GhostLock file-access disruption technique abuses Windows CreateFileW API for denial-of-service via exclusive share mode
Summary
A proof-of-concept tool named GhostLock demonstrates abuse of the Windows CreateFileW API’s dwShareMode parameter to lock files exclusively and block read/write access for other users or processes. The technique targets local and SMB network shares by opening files with dwShareMode=0, triggering STATUS_SHARING_VIOLATION errors. GhostLock can be executed by standard domain users without elevated privileges and may be amplified via multi-host execution, disrupting operations without data destruction. Detection is challenging as the attack generates legitimate file-open events rather than writes or encryption.
Timeline
- 12.05.2026 01:02 (1 article)
Proof-of-concept GhostLock tool released, demonstrating Windows API abuse for file-access denial-of-service
A proof-of-concept tool named GhostLock was released, demonstrating how the Windows CreateFileW API can be abused by setting dwShareMode to 0 to open files exclusively. This causes STATUS_SHARING_VIOLATION errors and blocks access to files on local and SMB network shares. The technique can be executed by standard domain users without elevated privileges and may be amplified across multiple compromised hosts, creating operational disruption without data destruction. Detection is challenging as the attack relies on legitimate file-open operations rather than writes or encryption, requiring monitoring of per-session open-file counts with ShareAccess=0 at the file server layer for reliable identification.
- New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
Information Snippets
- GhostLock abuses the CreateFileW API’s dwShareMode parameter set to 0 to open files in exclusive mode, preventing other processes from accessing them.
  First reported: 12.05.2026 01:02 (1 source, 1 article)
  - New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
- The technique affects both local files and SMB network shares, generating STATUS_SHARING_VIOLATION errors when additional access attempts are made.
  First reported: 12.05.2026 01:02 (1 source, 1 article)
  - New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
- GhostLock automates the attack by recursively opening large numbers of files on SMB shares without requiring elevated privileges.
  First reported: 12.05.2026 01:02 (1 source, 1 article)
  - New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
- Impact is primarily operational disruption; file access is restored automatically on SMB session termination, process kill, or system reboot.
  First reported: 12.05.2026 01:02 (1 source, 1 article)
  - New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
- The tool’s abuse of legitimate file-open requests reduces detection likelihood, as many security products prioritize monitoring file writes or encryption operations.
  First reported: 12.05.2026 01:02 (1 source, 1 article)
  - New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
- Detection of the attack relies on monitoring per-session open-file counts with ShareAccess=0 at the file server layer, a metric not available in Windows event logs, EDR telemetry, or network flow data.
  First reported: 12.05.2026 01:02 (1 source, 1 article)
  - New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
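
One way to apply the per-session ShareAccess=0 count described above, as an added example that is not from the GhostLock tool or the source article. The record layout, sample rows and thresholds are assumptions; the page does not say how a file server exposes this data.

```python
from collections import defaultdict

def build_sample():
    """Constructed open-handle records: (session_id, user, client, path, share_access).
    The layout is hypothetical; share_access is the FILE_SHARE_* bitmask
    (0 = no sharing, 1 = read, 2 = write, 4 = delete)."""
    rows = [
        ("101", r"CORP\alice", "10.0.0.21", r"\\fs01\finance\q1.xlsx", 0),
        ("101", r"CORP\alice", "10.0.0.21", r"\\fs01\finance\notes.txt", 3),
    ]
    # A backup-style session: many opens, all of them shared for read.
    rows += [("150", r"CORP\svc-backup", "10.0.0.5",
              rf"\\fs01\archive\set{i}.bak", 1) for i in range(60)]
    # A session holding many exclusive opens spread over several directories.
    rows += [("202", r"CORP\bob", "10.0.0.37",
              rf"\\fs01\projects\d{i % 5}\file{i}.docx", 0) for i in range(40)]
    return rows

def flag_exclusive_sessions(records, min_exclusive=25, min_ratio=0.9):
    """Return sessions whose open handles are mostly ShareAccess=0.
    Both thresholds are assumed values; tune them against a local baseline."""
    stats = defaultdict(lambda: {"user": None, "client": None,
                                 "total": 0, "exclusive": 0, "dirs": set()})
    for session_id, user, client, path, share_access in records:
        s = stats[session_id]
        s["user"], s["client"] = user, client
        s["total"] += 1
        if share_access == 0:
            s["exclusive"] += 1
            s["dirs"].add(path.rsplit("\\", 1)[0])  # parent directory of the file
    flagged = []
    for session_id, s in stats.items():
        ratio = s["exclusive"] / s["total"]
        # Require volume AND dominance so a single exclusive open is not flagged.
        if s["exclusive"] >= min_exclusive and ratio >= min_ratio:
            flagged.append({"session_id": session_id, "user": s["user"],
                            "client": s["client"], "exclusive": s["exclusive"],
                            "ratio": ratio, "directories": len(s["dirs"])})
    return sorted(flagged, key=lambda f: f["exclusive"], reverse=True)

if __name__ == "__main__":
    for hit in flag_exclusive_sessions(build_sample()):
        print(hit)
```

Because access returns when the SMB session ends, a flagged session ID and client address identify what to close on the file server.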