.

What Matters Now: Detection

Without a patch, detection is the primary countermeasure. Our lab analysis (in an isolated environment freshly set up per topic) reveals the reliable indicators:

  • Strongest IOC: a hive load in which a foreign user hive is loaded into HKU\S-1-5-21-…_Classes — by a process that is not a Windows system service (not svchost/lsass/services/winlogon).
  • Additionally: access to a foreign NTUSER.DAT/UsrClass.dat (C:\Users\<other>\…) by an atypical process.
  • We ship concrete rules: a Sysmon configuration for the relevant registry and file events, and a Wazuh detection rule (level 12, MITRE T1547.001/T1055) that fires on exactly this pattern.
Wazuh rule – LegacyHive detection
<rule id="100300" level="12">
  <if_sid>61614,61615</if_sid>
  <field name="win.eventdata.targetObject" type="pcre2">(?i)(?:\\+REGISTRY\\+USER\\+|HKU\\+)S-1-5-21-[0-9-]+_Classes</field>
  <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)\\(svchost|lsass|services|winlogon|csrss|wininit)\.exe$</field>
  <description>LegacyHive: foreign user hive into HKU\...\Classes by non-privileged process</description>
  <mitre><id>T1547.001</id><id>T1055</id></mitre>
</rule>
Validated in the lab

We validated this rule in an isolated lab environment against real Sysmon events — the hive-load access by a non-system process reliably triggered a level 12 alert.

Hardening While No Patch Exists

  • Least privilege for local standard accounts; no shared standard credentials (the PoC needs a second account).
  • Monitor and alert on the IOCs above with high priority until Microsoft ships a fix.
  • Ensure accountability: whoever performs privileged actions must be logged in a tamper-evident way — especially for a technique that abuses administrator context.

How We Support You

For that last point, it pays to look at your own evidence and access architecture: with our Independent Log Vault, security-relevant events land in a tamper-proof store, independent of the administrators being logged — precisely what an escalation via foreign hives would otherwise blur. And our Privileged Access Bridge consolidates controlled, fully audited administrative access. If you want to set up detection in a structured way, an external ISO (information security officer) and our detection-centric approach help turn IOCs into robust alerts.

Sources

Disclaimer

Not legal advice. This article describes publicly available research for detection and protection purposes; it contains no instructions for exploitation.

Kontakt aufnehmen

IT Security for your organization

Blackfort Technology guides organizations through NIS2 compliance, OT security, and the protection of critical infrastructures – from analysis to implementation.