A proof-of-concept exploit dubbed LegacyHive has been released, enabling a Windows elevation-of-privilege vulnerability in the Windows User Profile Service that allows a standard user to load another user’s registry hive under their own registry classes root.
Registry hives are files that store configuration data for Windows, services, applications, and user profiles. Improperly loading or exposing these files can permit unauthorized access or privilege escalation.
The GitHub repository describes LegacyHive as a “Windows user profile service arbitrary hive load elevation of privileges vulnerability.”
The LegacyHive PoC released by Nightmare-Eclipse claims to work on all supported Windows desktop and server versions that have the July 2026 security updates installed.
According to security researcher Nightmare-Eclipse, the publicly released PoC has been intentionally restricted to reduce the risk of immediate abuse, requiring credentials for a second standard user and the username of a third account, which may be an administrator.
The repository was created shortly before the release, with the PoC source code and README documentation made approximately 11 hours before it became publicly accessible. The project is licensed under the MIT License.
If executed successfully, the target account’s user hive will be mounted within the current user’s classes registry location. In its unrestricted form, the original technique did not require additional user credentials.
It was not limited to the UsrClass.dat hive, which typically contains file associations, shell settings, COM configurations, and application-class settings.
The researcher indicated that the original exploit could load arbitrary hives, while the public version was simplified before release.
This behavior is security-sensitive because registry hives may contain values that affect how Windows launches software, resolves COM objects, handles file types, and applies user-specific settings.
An attacker who manipulates the loading context of a privileged user’s hive could identify additional escalation paths based on the local system configuration and accessible registry data.
Currently, the disclosure does not specify a CVE number, Microsoft advisory, or an official patch that directly addresses LegacyHive.
Its compatibility with systems patched in July 2026 suggests that organizations should not assume that routine monthly updates resolve the reported issue.
Windows administrators are advised to restrict local access to trusted users, monitor for unusual profile-loading activity, and review endpoint telemetry for unexpected accesses to user profile registry files, including NTUSER.DAT and UsrClass.dat
Security teams should also track Microsoft’s response and validate the PoC only within isolated, authorized test environments.
This publication emphasizes the ongoing risks posed by local Windows privilege-escalation vulnerabilities, particularly those affecting core services that load and manage user profile data.
Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.

