Posted by Mateusz Jurczyk, Google Project Zero

In the 20-month period between May 2022 and December 2023, I thoroughly audited the Windows Registry in search of local privilege escalation bugs. It all started unexpectedly: I was in the process of developing a coverage-based Windows kernel fuzzer based on the Bochs x86 emulator (one of my favorite tools for security research: see Bochspwn, Bochspwn Reloaded, and my earlier font fuzzing infrastructure), and needed some binary formats to test it on. My first pick were PE files: they are very popular in the Windows environment, which makes it easy to create an initial corpus of input samples, and a basic fuzzing harness is equally easy to develop with just a single GetFileVersionInfoSizeW API call. The test was successful: even though I had previously fuzzed PE files in 2019, the new element of code coverage guidance allowed me to discover a completely new bug: issue #2281.

For my next target, I chose the Windows registry. That's because arbitrary registry hives can be loaded from disk without any special privileges via the RegLoadAppKey API (since Windows Vista). The hives use a binary format and are fully parsed in the kernel, making them a noteworthy local attack surface. Furthermore, I was also somewhat familiar with basic harnessing of the registry, having fuzzed it in 2016 together with James Forshaw. Once again, the code coverage support proved useful, leading to the discovery of issue #2299. But when I started to perform a root cause analysis of the bug, I realized that:

• The hive binary format is not very well suited for trivial bitflipping-style fuzzing, because it is structurally simple, and random mutations are much more likely to render (parts of) the hive unusable than to trigger any interesting memory safety violations.
• On the other hand, the registry has many properties that make it an attractive attack surface for further research, especially for manual review. It is 30+ years old, written in C, running in kernel space but highly accessible from user-mode, and it implements much more complex logic than I had previously imagined.

And that's how the story starts. Instead of further refining the fuzzer, I made a detour to reverse engineer the registry implementation in the Windows kernel (internally known as the Configuration Manager) and learn more about its inner workings. The more I learned, the more hooked I became, and before long, I was all-in on a journey to audit as much of the registry code as possible. This series of blog posts is meant to document what I've learned about the registry, including its basic functionality, advanced features, security properties, typical bug classes, case studies of specific vulnerabilities, and exploitation techniques.

While this blog is one of the first places to announce this effort, I did already give a talk titled "Exploring the Windows Registry as a powerful LPE attack surface" at Microsoft BlueHat Redmond in October 2023 (see slides and video recording). The upcoming blog posts will go into much deeper detail than the presentation, but if you're particularly curious and can't wait to find out more, feel free to check these resources as a starter. 🙂

Research results

In the course of the research, I filed 39 bug reports in the Project Zero bug tracker, which have been fixed by Microsoft as 44 CVEs. There are a few reasons for the discrepancy between these numbers:

• Some single reports included information about multiple problems, e.g. issue #2375 was addressed by four CVEs,
• Some groups of reports were fixed with a single patch, e.g. issues #2392 and #2408 as CVE-2023-23420,
• One bug report was closed as WontFix and not addressed in a security bulletin at all (issue #2508).

All of the reports were submitted under the Project Zero 90-day disclosure deadline policy, and Microsoft successfully met the deadline in all cases. The average time from report to fix was 81 days.

Furthermore, between November 2023 and January 2024, I reported 20 issues that had low or unclear security impact, but I believed the vendor should nevertheless be made aware of them. They were sent without a disclosure deadline and weren't put on the PZ tracker; I have since published them on our team's GitHub. Upon assessment, Microsoft decided to fix 6 of them in a security bulletin in March 2024, while the other 14 were closed as WontFix with the option of being addressed in a future version of Windows.

