I'm scarcely able to believe this one: http://breakingmalware.com/vulnerab...sing-windows-10-protections-using-single-bit/ Window scrollbars are implemented as kernel objects. They're drawn using special system calls. Yes, really. And there was a use-after-free vulnerability in the implementation. *bangs head on desk* Edit: correct title should be "... using window scrollbars."