Upon login, ProfSvc (user profile service) locates this file and calls NtLoadKeyEx in order to load the Registry Hive. This “Hive” is actually a file that is stored on the filesystem which can be found at “%USERPROFILE%\ntuser.dat”. This hive contains user-related settings for the operating system and various applications that may be installed. These settings are loaded from the “User’s Registry Hive”, which you may know of as HKEY_CURRENT_USER whenever you pull up regedit. One of the many things that occur as you log into a Windows account, is the user-defined settings are loaded for the account. Leveraging this trick has to do with how the user account registry is loaded upon login, so let’s start this off by understanding a bit about what happens when a user logs into a Windows account. This technique has been tested against Windows 7 and Windows 10 Enterprise 圆4 (10.18363 1909) and does not require admin access. Bypassing User Group Policy is not the end of the world, but it’s also not something that should be allowed and depending on User Group Policy setup, could result in unfortunate security scenarios. I‘m going to share an (ab)use of a Windows feature which can result in bypassing User Group Policy (as well as a few other interesting things).
