GetProcessHandleFromHwnd (GPHFH) Deep Dive

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://projectzero.google/2026/02/gphfh-deep-dive.html
• Blog Title: GetProcessHandleFromHwnd (GPHFH) Deep Dive
• Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (or a new subpage under Windows LPE such as "Abusing GUI HWND-to-Process Handle APIs (GetProcessHandleFromHwnd / NtUserGetWindowProcessHandle)")

🎯 Content Summary

This Project Zero post reverse-engineers the Windows accessibility API GetProcessHandleFromHwnd across OS versions, showing how it evolved from a Vista-era user-mode hook/handle-duplication protocol into a Win32k kernel function (NtUserGetWindowProcessHandle) that (in Windows 10 1803+) could open arbitrary process handles using KernelMode access checks bypass. That design flaw enabled opening handles into processes that should be protected (notably Protected Process / PPL), and in some cases san...

🔧 Technical Details

When an OS/API provides a “GUI object -> process handle” conversion (e.g., HWND to process handle), the GUI object becomes a capability. If the implementation opens the target process using a kernel-trusted access mode (e.g., ObOpenObjectByPointer(..., KernelMode)) or otherwise bypasses normal ACL/protection checks, an attacker can request powerful rights (even if the caller couldn’t normally OpenProcess the target). Practical exploitation is: ensure the victim has at least one window on the same desktop, obtain/guess/enumerate its HWND, call the conversion API, and use the resulting rights (commonly PROCESS_VM_READ/PROCESS_VM_WRITE/PROCESS_VM_OPERATION) to compromise the target by reading/writing memory, allocating executable memory, and hijacking control flow.

A legacy pattern for safely returning a handle across processes is: inject a hook DLL into the window owner with SetWindowsHookEx, trigger it with a custom registered message (e.g., RegisterWindowMessage(L"WM_OLEACC_HOOK")), h...

🤖 Agent Actions

Summary:
Updated the UIAccess/Admin Protection page with a new section describing the HWND-to-process handle primitive (GetProcessHandleFromHwnd / NtUserGetWindowProcessHandle), its security impact, practical abuse flow, and post-fix behavior, plus added the Project Zero reference.

Files modified:

• src/windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md

Tests:

• Not run (docs-only change).

Next steps:

1. If you want this also linked from the Windows LPE index, tell me and I’ll add a short cross-reference in src/windows-hardening/windows-local-privilege-escalation/README.md.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://projectzero.google/2026/02/gphfh-deep-dive.html

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (or a new subpage under Windows LPE such as "Abusing GUI HWND-to-Process Handle APIs (GetProcessHandleFromHwnd / NtUserGetWindowProcessHandle)")".

Repository Maintenance:

• MD Files Formatting: 949 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0