
Analysis of GetProcessHandleFromHwnd API Exploitation and Security Enhancements in Windows
The GetProcessHandleFromHwnd API in Windows was analyzed after it was used in a publicly disclosed UAC bypass via Quick Assist. The API was initially documented as requiring UIAccess privileges, but it was later found to allow cross-user process access. Its implementation evolved from a user-mode, hook-based design in Windows Vista to a kernel-mode function (NtUserGetWindowProcessHandle) in Windows 10 1803; because the kernel-mode version opened the handle with KernelMode as the access mode, it bypassed the access checks that would otherwise protect protected and sandboxed processes. A resulting security flaw (CVE-2023-41772), reported by researcher Sascha Mayer, enabled privilege escalation by exploiting the UI Access flag to open arbitrary processes; it was patched in Windows 11 23H2 by enforcing UserMode access checks. Windows 11 24H2 introduced further hardening, including mandatory UIPI enforcement and a new ResponsiblePid feature flag that restricts the API to UI Access-enabled processes. The analysis demonstrated exploitation techniques targeting WerFaultSecure.exe (a TCB-level protected process) to hijack handles with limited but sufficient access for code injection. The API's documentation was also found to contain inaccuracies regarding integrity level and cross-user restrictions.