Will Dormann, a senior principal vulnerability analyst at Tharros Labs, discussed a vulnerability that allows attackers to gain administrator privileges by configuring a system to execute their code upon an admin user's login. This vulnerability enables non-admin users to modify the classes registry hive of an admin user, posing a significant risk. It could be exploited without user interaction and may be combined with another vulnerability that provides direct access to an administrative account. Microsoft is aware of the issue and is investigating it, encouraging coordinated disclosure from vulnerability reporters. Independent researcher Kevin Beaumont has created a detection script to help protect against this vulnerability, along with recommendations to restrict local non-user accounts, monitor the ProfSvc for unexpected hive loads, and track activity related to NTUSER.DAT and UsrClass.dat files.