google-project-zero · Crawled Jul 5, 2026

A Deep Dive into the GetProcessHandleFromHwnd API


AI Summary

The article analyzes the evolution of the GetProcessHandleFromHwnd API in Windows, revealing security flaws that allowed privilege escalation and access to protected processes. Early versions used user-mode hooks, but a shift to kernel-mode handling in Windows 10 introduced a vulnerability enabling unrestricted process handle access when UIPI checks were bypassed. This was exploited to compromise protected processes like WerFaultSecure.exe, leading to CVE-2023-41772. Recent Windows 11 updates have mitigated the issue by enforcing stricter access checks and feature flags.


Indicators of Compromise (3 extracted)

Type      Value
Filename  oleacchooks.dll
Filename  WerFaultSecure.exe
Registry  User HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System