In my previous blog post I mentioned the GetProcessHandleFromHwnd API. This was an API I didn’t know existed until I found a publicly disclosed UAC bypass us...

Project Zero is Google's security research team dedicated to finding and fixing zero-day vulnerabilities in software and hardware, aiming to improve the security of the broader internet ecosystem. Security researchers can learn about vulnerability research, exploit development, and responsible disclosure practices to contribute to making the internet safer for everyone.

Project Zero

A deep technical analysis of the GetProcessHandleFromHwnd Windows API, tracing its evolution from Vista through Windows 11 24H2. The API began as a user-mode hook-based implementation in oleacc.dll, moved to a Win32k kernel function (NtUserGetWindowProcessHandle) in Windows 10 1803, and has undergone several security fixes. The kernel version introduced a critical vulnerability (CVE-2023-41772) by opening process handles with KernelMode access, bypassing all access checks. Subsequent versions partially fixed this but still allowed opening protected processes. Windows 11 24H2 introduced UIPI enforcement improvements and a new ResponsiblePid feature flag path that requires UI Access for all callers. The post also demonstrates how to exploit pre-24H2 systems to hijack a TCB-level protected process (WerFaultSecure.exe) by finding its window handle and calling the API to gain VM read/write access.

A Deep Dive into the GetProcessHandleFromHwnd API