Vendor: Windows 10
By: Project Zero
CVSS: 6.5 (MEDIUM)
Type: Security Feature Bypass
CWE: 287
Product Name: Windows 10
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 10
Year: 2018

Windows: Custom Font Disable Policy Bypass

It’s possible to bypass the ProcessFontDisablePolicy check in win32k to load a custom font from an arbitrary file on disk, even in a sandbox. This might be used as part of a chain to elevate privileges. If anything, this is a useful demonstration that you probably want to shut down object manager directory shadowing as part of the sandbox mitigations, even if you don’t fix the explicit bypass. The issue is a race condition in the check, which looks similar to the following (reconstructed pseudocode; the path is resolved once for the check and again for the load):

    int WIN32K::bLoadFont(...) {
        int load_option = GetCurrentProcessFontLoadingOption();
        bool system_font = true;
        if (load_option) {
            HANDLE hFile = hGetHandleFromFilePath(FontPath);  // <- First open of path
            system_font = bIsFileInSystemFontsDir(hFile);     // <- Should return TRUE
            ZwClose(hFile);                                   // <- Checked handle is discarded
            if (!system_font) {
                LogFontLoadAttempt(FontPath);
                if (load_option == 2)
                    return 0;
            }
        }
        // Switch out path here: the binding of FontPath can change between the check above and the open below
        HANDLE hFont = hGetHandleFromFilePath(FontPath);      // <- Will open our custom font
        // Map font as section
    }
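The same check/use split, as an added, constructed example (not Project Zero's code and not win32k): the racy loader resolves the path once for the trust check and a second time for the load, while the hardened loader performs the check and the load on one descriptor. The trust check (device/inode match against the file present at setup), the swap hook and the file names are stand-ins of my own; the path rebinding that the real bug achieved through object manager directory shadowing is modelled here with rename() inside a fresh temporary directory. Assumes a POSIX system with a writable TMPDIR or /tmp.

```c
/* Constructed TOCTOU demonstration: check-by-path-then-reopen vs. check-and-use
 * on one descriptor. Not the win32k code; file names and hook are stand-ins. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

typedef void (*window_hook_t)(const char *path, const char *other);

/* Trust check on an already-open descriptor: the open file must be the one
 * recorded at setup (stand-in for bIsFileInSystemFontsDir on hFile). */
static int fd_is_trusted(int fd, const struct stat *trusted)
{
    struct stat st;
    return fstat(fd, &st) == 0 &&
           st.st_dev == trusted->st_dev && st.st_ino == trusted->st_ino;
}

static int read_all(int fd, char *out, size_t outlen)
{
    ssize_t n = read(fd, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Racy pattern, as in the pseudocode: check one handle, close it, then
 * resolve the same path a second time for the actual load. */
static int load_font_racy(const char *path, const char *other,
                          const struct stat *trusted, window_hook_t hook,
                          char *out, size_t outlen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int ok = fd_is_trusted(fd, trusted);
    close(fd);                          /* checked handle is discarded */
    if (!ok) return -1;                 /* policy blocks the load here */
    if (hook) hook(path, other);        /* the window: path binding changes */
    fd = open(path, O_RDONLY);          /* second resolution of the same path */
    if (fd < 0) return -1;
    int rc = read_all(fd, out, outlen);
    close(fd);
    return rc;
}

/* Hardened pattern: resolve once; check and load through the same descriptor. */
static int load_font_safe(const char *path, const char *other,
                          const struct stat *trusted, window_hook_t hook,
                          char *out, size_t outlen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (!fd_is_trusted(fd, trusted)) { close(fd); return -1; }
    if (hook) hook(path, other);        /* same change, but fd is unaffected */
    int rc = read_all(fd, out, outlen);
    close(fd);
    return rc;
}

/* Models the path rebinding (directory shadowing in the real bug) with rename(). */
static void swap_binding(const char *path, const char *other) { rename(other, path); }

static int write_file(const char *p, const char *data)
{
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* (Re)creates the trusted file and the stand-in for the untrusted one. */
static int setup(const char *path, const char *other, struct stat *trusted)
{
    if (write_file(path, "TRUSTED-FONT") || write_file(other, "UNTRUSTED")) return -1;
    return stat(path, trusted);
}

/* Runs both loaders in a fresh temp dir. Returns 1 when the racy loader read the
 * swapped-in file while the hardened loader read the file it checked, 0 otherwise,
 * -1 on setup failure. */
int demo_toctou(char *racy_out, size_t rlen, char *safe_out, size_t slen)
{
    const char *tmp = getenv("TMPDIR");
    char dir[512], path[600], other[600];
    snprintf(dir, sizeof dir, "%s/fontdemo.XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/font.ttf", dir);
    snprintf(other, sizeof other, "%s/other.ttf", dir);
    struct stat trusted;
    int result = -1;
    if (setup(path, other, &trusted) == 0 &&
        load_font_racy(path, other, &trusted, swap_binding, racy_out, rlen) == 0 &&
        setup(path, other, &trusted) == 0 &&
        load_font_safe(path, other, &trusted, swap_binding, safe_out, slen) == 0)
        result = strcmp(racy_out, "UNTRUSTED") == 0 && strcmp(safe_out, "TRUSTED-FONT") == 0;
    unlink(path); unlink(other); rmdir(dir);
    return result;
}

int main(void)
{
    char r[64] = "", s[64] = "";
    int bypassed = demo_toctou(r, sizeof r, s, sizeof s);
    printf("racy loader read:     %s\nhardened loader read: %s\n", r, s);
    return bypassed == 1 ? 0 : 1;
}
```

The point to take from the run is that the hardened loader is not immune because the swap failed; the swap happens in both runs, but a check performed on a descriptor only says something about that descriptor, so the load has to go through the same one.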

Mitigation:

Shut down object manager directory shadowing as part of the sandbox mitigations.