This sums up to a total of 50 CVEs, classified by Microsoft as:

• 39 × Windows Kernel Elevation of Privilege Vulnerability
• 9 × Windows Kernel Information Disclosure Vulnerability
• 1 × Windows Kernel Memory Information Disclosure Vulnerability
• 1 × Windows Kernel Denial of Service Vulnerability

A full summary of the security-serviced bugs is shown below:

GPZ #	CVE	Title	Reported	Fixed
2295	CVE-2022-34707	Windows Kernel use-after-free due to refcount overflow in registry hive security descriptors	2022-May-11	2022-Aug-09
2297	CVE-2022-34708	Windows Kernel invalid read/write due to unchecked Blink cell index in root security descriptor	2022-May-17
2299	CVE-2022-35768	Windows Kernel multiple memory problems when handling incorrectly formatted security descriptors in registry hives	2022-May-20
2318	CVE-2022-37956	Windows Kernel integer overflows in registry subkey lists leading to memory corruption	2022-Jun-22	2022-Sep-13
2330	CVE-2022-37988	Windows Kernel registry use-after-free due to bad handling of failed reallocations under memory pressure	2022-Jul-8	2022-Oct-11
2332	CVE-2022-38037	Windows Kernel memory corruption due to type confusion of subkey index leaves in registry hives	2022-Jul-11
2341	CVE-2022-37990	Windows Kernel multiple memory corruption issues when operating on very long registry paths	2022-Aug-3
	CVE-2022-38039
	CVE-2022-38038
2344	CVE-2022-37991	Windows Kernel out-of-bounds reads and other issues when operating on long registry key and value names	2022-Aug-5
2359	CVE-2022-44683	Windows Kernel use-after-free due to bad handling of predefined keys in NtNotifyChangeMultipleKeys	2022-Sep-22	2022-Dec-13
2366	CVE-2023-21675	Windows Kernel memory corruption due to insufficient handling of predefined keys in registry virtualization	2022-Oct-6	2023-Jan-10
2369	CVE-2023-21747	Windows Kernel use-after-free due to dangling registry link node under paged pool memory pressure	2022-Oct-13
2389	CVE-2023-21748	Windows Kernel registry virtualization incompatible with transactions, leading to inconsistent hive state and memory corruption	2022-Nov-30
2375		Windows Kernel multiple issues in the key replication feature of registry virtualization	2022-Oct-25
	CVE-2023-21772
	CVE-2023-21773
	CVE-2023-21774
2378	CVE-2023-21749	Windows Kernel registry SID table poisoning leading to bad locking and other issues	2022-Oct-31
	CVE-2023-21776
2379	CVE-2023-21750	Windows Kernel allows deletion of keys in virtualizable hives with KEY_READ and KEY_SET_VALUE access rights	2022-Nov-2
2392	CVE-2023-23420	Windows Kernel multiple issues with subkeys of transactionally renamed registry keys	2022-Dec-7	2023-Mar-14
2408		Windows Kernel insufficient validation of new registry key names in transacted NtRenameKey	2023-Jan-13
2394	CVE-2023-23421	Windows Kernel multiple issues in the prepare/commit phase of a transactional registry key rename	2022-Dec-14
	CVE-2023-23422
	CVE-2023-23423
2410	CVE-2023-28248	Windows Kernel CmpCleanupLightWeightPrepare registry security descriptor refcount leak leading to UAF	2023-Jan-19	2023-Apr-11
2418	CVE-2023-28271	Windows Kernel disclosure of kernel pointers and uninitialized memory through registry KTM transaction log files	2023-Jan-31
