This is a PoC for a local privilege escalation vulnerability in the \Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration scheduled task.
When this scheduled task starts, the taskhostw.exe process tries to open the C:\Users\%username%\AppData\Local\CoreAIPlatform.00\UKP directory and enumerates subdirectories matching the filter {????????-????-????-????-????????????}. Any directory that matches is deleted without first checking whether it is a symbolic link (reparse point).
Because a low-privileged user can, by default, create directories under their own %LOCALAPPDATA% folder, this results in an arbitrary folder deletion in the context of the NT AUTHORITY\SYSTEM account.
The scheduled task is configured with multiple triggers, any of which can be used to start it:
<Triggers>
  <WnfStateChangeTrigger id="RecallPolicyCheckUpdateTrigger">
    <Enabled>true</Enabled>
    <StateName>7508BCA32C079E41</StateName>
  </WnfStateChangeTrigger>
  <WnfStateChangeTrigger id="AADStatusChangeTrigger">
    <Enabled>true</Enabled>
    <StateName>7508BCA32C0F8241</StateName>
  </WnfStateChangeTrigger>
  <WnfStateChangeTrigger id="DisableAIDataAnalysisTrigger">
    <Enabled>true</Enabled>
    <StateName>7528BCA32C079E41</StateName>
  </WnfStateChangeTrigger>
  <WnfStateChangeTrigger id="UserLoginTrigger">
    <Enabled>true</Enabled>
    <StateName>7510BCA338038113</StateName>
  </WnfStateChangeTrigger>
  <SessionStateChangeTrigger id="SessionUnlockTrigger">
    <Enabled>true</Enabled>
    <StateChange>SessionUnlock</StateChange>
  </SessionStateChangeTrigger>
</Triggers>
This PoC uses the WnfStateChangeTrigger with id RecallPolicyCheckUpdateTrigger (state name 7508BCA32C079E41) to start the scheduled task.
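The following PowerShell script is an added verification aid and is not part of the PoC itself. It checks the facts the description above relies on before any exploitation is attempted: that the task exists and runs as SYSTEM, that its triggers are the ones listed, and that the current low-privileged user can create a GUID-named directory under the UKP folder. It creates only a plain (non-link) marker directory and fires no trigger; the marker should disappear after the next trigger, for example a session unlock via SessionUnlockTrigger, if the task behaves as described. The task path, task name and UKP path are taken from the description above; reading the task definition is assumed to be permitted for the user, which may not hold if the task's security descriptor restricts read access.

```powershell
# Added verification script, not part of the PoC. Confirms what the description
# above relies on: the task exists, runs as SYSTEM, has the listed triggers, and
# the low-privileged user can create GUID-named directories under the UKP folder.
# It creates only a plain (non-link) marker directory; it fires no trigger.
# Task path, task name and the UKP path are taken from the description above.

$taskPath = '\Microsoft\Windows\WindowsAI\Recall\'
$taskName = 'PolicyConfiguration'
$ukpDir   = Join-Path $env:LOCALAPPDATA 'CoreAIPlatform.00\UKP'
$guidDir  = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'   # {????????-????-????-????-????????????}

# 1. Task principal and triggers (assumption: the task definition is readable by
#    the current user; otherwise Get-ScheduledTask fails and elevation is needed).
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
'Task      : {0}{1}' -f $task.TaskPath, $task.TaskName
'Runs as   : {0} (RunLevel: {1})' -f $task.Principal.UserId, $task.Principal.RunLevel
[xml]$def = Export-ScheduledTask -InputObject $task
foreach ($t in $def.Task.Triggers.ChildNodes) {
    $detail = switch ($t.LocalName) {
        'WnfStateChangeTrigger'     { 'StateName='   + $t.StateName }
        'SessionStateChangeTrigger' { 'StateChange=' + $t.StateChange }
        default                     { '' }
    }
    'Trigger   : {0,-26} id={1,-32} {2} Enabled={3}' -f $t.LocalName, $t.id, $detail, $t.Enabled
}

# 2. Can the current user create directories in the folder the task cleans up?
if (-not (Test-Path -LiteralPath $ukpDir -PathType Container)) {
    "UKP directory not present: $ukpDir"
    return
}
'ACL for {0}:' -f $ukpDir
(Get-Acl -LiteralPath $ukpDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# GUID-named directories already present (e.g. a marker left by a previous run:
# if it is gone after a session unlock, the task deleted it as described).
$existing = Get-ChildItem -LiteralPath $ukpDir -Directory | Where-Object { $_.Name -match $guidDir }
'Existing GUID-named directories: {0}' -f @($existing).Count
$existing | ForEach-Object { '  ' + $_.FullName }

# 3. Drop a plain marker directory that matches the task's search filter.
$marker = Join-Path $ukpDir ([guid]::NewGuid().ToString('B'))
New-Item -ItemType Directory -Path $marker -ErrorAction Stop | Out-Null
'Created marker: {0}' -f $marker
'Lock and unlock the session (SessionUnlockTrigger), then re-run this script: the marker should be gone.'
```

Run the script as the low-privileged user from a normal PowerShell prompt. A marker directory that vanishes after a lock/unlock confirms the SYSTEM-context deletion of user-created, GUID-named directories in UKP without involving any link; the symbolic-link redirection that turns this into an arbitrary folder deletion is the PoC's job, not this script's.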