> [W]ith registry hives, the initial refcount values are loaded from disk, from a file that we assume is controlled by the attacker.
As far as I remember, new hives are only mountable with administrator privileges (perhaps even only with Local System ones?..); and it’s long been Microsoft’s position that the administrator/kernel boundary is not a security one—and thus, for example, a driver signing bypass is not a security vulnerability[1]. That would imply that hive files are trusted as well, wouldn’t it? (At least as far as security is concerned, it would of course still be wise to check them because of possible disk corruption.)
I have mixed feelings regarding Microsoft’s policy and I am not trying to defend it here, to be clear, I’d just like to know if it has changed in recent years.
Windows allows loading process-private registry hives without elevation using the RegLoadAppKey() function. This is used by Visual Studio.
https://visualstudioextensions.vlasovstudio.com/2017/06/29/c...
Yeah, several paragraphs down TFA mentions that unprivileged (and documented) hive loading was introduced in Vista. Which checks out as far as my knowledge cutoff regarding Windows :)