2419	CVE-2023-28272	Windows Kernel out-of-bounds reads when operating on invalid registry paths in CmpDoReDoCreateKey/CmpDoReOpenTransKey	2023-Feb-2
	CVE-2023-28293
2433	CVE-2023-32019	Windows Kernel KTM registry transactions may have non-atomic outcomes	2023-Mar-7	2023-Jun-13
2445	CVE-2023-35356	Windows Kernel arbitrary read by accessing predefined keys through differencing hives	2023-Apr-19	2023-Jul-11
2452		Windows Kernel CmDeleteLayeredKey may delete predefined tombstone keys, leading to security descriptor UAF	2023-May-10
2446	CVE-2023-35357	Windows Kernel may reference unbacked layered keys through registry virtualization	2023-Apr-20
2447	CVE-2023-35358	Windows Kernel may reference rolled-back transacted keys through differencing hives	2023-Apr-27
2449	CVE-2023-35382	Windows Kernel renaming layered keys doesn't reference count security descriptors, leading to UAF	2023-May-2	2023-Aug-8
2454	CVE-2023-35386	Windows Kernel out-of-bounds reads due to an integer overflow in registry .LOG file parsing	2023-May-15
2456	CVE-2023-38154	Windows Kernel partial success of registry hive log recovery may lead to inconsistent state and memory corruption	2023-May-22
2457	CVE-2023-38139	Windows Kernel doesn't reset security cache during self-healing, leading to refcount overflow and UAF	2023-May-31	2023-Sep-12
2462	CVE-2023-38141	Windows Kernel passes user-mode pointers to registry callbacks, leading to race conditions and memory corruption	2023-Jun-26
2463	CVE-2023-38140	Windows Kernel paged pool memory disclosure in VrpPostEnumerateKey	2023-Jun-27
2464	CVE-2023-36803	Windows Kernel out-of-bounds reads and paged pool memory disclosure in VrpUpdateKeyInformation	2023-Jun-27
2466	CVE-2023-36576	Windows Kernel containerized registry escape through integer overflows in VrpBuildKeyPath and other weaknesses	2023-Jul-7	2023-Oct-10
2479	CVE-2023-36404	Windows Kernel time-of-check/time-of-use issue in verifying layered key security may lead to information disclosure from privileged registry keys	2023-Aug-10	2023-Nov-14
2480	CVE-2023-36403	Windows Kernel bad locking in registry virtualization leads to race conditions	2023-Aug-22
2492	CVE-2023-35633	Windows registry predefined keys may lead to confused deputy problems and local privilege escalation	2023-Oct-6	2023-Dec-12
2511	CVE-2024-26182	Windows Kernel subkey list use-after-free due to mishandling of partial success in CmpAddSubKeyEx	2023-Dec-13	2024-Mar-12
None (MSRC-84131)	CVE-2024-26174	Windows Kernel out-of-bounds read of key node security in CmpValidateHiveSecurityDescriptors when loading corrupted hives	2023-Nov-29
None (MSRC-84149)	CVE-2024-26176	Windows Kernel out-of-bounds read when validating symbolic links in CmpCheckValueList	2023-Nov-29
None (MSRC-84046)	CVE-2024-26173	Windows Kernel allows the creation of stable subkeys under volatile keys via registry transactions	2023-Nov-30
None (MSRC-84228)	CVE-2024-26177	Windows Kernel unsafe behavior in CmpUndoDeleteKeyForTrans when transactionally re-creating registry keys	2023-Dec-1
None (MSRC-84237)	CVE-2024-26178	Windows Kernel security descriptor linked list confusion in CmpLightWeightPrepareSetSecDescUoW	2023-Dec-1
None (MSRC-84263)	CVE-2024-26181	Windows Kernel registry quota exhaustion may lead to permanent corruption of the SAM database	2023-Dec-11

