CVE-2016-0099 — Microsoft Windows Secondary Logon Service Privilege Escalation Vulnerability

Windows Secondary Logon Service — Handle Management Flaw Enables LPE to SYSTEM; Widely Used by Ransomware Operators; Patched MS16-032 (March 2016)

What Is Windows Secondary Logon Service?

The Windows Secondary Logon Service (seclogon) implements the "Run as different user" functionality — the Windows feature that allows a process to run under different credentials than the current user without requiring full logoff. Applications like runas.exe use the Secondary Logon Service to create processes with alternate user tokens. The service runs as SYSTEM and accepts requests from any local user, making its handle management code an attack surface for privilege escalation.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022; federal agencies are required to apply mitigations under BOD 22-01.

CVE-2016-0099 is a privilege escalation vulnerability in the Windows Secondary Logon Service that allows a standard user to execute arbitrary code as an administrator (SYSTEM). The vulnerability exists because the Secondary Logon Service fails to properly manage request handles in memory — a handle management error that allows a local attacker to leak a SYSTEM-level handle and use it to execute code with elevated privileges. Patched in MS16-032 (March 8, 2016). Public exploit code was published days after the patch, and the vulnerability was widely adopted by ransomware operators as a reliable LPE component.

Affected Versions

Windows                               Status
------------------------------------  ------------
Windows Vista SP2                     Vulnerable
Windows Server 2008 SP2 / R2 SP1      Vulnerable
Windows 7 SP1                         Vulnerable
Windows 8.1                           Vulnerable
Windows Server 2012 / 2012 R2         Vulnerable
Windows RT 8.1                        Vulnerable
Windows 10 (32-bit only)              Vulnerable
Windows 10 (64-bit)                   Not affected
Windows Server 2016                   Not affected

Fixed in MS16-032 (March 2016). Note: 64-bit Windows 10 and Windows Server 2016 were not affected.

Technical Details

Root Cause: Secondary Logon Service Handle Management

CVE-2016-0099 stems from improper handle management in the Windows Secondary Logon Service. The service runs as SYSTEM and processes requests from user-space applications to create processes under alternate credentials. The flaw lies in how the service manages process handles while it processes a logon request (a race condition or handle inheritance error), which plays out as follows:

  1. Request initiation — the attacker's process makes a Secondary Logon Service request
  2. Handle leak — due to improper handle management, the service leaks a handle to an object with SYSTEM-level access to the requesting process
  3. Privilege inheritance — the attacker uses the leaked handle to create or inject into a process with SYSTEM privileges
  4. SYSTEM access — arbitrary code execution at SYSTEM privilege level

The CVSS PR:L (privileges required: low) reflects that any standard user (a local account, domain user, or even service account) can trigger the vulnerability — no administrator access is needed to initiate the exploit.

Ransomware Exploitation Pattern

Ransomware operators adopted CVE-2016-0099 as a reliable LPE component in 2016:

  1. Initial access — phishing email or exploit kit delivers ransomware dropper running as a standard user
  2. LPE via CVE-2016-0099 — escalate to SYSTEM
  3. Maximum impact — with SYSTEM, access all files (including system-protected ones), stop backup and security services, delete Volume Shadow Copies, and encrypt all drives

Attack Characteristics

Attribute             Detail
--------------------  ----------------------------------
Attack Vector         Local — standard user account
Privileges Required   Low (standard user)
User Interaction      None required
Impact                SYSTEM-level privilege escalation
Ransomware            Confirmed widespread use
Exploit Availability  Public PoC within days of patch

Discovery

Reported to Microsoft and patched in MS16-032 (March 2016 Patch Tuesday). Public exploit code was published approximately March 21, 2016.

Exploitation Context

  • Ransomware standard component: CVE-2016-0099 became a standard component in ransomware toolkits in 2016; reliable, public exploit code and broad Windows version coverage (Vista through Windows 10 32-bit) made it a preferred LPE for automated ransomware campaigns
  • No user interaction required: The UI:N (no user interaction) CVSS component makes CVE-2016-0099 particularly valuable for automated post-exploitation — once a dropper runs in user context, the LPE can be triggered programmatically without any user clicking or interaction
  • Long exploitation tail: CISA's March 2022 KEV addition — six years after the patch — reflects continued exploitation against unpatched systems; organizations running Windows 7 or Server 2008 past their January 2020 EOL date remained permanently exposed
  • CISA KEV (2022): Added March 2022

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS16-032 (March 2016) — any Windows system current with Windows Update after March 2016 includes this fix.

  2. Upgrade end-of-life Windows — Windows 7 and Server 2008 are past end-of-life and cannot receive security updates. Upgrade to Windows 10/11 or Server 2019/2022.

  3. Disable Secondary Logon Service if unused — if the "Run as different user" feature is not needed, the Secondary Logon Service (seclogon) can be disabled via services.msc or Group Policy.

  4. Endpoint protection for ransomware indicators — deploy behavioral detection for ransomware patterns: Volume Shadow Copy deletion (vssadmin delete shadows), mass file encryption, and privilege escalation sequences from user-context processes.

  5. Least privilege — ensure processes that handle untrusted input (browsers, email clients, office applications) run as limited users rather than as local administrators or privileged service accounts.
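The detection called for in step 4 can be expressed as two heuristics over process-creation telemetry and then correlated to catch the ransomware sequence described earlier on this page (user-context dropper, escalation to SYSTEM, shadow-copy deletion). The following Python is an added example, not code from the advisory or from any vendor product. It assumes Sysmon-style process-creation events with pid, parent pid, image, command line and user fields; the event records, PIDs and account names are constructed for illustration.

```python
"""Detection heuristics for a user-to-SYSTEM escalation followed by shadow-copy
deletion. Added example; event records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style, constructed shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str  # account the new process runs as


SYSTEM = r"NT AUTHORITY\SYSTEM"
# Accounts that legitimately spawn SYSTEM children (services, task scheduler hosts).
SERVICE_ACCOUNTS: Set[str] = {SYSTEM, r"NT AUTHORITY\LOCAL SERVICE", r"NT AUTHORITY\NETWORK SERVICE"}

# "vssadmin delete shadows" in any argument order/casing, with or without .exe.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def find_shadow_copy_deletion(events: List[ProcEvent]) -> List[int]:
    """PIDs whose command line deletes Volume Shadow Copies."""
    return [e.pid for e in events if VSS_DELETE.search(e.cmdline)]


def find_user_to_system_transitions(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where a SYSTEM process was created by a process
    running as an ordinary (non-service) account. Legitimate elevation normally goes
    through a SYSTEM-owned service host, so a direct user -> SYSTEM edge is suspicious.
    PID reuse is ignored here; a real pipeline should key on a process GUID."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in the window we were given
        if e.user == SYSTEM and parent.user not in SERVICE_ACCOUNTS:
            hits.append((parent.pid, e.pid))
    return hits


def _descendants(root: int, children: Dict[int, List[int]]) -> Set[int]:
    seen: Set[int] = set()
    stack = [root]
    while stack:
        for c in children.get(stack.pop(), []):
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def escalation_then_shadow_deletion(events: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """Correlate the two heuristics: (user_parent, system_child, vssadmin_pid) triples
    where shadow-copy deletion happens somewhere under a user -> SYSTEM transition."""
    children: Dict[int, List[int]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    vss_pids = set(find_shadow_copy_deletion(events))
    chains = []
    for parent_pid, system_pid in find_user_to_system_transitions(events):
        for pid in _descendants(system_pid, children) | {system_pid}:
            if pid in vss_pids:
                chains.append((parent_pid, system_pid, pid))
    return chains


# Constructed sample: a dropper run by CORP\alice spawns a SYSTEM shell, which
# then deletes shadow copies. PIDs and the account name are made up.
SAMPLE_EVENTS = [
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe", "services.exe", SYSTEM),
    ProcEvent(812, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", SYSTEM),
    ProcEvent(3100, 2900, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\alice"),
    ProcEvent(4420, 3100, r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "invoice.exe", r"CORP\alice"),
    ProcEvent(4500, 4420, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", SYSTEM),
    ProcEvent(4530, 4500, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet", SYSTEM),
    ProcEvent(5010, 3100, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"CORP\alice"),
]

if __name__ == "__main__":
    print("shadow deletion:", find_shadow_copy_deletion(SAMPLE_EVENTS))
    print("user->SYSTEM:", find_user_to_system_transitions(SAMPLE_EVENTS))
    print("correlated chains:", escalation_then_shadow_deletion(SAMPLE_EVENTS))
```

The transition heuristic on its own will fire on some legitimate software that launches SYSTEM helpers directly, so it is best used as a correlation input (as in the last function) or weighted by the parent image's path and signature; the shadow-deletion pattern is high-confidence on its own and worth alerting on immediately.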

Key Details

Property               Value
---------------------  --------------------------------------------------------------------------
CVE ID                 CVE-2016-0099
Vendor / Product       Microsoft — Windows
NVD Published          2016-03-09
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-120 — Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CISA KEV Added         2022-03-03
CISA KEV Deadline      2022-03-24
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector        Local
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date         Event
-----------  ----------------------------------------------------------------------------------------
2016-03-08   Microsoft Security Bulletin MS16-032 released; CVE-2016-0099 patched (March 2016 Patch Tuesday)
2016-03-09   CVE-2016-0099 published by NVD
2016-03-21   Public exploit code published demonstrating CVE-2016-0099 exploitation
2022-03-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24   CISA BOD 22-01 remediation deadline