HiveNightmare a.k.a. SeriousSAM – anybody can read the registry in Windows 10

171 points by OMGWTF almost 4 years ago

14 comments

rwmj almost 4 years ago
It amazes me that Microsoft haven't replaced the Registry with a simple directory structure, not that it would help for this particular bug, but it would surely be an improvement. I maintain a library for accessing the registry from Linux (https://github.com/libguestfs/hivex) and after writing it I also wrote this screed about how it sucks in just about every way possible:

https://rwmj.wordpress.com/2010/02/18/why-the-windows-registry-sucks-technically/
bob1029 almost 4 years ago
I am legitimately not sure if this is a bug or a feature.

I'll take all the side-channels I can get though. These "exploits" are really useful for regaining control over my own PC.

Just yesterday I learned how to Run-As TrustedInstaller, and that let me remove a lot of unwanted bullshit on my windows 10 install.
denton-scratch almost 4 years ago
Not willing to "sign in with Google". Didn't read (just the comments).
jaclaz almost 4 years ago
Possibly I am missing something, but the use of volume shadow copies or direct (RAW) disk access to retrieve particular files that are "in use" is a long-time established possibility.

Extents and Rawcopy were initially written several years ago:

http://reboot.pro/files/file/316-extents/

https://github.com/jschicht/RawCopy

Or is there something new specific to Windows 10?
bitwize almost 4 years ago
"To keep reading this story, get the free app or log in." FUCK. YOU. Remember when people just published informative and thoughtful stuff online without expecting monetization? Yeah, I and Pepperidge Farm remember, but it seems to have become a lost art. It's worth it to forgo this article, no matter how interesting it seemed to me, to encourage the author and others to publish their blogs to be readable by all.
nickdothutton almost 4 years ago
An operating system can never fully escape its heritage.
woliveirajr almost 4 years ago
> There's no patches, it's a zero day.

Seems that MS just released articles on how to prevent it but no update/patch.

Perhaps it's hard to fix, i.e., too many things on windows rely on it?
notorandit almost 4 years ago
It&#x27;s not a bug! It&#x27;s clearly a feature!
altharaz almost 4 years ago
TL;DR:

Some Windows configurations have bad permissions on their SAM database. If a standard user has access to shadow copies (VSS), this can lead to privilege escalation.

Microsoft recommends to [1]:

1) Restrict access to the contents of %windir%\system32\config:
- Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
- Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

2) Delete Volume Shadow Copy Service (VSS) shadow copies:
- Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Create a new System Restore point (if desired).

--

Also, please note that some authorities seem to address this subject carefully. The French national cybersecurity agency (ANSSI) has for instance published a News bulletin [2] but no "real" Security bulletin of this vulnerability [3].

In its News bulletin, the ANSSI specifies that it also affects Windows Vista RTM :).

However, the ANSSI also says that deleting VSS entries (step 2 of Microsoft recommendations) "must be decided after evaluating the advantages and disadvantages with regard to the risks, in particular because there may be other possibilities for privilege escalation depending on the level of security of your information system."

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

[2] https://www.cert.ssi.gouv.fr/actualite/CERTFR-2021-ACT-031/

[3] https://www.cert.ssi.gouv.fr/alerte/
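The two conditions in the comment above (a weak ACL on the live hives, and shadow copies that still expose them) can be audited from an ordinary user account, and Microsoft's two-step workaround can be applied from an elevated one. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from the HiveNightmare proof of concept. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 and a .NET runtime (4.6.2 or later) that accepts `\\?\GLOBALROOT` device paths; the cap of 20 shadow-copy indexes is an arbitrary assumption. Function names are hypothetical.

```powershell
# Added audit helper for CVE-2021-36934 (SeriousSAM / HiveNightmare). Not from the
# thread, Microsoft or the PoC. Assumes Windows 10, PowerShell 5.1+, .NET 4.6.2+.
# Run Test-* as the standard user you want to audit; run the workaround elevated.

$ConfigDir = Join-Path $env:windir 'System32\config'
# SAM holds local account password hashes, SYSTEM holds the boot key that decrypts
# them, SECURITY holds LSA secrets and cached domain credentials. A readable copy
# of SAM plus SYSTEM is what turns "read the registry" into privilege escalation.
$Hives = 'SAM', 'SYSTEM', 'SECURITY'

function Test-HiveAcl {
    # One record per live hive: does a low-privilege group hold an Allow ACE that
    # grants ReadData? Get-Acl needs only READ_CONTROL, so it works on the hives
    # even while the kernel holds them open. The vulnerable signature is
    # BUILTIN\Users with ReadAndExecute, i.e. icacls' "(I)(RX)".
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    foreach ($name in $Hives) {
        $path = Join-Path $ConfigDir $name
        try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
        catch {
            # A user who cannot even read the ACL has no read right on the hive.
            [pscustomobject]@{ Hive = $path; NonAdminRead = $false
                               Identities = "(ACL not readable: $($_.Exception.GetType().Name))" }
            continue
        }
        $weak = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        })
        [pscustomobject]@{
            Hive         = $path
            NonAdminRead = $weak.Count -gt 0
            Identities   = ($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}

function Test-ShadowCopyHive {
    # A standard user cannot run vssadmin, so probe the shadow-copy device names
    # directly (assumption: at most $MaxIndex copies exist). Opening a hive for read
    # and closing it again is enough to show whether the copy is exposed; nothing
    # is copied out.
    param([int]$MaxIndex = 20)
    foreach ($i in 1..$MaxIndex) {
        foreach ($name in $Hives) {
            $path = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\$name"
            try {
                $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
                $fs.Dispose()
                [pscustomobject]@{ ShadowCopy = $i; Hive = $name; Readable = $true; Error = $null }
            } catch {
                $ex = $_.Exception
                if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
                if ($ex -is [System.IO.DirectoryNotFoundException] -or
                    $ex -is [System.IO.FileNotFoundException]) {
                    continue   # no shadow copy with this index on this volume
                }
                [pscustomobject]@{ ShadowCopy = $i; Hive = $name; Readable = $false
                                   Error = $ex.GetType().Name }
            }
        }
    }
}

function Invoke-SeriousSamWorkaround {
    # Microsoft's two-step workaround from the comment above (run as administrator).
    # Step 1 re-enables inheritance so the live hives drop the stray Users ACE.
    # Step 2 is needed because existing shadow copies keep the old ACL; it also
    # discards restore points, the trade-off ANSSI asks you to weigh, so it is opt-in.
    param([switch]$DeleteShadowCopies)
    icacls "$ConfigDir\*.*" /inheritance:e
    if ($DeleteShadowCopies) {
        vssadmin delete shadows /for=$env:SystemDrive /all /quiet
    }
}

Test-HiveAcl        | Format-Table -AutoSize
Test-ShadowCopyHive | Format-Table -AutoSize
```

Read the two tables together: `NonAdminRead` true on the live hives is the misconfiguration, and `Readable` true for any shadow copy is the path a standard user would actually use, since the live files are locked by the kernel. Fixing the ACL alone leaves the second table unchanged; that is why step 2 exists. On a runtime older than .NET 4.6.2 every probe reports `NotSupportedException` rather than a real answer, so check the `Error` column before concluding the machine is clean.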
Asooka almost 4 years ago
I am confused how having read access to the registry allows local privilege escalation. As a Linux user, having read access to the registry sounds like having read access to /etc, which every user already has. What sensitive data is stored in SAM that allows that?
grayhatter almost 4 years ago
First commit was 5 days ago, July 15, which wasn't Patch Tuesday... Which means it wasn't an 0day... Stop getting this wrong!
tyingq almost 4 years ago
I thought there was also a way to schedule a copy of a file at boot time...something that installers use to copy/delete locked files.
bencollier49 almost 4 years ago
Paywalled. I don't understand why people publish to Medium.
alphadenied almost 4 years ago
So one of the most wonderful things about relying on their proprietary closed-source operating system is that you can't have external code audits. You just kind of wait for ethical people to come forward and explain bugs they've found and wonder, 1, how long has it been there, 2, how long have bad actors known about this, 3, how many other bugs are just like this or worse that they haven't found yet, 4, do I need to recreate VM images or can I trust the internal patch process to get it installed before I've been exploited, 5, does the patch actually fix the underlying security flaw or is it something they're calling a "feature" now that will always be an issue... I'm so grateful to not be a janitor for Microsoft Windows software anymore.