Exploitability

Software bugs are typically only interesting to either the offensive/defensive sides of the security community if they have practical security implications. Unfortunately, it is impossible to give a blanket statement regarding the exploitability of all registry-related vulnerabilities due to their sheer diversity on a number of levels:

• Affected platforms: Windows 10, Windows 11, various Windows Server versions (32/64-bit)
• Attack targets: the kernel itself, drivers implementing registry callbacks, privileged user-mode applications/services
• Entry points: direct registry operations, hive loading, transaction log recovery
• End results: memory corruption, broken security guarantees, broken API contracts, memory/pointer disclosure, out-of-bounds reads, invalid/controlled cell index accesses
• Root cause of issues: C-specific, logic errors, bad reference counting, locking problems
• Nature of memory corruption: temporal (use-after-free), spatial (buffer overflows)
• Types of corrupted memory: kernel pools, hive data
• Exploitation time: instant, up to several hours

As we can see, there are multiple factors at play that determine how the bugs came to be and what state they leave the system in after being triggered. However, to get a better understanding of the impact of the findings, I have performed a cursory analysis of the exploitability of each bug, trying to classify it as either "easy", "moderate" or "hard" to exploit according to my current knowledge and experience (this is of course highly subjective). The proportions of these exploitability ratings are shown in the chart below:

The ratings were largely based on the following considerations:

• Hive-based memory corruption is generally considered easy to exploit, while pool-based memory corruption is considered moderate/hard depending on the specifics of the bug.
• Triggering OOM-type conditions in the hive space is easy, but completely exhausting the kernel pools is more difficult and intrusive.
• Logic bugs are typically easier and more reliable to exploit than memory corruption.
• The kernel itself is typically easier to attack than other user-mode processes (system services etc.).
• Direct information disclosure (leaking kernel pointers / uninitialized memory via various channels) is usually straightforward to exploit.
• However, random out-of-bounds reads, as well as read access to invalid/controlled cell indexes is generally hard to do anything useful with.

Overall, it seems that more than half of the findings can be feasibly exploited for information disclosure or local privilege escalation (rated easy or moderate). What is more, many of them exhibit registry-specific bug classes which can enable particularly unique exploitation primitives. For example, hive-based memory corruption can be effectively transformed into both a KASLR bypass and a fully reliable arbitrary read/write capability, making it possible to use a single bug to compromise the kernel with a data-only attack. To demonstrate this, I have successfully developed exploits for CVE-2022-34707 and CVE-2023-23420. The outcome of running one of them to elevate privileges to SYSTEM on Windows 11 is shown on the screenshot below:

Upcoming posts in this series will introduce you to the Windows registry as a system mechanism and as an attack surface, and will dive deeper into practical exploitation using hive memory corruption, out-of-bounds cell indexes and other amusing techniques. Stay tuned!

by Nicole Carr, ProPublica, and Mike Jordan, The Atlanta Journal-Constitution

ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up for Dispatches, a newsletter that spotlights wrongdoing around the country, to receive our stories in your inbox every week.

When Ryan Millsap arrived in Atlanta from California a decade ago, the real estate investor set his sights on becoming a major player in Georgia’s booming film industry. In just a few years, he achieved that, opening a movie studio that attracted big-budget productions like “Venom,” Marvel’s alien villain, and “Lovecraft Country,” HBO’s fictional drama centered on the racial terror of Jim Crow America.

As he rose to prominence, Millsap cultivated important relationships with Black leaders and Jewish colleagues and won accolades for his commitment to diversity. But allegations brought by his former attorney present a starkly different picture. In private conversations, court documents allege, Millsap expressed racist and antisemitic views.

Various filings in an ongoing legal fight show Millsap, who is white, making derogatory comments regarding race and ethnicity, including complaints about “Fucking Black People” and “nasty Jews.”

“Ryan’s public persona is different from who he is,” John Da Grosa Smith, Millsap’s former attorney, alleges in one filing, adding: “Ryan works hard to mislead and hide the truth. And he is very good at it.”

Smith submitted troves of text messages between Millsap and his former girlfriend as evidence in two separate cases in Fulton County Superior Court. The messages, reviewed by ProPublica and The Atlanta Journal-Constitution, represent a fraction of the evidence in a complex, yearslong dispute centered on compensation for the work Smith performed for Millsap.

In response to a request for an interview about the text messages and related cases, Millsap wrote that this “sounds like a strange situation,” asking “how this came up” and requesting to review the material. After ProPublica and the AJC provided the material cited in this story, he did not respond to multiple requests for comment.

