RIP RegPwn

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.mdsec.co.uk/2026/03/rip-regpwn/
• Blog Title: RIP RegPwn
• Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (new page: "Secure Desktop Accessibility Registry Propagation LPE (RegPwn/CVE-2026-24291)"), cross-referencing existing "Uiaccess Admin Protection Bypass" and a small subsection on "Registry symbolic links" + "Oplock-assisted race" primitives

🎯 Content Summary

Title / Date: “RIP RegPwn” (March 13, 2026) describes a Windows local Elevation of Privilege (EoP) used by MDSec in red team engagements since January 2025, fixed in the March 2026 Patch Tuesday and believed tracked as CVE-2026-24291.

Affected platforms (as stated): Windows 10, Windows 11, and Windows Server 2012 / 2016 / 2019 / 2022 / 2025.

🔧 Technical Details

Abusing Secure Desktop Accessibility registry propagation: When a secure desktop session is created (e.g., via workstation lock or “Run as administrator”), Windows uses atbroker.exe (user and SYSTEM) and then osk.exe (SYSTEM) to copy Accessibility configuration values from HKCU\...\Accessibility\ATConfig\<feature> through a per-session HKLM location (HKLM\...\Accessibility\Session<id>\ATConfig\<feature>) and into HKU\.DEFAULT\...\Accessibility\ATConfig\<feature>, then back into the session HKLM key. If the per-session HKLM subtree is writable by the user, it becomes a privileged write “choke point” in the copy chain.

Turning a user-writable HKLM key into an arbitrary SYSTEM registry write using registry symbolic links: If a SYSTEM process writes to a registry key that an attacker can replace, the attacker can substitute that key with a registry symbo...

🤖 Agent Actions

Summary:
Added a new Windows LPE page documenting the Secure Desktop accessibility registry propagation (RegPwn) technique, including registry-link primitive, oplock-assisted race, and SYSTEM RCE chain.
Linked the new page from Windows LPE README, UIAccess page, and SUMMARY.

Files changed:

• src/windows-hardening/windows-local-privilege-escalation/secure-desktop-accessibility-registry-propagation-regpwn.md
• src/windows-hardening/windows-local-privilege-escalation/README.md
• src/windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md
• src/SUMMARY.md

Tests: not run (docs-only changes).

Next steps (optional):

1. If you want, I can add a short detection/defensive notes section (specific logs/telemetry) to the new page.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.mdsec.co.uk/2026/03/rip-regpwn/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (new page: "Secure Desktop Accessibility Registry Propagation LPE (RegPwn/CVE-2026-24291)"), cross-referencing existing "Uiaccess Admin Protection Bypass" and a small subsection on "Registry symbolic links" + "Oplock-assisted race" primitives".

Repository Maintenance:

• MD Files Formatting: 955 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0