void Groom(HKEY hive) { for (int i = 0; i < 0x20; ++i) { wchar_t value[32]; swprintf(value, L“bin_%02d“, i); MakeBin(hive, value, 0x3FD8); RegDeleteKeyValueW(hive, NULL, value); // leaves holes for victim cells } }

</details>

Mara primitive ya uharibifu (overwrite/fill) inapopatikana, groom anahakikisha kwamba **target cell resides next to the sprayed holes**, ikiruhusu overwrites sahihi bila kutumia heap spraying.

## API-only access to privileged hives via misconfigured descendants

Windows hupima tu **ACL on the final component** ya registry path. Ikiwa descendant yoyote chini ya HKLM/HKU inampa `KEY_SET_VALUE`, `KEY_CREATE_SUB_KEY`, au `WRITE_DAC` watumiaji wenye idhini ndogo, unaweza kuifikia hata pale kila parent key imefungwa. Project Zero iligundua **>1000 such writable keys in HKLM on Windows 11**, ikiwa ni pamoja na entries zenye muda mrefu kama `HKLM\SOFTWARE\Microsoft\DRM` na matawi kadhaa ya `HKLM\SYSTEM`.

Mkakati wa kuorodhesha kwa vitendo:

1. Kutoka kwa muktadha wenye haki za juu, pitia `\Registry\Machine` na `\Registry\User`, ukidump security descriptor ya kila key. Hifadhi vitu ambavyo DACL inaruhusu SIDs zisizo na ruhusa.
2. Kama mtumiaji wa kawaida, jaribu `RegOpenKeyEx` na `KEY_SET_VALUE|KEY_CREATE_SUB_KEY` dhidi ya paths zilizorekodiwa. Open zilizofanikiwa ni malengo yanayoweza kutumika kwa hive corruption bugs ambazo zinahitaji data inayodhibitiwa na mshambuliaji katika system hives.
3. Dumisha cache ya open handles kwa ajili ya **stable writable locations** ili PoCs waweze moja kwa moja kuweka corrupted metadata.
```powershell
$targets = Get-ChildItem Registry::HKEY_LOCAL_MACHINE -Recurse |
Where-Object { (Get-Acl $_.PsPath).Access.IdentityReference -match 'S-1-5-32-545' } |
Select-Object -ExpandProperty PsPath

foreach ($path in $targets) {
try { Get-Item -Path $path -ErrorAction Stop | Out-Null }
catch {}
}

Once such a path is known, the exploit never needs offline hive tampering—standard registry APIs are enough to stage the corrupt cells inside privileged hives touched by SYSTEM services.

Cross-user hive abuse via HKCU\Software\Microsoft\Input\TypingInsights

Every user hive contains HKCU\Software\Microsoft\Input\TypingInsights, whose ACL grants KEY_ALL_ACCESS to Everyone (S-1-1-0). Until Microsoft tightens it, any user can:

• Jaza hive ya mtumiaji mwingine hadi kikomo cha 2 GiB, kusababisha kushindwa kwa logon au kulazimisha truncation ya hive (inayofaa kuathiri tabia ya allocator au DoS).
• Angusha corrupted cells ndani ya NTUSER.DAT ya watumiaji wengine, ukijiandaa kwa exploits za lateral zinazochochewa wakati mchakato wa mshambuliaji unaposoma key iliyoharibika.
• Badilisha differencing hives kwa sandboxed apps zinazotegemea per-user overlay hives, kuwafanya watumie metadata hatarishi.

Hii inafanya kuwa uharibifu wa hive utumike kwa lateral movement, siyo tu kuinua haki ndani ya akaunti hiyo hiyo.

Turning metadata corruption into paged pool overflows

Large registry values are stored in _CM_BIG_DATA records:

• _CM_KEY_VALUE.DataLength holds the logical size. Its high bit indicates whether the payload lives inside the cell or in big-data storage.
• _CM_BIG_DATA.Count counts 16 KiB chunks (16384 bytes minus metadata) referenced via a chunk table.

When any component calls CmpGetValueData:

1. The kernel allocates a paged pool buffer sized strictly from DataLength.
2. It copies Count * 0x4000 bytes from hive storage into that buffer.

If you can corrupt the cell so DataLength < 16344 * (Count - 1), the copy overruns the destination linearly into adjacent paged-pool objects. A reliable exploit chain is:

1. Use the deterministic groom to place the vulnerable _CM_KEY_VALUE near controllable metadata.
2. Flip DataLength to a small number (e.g., 0x100) while leaving _CM_BIG_DATA.Count intact.
3. Pool-groom from user mode (pipes, ALPC ports, section objects) so a chosen object (like EPROCESS->Token owner or SRVNET_BUFFER) occupies the next chunk after the allocation from step 1.
4. Trigger a read (e.g., RegQueryValueEx, NtQueryValueKey) so CmpGetValueData copies all chunks and overwrites the neighbor’s fields with attacker-controlled data from the hive.
5. Use the corrupted kernel object to pivot to arbitrary read/write or direct SYSTEM token theft.

Because the overflow length equals (Count * 0x4000) - DataLength, you get a precise byte budget and full control over the bytes written, outperforming many driver-based pool overflows.

Inter-hive linear overflows via tightly packed HBINs

Hives mounted by the Registry process are mapped in 2 MiB-aligned views with no guard gaps. You can force two different hives to grow in lockstep until their _HBIN ranges touch:

1. Choose an attacker-writable hive (app hive or user hive) and a privileged target (e.g., HKLM\SOFTWARE).
2. Continuously create/delete 0x3FD8-byte values in both hives. Each allocation adds a 0x4000-byte bin, so running both writers in parallel interleaves their bins in virtual memory (observed with !process Registry + !vad).
3. Once the final bin of the attacker hive sits immediately before an HBIN belonging to HKLM, use the hive corruption bug to overflow out of the attacker hive, smashing HBIN headers or cells inside HKLM.
4. With HKLM metadata under control you can:

• Stage a big-data inconsistency primitive directly in the privileged hive.
• Corrupt configuration data consumed by SYSTEM services before it ever leaves the kernel.

The absence of guard pages means a linear overwrite from an unprivileged hive can directly corrupt SYSTEM-owned hive structures, enabling data-only attacks or setting up the pool overflow described above inside HKLM/HKU.

Operational tips

• Monitor hive placement with !vad (user-mode) and !reg view / !pool (kernel) to confirm adjacency before triggering the overflow.
• Cache writable HKLM paths discovered during enumeration so corruption primitives can be deployed quickly even after reboots.
• Combine hive grooming with standard pool feng shui (pipe pair freelists, NtAllocateVirtualMemory on Registry process) to stabilize post-overflow primitives.

References

• Project Zero – The Windows Registry Adventure #8: Practical exploitation of hive memory corruption

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.