Many of the text messages filed with the court were sent in 2019, an important year for Millsap. He was planning an expansion of his Blackhall Studios that would nearly triple its soundstage space. Instead, Millsap ended up selling Blackhall, now called Shadowbox, for $120 million in 2021. The following year he announced plans to build a massive new complex in Newton County, about 40 miles east of Atlanta.

Smith started working for Millsap in August 2019, representing the film executive and his companies in a lawsuit brought by a business associate who claimed a stake in Blackhall. In May 2020, Smith became Blackhall Real Estate’s chief legal counsel.

Their relationship soured in early 2021. In the ensuing feud, Smith claimed that Millsap had promised him a third of his family company, as well as compensation for extra legal work — and, in a letter from his attorney, demanded that Millsap pay him $24 million within four business days: “We, however, have no interest in harming Mr. Millsap or disrupting his deal, his impending marriage, his future deals, or anything else.”

In the arbitration proceeding that followed, Millsap’s attorneys described the letter as “extortionate” and claimed that Smith was trying to “blow up” Millsap’s personal and business life and stall the sale of Blackhall Studios. “Smith breached the most sacred of bonds that exist between a lawyer and his or her clients: the duty of loyalty,” lawyers for Millsap later wrote.

In the same proceeding, Smith accused Millsap of firing him after he raised allegations of a hostile and discriminatory workplace, referencing Millsap’s text messages. Smith’s late father was Jewish.

In January 2023, an arbitrator sided with Millsap, ordering that Smith pay him and his companies $3.7 million for breach of contract and breach of fiduciary duty. She ruled that Smith’s conduct was “egregious and intended to inflict economic injury on his clients.”

Through his attorney, Smith declined to be interviewed. In response to a list of questions, he wrote, “This has been a tireless campaign of false narratives and retaliation against me for more than three years.” He claimed that his employment agreement with Millsap guaranteed him a cut of the profits he helped generate and that an expert estimated his share to be between $17 million and $39 million.

Even as Millsap won his legal fight with his former attorney, Smith has continued to press the court battle. In an April 2023 motion to vacate, Smith called the arbitration process a “sham” and the award a “fraud,” and he is now appealing a judge’s decision to uphold the award. In January, a lawyer for Smith filed hundreds of pages of Millsap’s texts in a separate legal dispute in which Millsap is not a party.

In a city with dominant Black representation and a significant Jewish population, maintaining a positive relationship with these communities — or at least the appearance of one — is essential to doing business.

“Mr. Millsap knows,” Smith alleged in one filing, “these text messages are perilous for him.”

On a Thursday night in January 2019, Millsap stood near the pulpit at Welcome Friend Baptist, a Black church 10 miles from downtown Atlanta in DeKalb County, near where he was planning the expansion of his movie studio.

Securing support from the community would be key in convincing the county commission to approve a land-swap deal that would be necessary for the expansion. Several commissioners saw the project, including Millsap’s promise to create thousands of jobs, as a way to revitalize the area.

Dozens of longtime residents, most of them Black, sat in the sanctuary’s colorful upholstered chairs. The attendees received information sheets on Blackhall’s plans, which cited $3.8 million in public improvements, including the creation of a new public park. They asked about internship opportunities for their children and restaurants Millsap might help bring.

Millsap raised the possibility of a restaurant, one he said could offer healthy meals. Several older Black women in the church nodded in agreement and one clapped, Millsap’s pitch seemingly helping him appeal to those whose buy-in he needed.

Two months later, Millsap sent his then-girlfriend a text that Smith’s lawyers later alleged shows he “laments his political work with African Americans and his distaste for having to do it.”

In the text exchange, which was filed in court, Millsap wrote: “Well, it’s like me w black people in ATL!! Bahahahahaha!! Political nonsense everywhere!! … I’m so ready to be finished w that.”

