Local Privilege Escalation Through Default ntmulti.exe File Permissions Unprivileged users can execute arbitrary programs that run with the privileges of the LocalSystem account by replacing the Multi-user Cleanup Service executable with arbitrary executables. This vulnerability exists because the default file permissions assigned during installation to ntmulti.exe (the executable for the Multi-user Cleanup Service) allow unprivileged, interactive users to replace ntmulti.exe with any file. Because the Multi-user Cleanup Service is a Windows service running with LocalSystem privileges, unprivileged users can easily elevate their privileges.
