1 comments

  • marak830 an hour ago

    NightCrawler released another window's vuln.

    From what I can understand of it:

    * Read the target user's NTUSER.DAT hive into memory as a backup.

    * Open the hive offline using the Offline Registry (offreg) API.

    * Modify HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData to point at \\.\GlobalRoot\BaseNamedObjects\Restricted.

    * Save the modified hive and replace the original NTUSER.DAT.

    * Copy the user's UsrClass.dat into the temporary working directory.

    * Acquire a batch oplock on the copied UsrClass.dat to synchronize execution with profile loading.

    * Start a suspended process using CreateProcessWithLogonW(..., LOGON_WITH_PROFILE, ...), triggering the User Profile Service to load the profile.

    * Wait for the oplock to break when Windows attempts to access UsrClass.dat

    https://blog.projectnightcrawler.dev/posts/2026-07-14-legacy...

    update: formatting :s