Messages sent between Ryan Millsap (green) and Christy Hockmeyer (blue) in 2019 (Screenshot from a court exhibit filed by John Da Grosa Smith’s attorney in January)

In another text filed in court, Millsap’s girlfriend alluded to the damage she’d caused another vehicle in a car accident: “So the black girl wants $2500 to fix her car on a quote that was $1800.” He responded that she should pay the woman rather than filing an insurance claim, adding, “Fucking Black People.”

Messages sent between Ryan Millsap (green) and Christy Hockmeyer (blue) in 2019 (Screenshot from a court exhibit filed by John Da Grosa Smith’s attorney in January)

Court records and Millsap’s own testimony show that his girlfriend at the time, Christy Hockmeyer, was an investor in his real estate company, and their text messages show she played an active role in his business dealings. In a filing that claims the company had a “hostile and discriminatory work environment,” Smith alleged that Blackhall Real Estate “through its CEO, Ryan Millsap, and one of its influential investors, Christy Hockmeyer, disfavors African- Americans and Jews.”

When Hockmeyer texted Millsap after a doctor’s visit, complaining that a nurse was “retarded,” Millsap responded: “Not shocked. Black or Asian?” Hockmeyer wrote back: “Black.” Millsap replied, “Yes.”

Messages sent between Ryan Millsap (green) and Christy Hockmeyer (blue) in 2019 (Screenshot from a court exhibit filed by John Da Grosa Smith’s attorney in January)

In other exchanges filed with the court, Hockmeyer complained to Millsap, “My uber driver smells like a black person. Yuck!” He echoed her sentiment, writing back, “Yuck!” While on a flight, Hockmeyer wrote to Millsap that a “large smelly black man is seated next to me.” Millsap wrote back, “Yucko!!”

And while passing through an airport in France, Millsap texted Hockmeyer, “The smells here are unreal” and “I can't even imagine if your sensitive nose was here!!”

Hockmeyer responded, “I am so self conscious about bodily smells because there is nothing worse. I mean. Makes you dread it when you see a black person.”

Messages sent between Ryan Millsap (green) and Christy Hockmeyer (blue) in 2019 (Screenshot from a court exhibit filed by John Da Grosa Smith’s attorney in January)

Smith alleged that the conversations between Millsap and Hockmeyer reveal how they think about people with whom they conduct business. “The insidious belief that ‘black’ people are beneath them and not worthy of being hired is a theme that persists in their private writings to one another,” Smith said in the filing.

At a time in 2019 when Millsap was looking to hire an executive with a track record in the Atlanta film industry, Hockmeyer texted him that he might consider bringing on someone from Tyler Perry Studios, a 12-stage southwest Atlanta lot named after its founder, one of the highest-profile Black film producers in the country. “And taking someone from Tyler Perry would be fine too,” she wrote in a text exchange filed with the court. “As long as they are white.”

She also offered another name for Millsap to consider, adding: “He’s even a Jew. That’s good for this role.” Millsap responded, “Teeny tiniest Jew.”

On another occasion, Hockmeyer “opined that Anglo-Americans do not do business with Jewish people,” Smith alleged in a court filing, referencing a text message exchange in which she wrote to Millsap: “You know why wasps won’t do deals with Jews? Because they know that Jews have a different play book and they might get screwed.” Smith also claimed in a court filing that Millsap described to Hockmeyer “a terrible meeting with one of the most nasty Jews I’ve ever encountered.”

In an email to ProPublica and the AJC, Hockmeyer wrote: “I severed all personal and professional ties with Mr. Millsap years ago because our values, ethics, and beliefs did not align. As a passive investor in Blackhall, I was not involved in the day-to-day operations of the company, nor have I been party to any of the lawsuits involving Blackhall. I consistently encouraged Mr. Millsap to treat his investors and community supporters with fairness and respect.”

