CVE-2016-0099 in Windows
Summary
by MITRE
The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/23/2026
The Secondary Logon Service vulnerability represents a critical privilege escalation flaw within Microsoft Windows operating systems that affects multiple versions including Vista SP2 through Windows 10 1511. This vulnerability resides in the Windows service that enables applications to run processes under different user contexts, specifically designed to support scenarios where elevated privileges are required temporarily. The service operates through the SecLogon.dll component and is utilized by various Windows applications and system processes that need to execute code with different security contexts. The flaw manifests when the service fails to properly validate and process handle requests, creating a path for malicious local users to exploit the system's security model and elevate their privileges from standard user level to administrator level.
The technical exploitation of this vulnerability occurs through improper handle validation within the Secondary Logon Service implementation. When applications make requests to create secondary logon sessions, the service processes these requests without adequate validation of the handle parameters, allowing attackers to manipulate the handle values and gain unauthorized access to elevated privileges. This weakness enables attackers to bypass normal Windows security controls that typically prevent local users from executing code with administrative rights. The vulnerability specifically relates to how the service handles process creation and handle inheritance, where malicious code can manipulate the handle values passed to the service, potentially allowing the execution of arbitrary code with elevated privileges. The flaw exists in the service's security descriptor handling and process token management, creating a window where unprivileged processes can obtain elevated access tokens through crafted handle manipulation.
The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with a persistent means of gaining administrative control over affected systems. Local users who might not normally have administrative privileges can exploit this vulnerability to execute code with full system rights, potentially leading to complete system compromise. The vulnerability affects both interactive and non-interactive execution scenarios, meaning attackers can exploit it through various attack vectors including malicious applications, script files, or even through compromised legitimate software that utilizes secondary logon functionality. Systems running the affected Windows versions are particularly vulnerable since the service is enabled by default and actively used by various system components, making exploitation relatively straightforward for attackers who have local access to the target systems.
Mitigation strategies for this vulnerability include immediate application of Microsoft security updates that address the specific handle validation issues within the Secondary Logon Service. Organizations should prioritize patching all affected systems, particularly those running Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511. System administrators should also implement additional security measures including disabling unnecessary secondary logon usage, monitoring for suspicious handle operations, and applying principle of least privilege configurations. The vulnerability aligns with CWE-264, which describes permissions, privileges, and access control issues, and maps to ATT&CK technique T1068, which covers local privilege escalation through service privilege abuse. Network segmentation and user access controls can help reduce the attack surface, while regular security audits should monitor for unauthorized use of secondary logon functionality. The vulnerability demonstrates the critical importance of proper handle validation in system services and highlights the potential for local privilege escalation vulnerabilities to provide attackers with complete system compromise when exploited successfully.