A proof-of-concept tool for managing Protected Process Light (PPL) protection levels on Windows Server 2022 by exploiting vulnerabilities in the ThrottleStop driver (CVE-2025-7771).
This tool demonstrates privilege escalation through arbitrary physical memory read/write capabilities exposed by the ThrottleStop driver. It allows modification of process protection levels by directly manipulating kernel memory structures.
- Arbitrary physical memory read/write
- Virtual to physical address translation via Superfetch
- EPROCESS structure manipulation
- PPL protection level modification for any process
PPLmanager.exe -p <pid> -v <protection_level>
- `-p <pid>` - Process ID to modify
- `-v <protection_level>` - Protection level value in hexadecimal
- `-h` - Display help message
| Value | Protection Level | Description |
|---|---|---|
| 0x72 | PS_PROTECTED_SYSTEM | System protected process |
| 0x62 | PS_PROTECTED_LSA | LSA protected process |
| 0x52 | PS_PROTECTED_WINDOWS | Windows protected process |
| 0x61 | PS_PROTECTED_WINTCB_LIGHT | Windows TCB light protected process |
| 0x51 | PS_PROTECTED_WINDOWS_LIGHT | Windows light protected process |
| 0x41 | PS_PROTECTED_LSA_LIGHT | LSA light protected process |
| 0x31 | PS_PROTECTED_ANTIMALWARE_LIGHT | Antimalware light protected process |
| 0x12 | PS_PROTECTED_AUTHENTICODE | Authenticode protected process |
| 0x11 | PS_PROTECTED_AUTHENTICODE_LIGHT | Authenticode light protected process |
| 0x00 | NO_PROTECTION | No protection |
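Each value in the table is a single packed byte: bits 0-2 hold the protection type, bit 3 the audit flag, and bits 4-7 the signer. The following decoder and baseline-drift check is an added example for monitoring use, not code from this project; `decode_protection`, `protection_drift` and the sample pairs are hypothetical names and constructed data, and the signer names follow the public `PS_PROTECTED_SIGNER` enum (signer 4 is Lsa, signer 6 is WinTcb).

```c
#include <stdint.h>
#include <stdio.h>

/* PS_PROTECTION byte layout: bits 0-2 Type, bit 3 Audit, bits 4-7 Signer. */
typedef struct { uint8_t type, audit, signer; } ps_protection;

static const char *const TYPE_NAMES[] = { "None", "ProtectedLight", "Protected" };
static const char *const SIGNER_NAMES[] = {
    "None", "Authenticode", "CodeGen", "Antimalware", "Lsa",
    "Windows", "WinTcb", "WinSystem", "App"
};

/* Split a protection level byte into its three fields. */
ps_protection decode_protection(uint8_t level) {
    ps_protection p;
    p.type   = (uint8_t)(level & 0x07);
    p.audit  = (uint8_t)((level >> 3) & 0x01);
    p.signer = (uint8_t)((level >> 4) & 0x0F);
    return p;
}

const char *type_name(uint8_t t)   { return t < 3 ? TYPE_NAMES[t] : "Unknown"; }
const char *signer_name(uint8_t s) { return s < 9 ? SIGNER_NAMES[s] : "Unknown"; }

/* Compare an observed level with the expected baseline for a process.
 * Returns 0 = matches baseline, 1 = changed, 2 = protection removed. */
int protection_drift(uint8_t baseline, uint8_t observed) {
    if (baseline == observed) return 0;
    if (decode_protection(baseline).type != 0 &&
        decode_protection(observed).type == 0) return 2;
    return 1;
}

int main(void) {
    /* Constructed sample: {baseline, observed} pairs a monitoring agent might record. */
    const uint8_t samples[][2] = { {0x41, 0x41}, {0x41, 0x00}, {0x31, 0x11}, {0x00, 0x72} };
    static const char *const verdicts[] = { "ok", "CHANGED", "REMOVED" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ps_protection o = decode_protection(samples[i][1]);
        printf("baseline=0x%02X observed=0x%02X (%s/%s) -> %s\n",
               samples[i][0], samples[i][1], signer_name(o.signer),
               type_name(o.type), verdicts[protection_drift(samples[i][0], samples[i][1])]);
    }
    return 0;
}
```

A process whose observed level differs from the level it was launched with, in either direction, is worth alerting on, since the protection level is not expected to change during a process's lifetime.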
- Windows Server 2022 (tested build)
- Administrator privileges
- ThrottleStop driver loaded
Build using Visual Studio with the provided solution file:
ThrottleStopPPL.sln
The vulnerable ThrottleStop driver can be extracted from ThrottleStop.exe using Resource Hacker.
Create and start the driver service:
sc create ThrottleStop binPath="<Path to driver>" type=kernel
sc start ThrottleStop
The driver exposes the following IOCTL codes:
- `0x80006498` - Arbitrary memory read
- `0x8000649C` - Arbitrary memory write
- `0x80006430` - Arbitrary port read
- `0x80006434` - Arbitrary port write
This is a proof-of-concept for educational and research purposes only. Use responsibly and only on systems you own or have explicit permission to test.
This project is inspired by the original ThrottleStopPoC by @fxrstor.