In a subsequent email, she apologized for the texts between her and Millsap. “There were times when I may have become angry or emotional and tacitly acknowledged statements he made or said things that do not reflect my values or beliefs, and I deeply regret that,” she wrote, adding: “I made comments and used language that was inappropriate. I referred to people in ways I shouldn’t have. I’m sincerely sorry for what I said. Those comments do not reflect who I am and I disavow racism and antisemitism as a whole.”

Smith claimed in a court filing that Millsap regularly expressed disrespect toward Jewish people, describing three of his Jewish colleagues and investors as “the Jew crew,” calling one of them “a greedy Israelite” and saying another had “Jew jitsued” him. Millsap concluded, according to Smith, that “no friendship comes before money in that tribe.”

During the arbitration, Millsap testified in August 2022 that his remarks about people of the Jewish faith constituted “locker room talk.”

In December 2019, Millsap received several warnings from Hockmeyer, according to arbitration records that highlight excerpts from some of her text messages. (Other exhibits in the case show the couple’s relationship had become strained around that time.)

“Ryan you have to understand why people are over your bulls**t,” she wrote that month, according to the records. “They feel lied to taken advantage of and stolen from.”

The following month, she wrote: “Wow. You are going to get lit the f**k up. Holy s**t you are such a bad person. You are a f**king crook!”

During the arbitration hearing, one of Smith’s attorneys asked Millsap about some of Hockmeyer’s December 2019 warnings. He responded, “These are the text messages of a very angry ex-girlfriend.”

As Smith began taking on more responsibility for his client in 2020, Millsap continued to connect with Black influencers and cement himself as a cultural force in Atlanta.

In December of that year, Millsap was a guest on an episode of actor and rapper T.I.’s “Expeditiously” podcast. After discussing the differences between the Atlanta and Los Angeles entertainment markets, Millsap praised what he called “a very robust, Black creative vortex” in Atlanta. And he went on to offer more praise. “There seems like a particular magic in Atlanta about being Black.”

He also talked about his studio expansion plans amid the land-swap deal in a majority-Black DeKalb County neighborhood, telling T.I., “It’s been a fascinating study in race actually.”

Millsap went on to explain how his business interests aligned with the desires of residents. “What pushed this through was Black commissioners supporting their Black residents who wanted to see this happen, right?” he said. “They’re fighting against one white commissioner and a lot of her white constituents who took it upon themselves to be against this when they’re not even the residents who live nearby.”

One evening in August 2021, Millsap stepped onto the stage at the Coca-Cola Roxy theater in Cobb County. He and a dozen other people had been named the year’s Most Admired CEOs, an honor awarded by the Atlanta Business Chronicle. The CEO’s were recognized for, among other things, their “commitment to diversity in the workplace.”

As the dispute between Smith and Millsap unfolded, Millsap expanded his business interests to Newton County, where he purchased a $14 million, 1,500-acre lot in 2022. He said at the time that his vision is to make Georgia a “King Kong of entertainment” by building a production complex on the site and launching a streaming service that, in his words, would be “something on the scale of Netflix.” He later invested in a vodka brand with the aim, he said, of it becoming “quintessentially” Georgia, “like Coca-Cola and Delta.”

Earlier this year, Millsap sat down in his stately home office, decorated with Atlanta-centric trinkets like a model Delta plane, to record an episode of his “Blackhall Podcast with Ryan Millsap.” T.I. has been a guest, as have Isaac Hayes III, son of the iconic soul singer Isaac Hayes and a social media startup founder, and Speech, the frontman for the Atlanta-based, Grammy-winning musical act Arrested Development.

On this day, Millsap talked about race and culture, pointing out that one of his best friends is a “Persian Jew in LA.”

Millsap noted that his understanding of “Black and white” was formed on the West Coast, where he had “a lot of Black friends” — “very Caucasian Black people” who had adopted white cultural norms.

“I grew up thinking like I had no racial prejudice of any kind,” Millsap said. “I thought we were beyond all that stuff.”

Rosie Manins of The Atlanta Journal-Constitution contributed reporting.