Concise Cyber

Google Project Zero Details Windows Registry Attack Surface in New Analysis

Google’s Project Zero security research team has published the seventh installment of its in-depth series on the Windows Registry, focusing this time on a comprehensive attack surface analysis. The report documents the mechanisms through which various processes, including sandboxed applications, interact with the central registry hive, identifying specific areas for security hardening.

The research provides a detailed breakdown of the Remote Procedure Call (RPC) interfaces exposed by the Windows Registry service. The team documented how these interfaces handle requests from processes with different integrity levels, revealing previously unexamined interaction pathways.

Key Findings from the Analysis

A primary focus of the report was the interaction between low-integrity application sandboxes and the registry. Researchers found that certain sandboxed processes were able to query specific registry keys related to system configuration by leveraging legitimate, documented API calls in unexpected ways. The analysis centered on the RegLoadAppKey function, which is designed to load application-specific hives, and its underlying RPC communications. The Project Zero team developed custom fuzzing tools to probe these RPC endpoints, mapping out the parsers and logic flows accessible to external callers.

Implications for System Security

The investigation culminated in a proof-of-concept that demonstrated a sandboxed process successfully reading configuration data from a protected area of the registry. This was achieved without a memory corruption vulnerability, instead relying on the logical implementation of the registry’s RPC service. While the report does not classify this as a directly exploitable remote code execution vulnerability, it highlights a significant information disclosure risk and a weakness in the security boundary enforced by the sandbox. The findings were reported to Microsoft for review and potential future hardening of the registry’s access controls.

Source: https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventure-7-attack-surface.html