SYSTEM writes the file, correctly, with the right ACL, to the exact path the installer asked for. A standard user already pointed that path at System32 before the installer started.
Junction Preemption
A privileged process writes to a directory it never pre-created with restrictive permissions. A standard user occupies the path first as an NTFS junction. The privileged write follows the attacker's redirection.
Mechanism
Privileged process writes into a directory it didn't pre-create with restrictive ACLs. C:\ProgramData\Vendor\stage is writable by any user. Attacker creates Vendor\ first and makes it a junction to C:\Windows\System32. The installer resolves the path, NTFS walks through the junction, the privileged write lands in System32 with whatever ACL the installer set. The privilege check passed. At an address the attacker chose.
The variants change the bait, not the shape. Printer drivers stage spool files in user-writable temp paths. Antivirus uninstallers drop quarantine logs under Temp because the install lived there. Update services unpack downloads in ProgramData because that's the convention. Each is one missing SECURITY_ATTRIBUTES away from the same redirection.
Code that does call CreateDirectory before writing doesn't escape the pattern unless it passes a restrictive SECURITY_ATTRIBUTES on creation. The default inherits from the parent, and ProgramData's parent allows everyone-create-subdirectory. So the privileged code creates the dir, the dir inherits the loose ACL, the attacker still wins on the next install or update cycle.
Defenses that check after the fact (GetFileSecurity after open, attribute inspection on the resulting file) are decoration. The handle is already on the redirected target. The write has happened. The ACL on the resulting file reflects the attacker's choice, not the installer's intent.
Exhibits
Boundaries
Not TOCTOU. The junction is in place before the privileged work starts. There is no race window for the defender to shrink, no timing-sensitive code to audit. The attacker wins deterministically by existing there first.
Not generic symlink-following. Junctions resolve at the NTFS driver below most process-level reparse guards. Code that assumes O_NOFOLLOW-style protections carry over from POSIX intuition will miss this; Windows requires explicitly setting FILE_FLAG_OPEN_REPARSE_POINT and inspecting the reparse attribute.
Defender playbook
Pre-create every privileged-writable directory at install time with an ACL that denies non-admin write. Resolve paths only after your code owns the directory. First-write assumptions are the bug; take ownership explicitly.
Open paths with FILE_FLAG_OPEN_REPARSE_POINT and reject reparse targets before writing. Check FILE_ATTRIBUTE_REPARSE_POINT on every directory in the resolution chain, not just the leaf. A junction anywhere along the way is a redirect you didn't authorize.
During code review, treat every CreateFile/CreateDirectory against a path under user-writable space as a load-bearing security choice. Require a pre-validated handle on the parent directory and explicit SECURITY_ATTRIBUTES on creation. Static analyzers can flag the pattern; exceptions need justification, not boilerplate.
Kinship
TOCTOU That Isn't. Junction-preemption is the canonical example of a TOCTOU That Isn't. The "race" framing in advisories misdirects the fix toward atomicity primitives, but the attacker placed the junction long before the privileged process started. The fix is directory ownership, not a tighter window.
Symlinks don't suck. Writing to a directory you don't own does.