DCOM Permission Misconfiguration in WaaSMedicSvc Enables Unprivileged PPL Process Access

The Windows Update Medic Service (WaaSMedicSvc) is configured with overly permissive DCOM LaunchPermission rights that let standard users instantiate COM objects inside a Protected Process Light (PPL) service running as LocalSystem. The service, which runs with LaunchProtected=2 (PPL), exposes the WaaSRemediation COM object with a LaunchPermission SDDL that grants execute rights to Everyone (WD) and Interactive User (IU). This configuration allows unprivileged users to communicate across the PPL security boundary and execute methods in SYSTEM context. While prior research demonstrated exploitation of this attack surface via TypeLib hijacking, this finding identifies a distinct unprivileged access vector. Remediation involves restricting DCOM LaunchPermission to SYSTEM and Administrators only.

Windows · DCOM · PPL · Privilege Escalation · Local Privilege Escalation · Windows Security · COM · WaaSMedic · Vulnerability Research · Security Boundary · Microsoft · LPE · Configuration Issue · Service Hardening
Mar 11, 2026  ·  6 min read  ·  58 views
Windows Internals · windows

How Windows Delivery Optimization's Trust Chain Can Be Broken Before It Starts

Windows Delivery Optimization's security model, chunk hashes, peer banning, retry logic, all of it flows from a single in-memory structure called the Pieces Hash File. Control that file, and every downstream verification check works in your favor. This research traces how to get there: from the DLL, through the unpinned SSL channel, to the third-party CDN infrastructure serving that file to every Windows 11 machine on the planet.

Mar 10, 2026  ·  25 min  ·  373 views