Full Report
Google researcher sits on UAC bypass for ages, only for it to become valid with new security feature Microsoft patched a bevy of bugs that allowed bypasses of Windows Administrator Protection before the feature was made available earlier this month.…
Analysis Summary
# Vulnerability: Windows Administrator Protection Bypass via Logon Session Flaws
## CVE Details
- CVE ID: Not assigned/disclosed in summary (Multiple related issues reported)
- CVSS Score: Not scored in summary
- CWE: Not assigned in summary. The closest fit is CWE-269 (Improper Privilege Management) or CWE-285 (Improper Authorization); CWE-264 (Permissions, Privileges, and Access Controls), often cited for this class, is a category rather than a specific weakness.
## Affected Systems
- Products: Microsoft Windows (Implementing Administrator Protection feature)
- Versions: Windows Insider Canary builds where Administrator Protection was first introduced (specific version numbers not provided).
- Configurations: Systems running Windows with the new 'Administrator Protection' feature enabled.
## Vulnerability Description
James Forshaw of Google Project Zero reported nine User Account Control (UAC) bypasses. Under classic UAC these had little impact because Microsoft does not treat UAC as a security boundary; once Microsoft's new Administrator Protection feature, which is meant to be a boundary, became active, the same bugs turned into real privilege escalations. The most notable flaw is a **Logon Sessions** issue that exploits the OS's "weird behavior when creating the DOS device object directory."
The vulnerability hinges on how Windows creates the per-logon-session DOS device object directory on demand, the first time a process in that logon session references it, without first checking whether the caller is the administrator that session belongs to. Administrator Protection gives a non-elevated process access to a token for the hidden shadow administrator account. The attacker first obtains that shadow admin token (at identification impersonation level) through `NtQueryInformationToken`, then sets the token's owner Security Identifier (SID) to their own account's SID (`NtQueryInformationToken` only reads token data; changing the owner is a separate set operation on the token).
While impersonating this modified token, the attacker triggers creation of the shadow admin session's DOS device directory. The kernel creates the directory on the caller's behalf without an access check and assigns ownership from the impersonated token's owner SID, so the attacker ends up owning the directory. Any later access check against the directory's DACL may still fail, but on Windows the owner of an object is implicitly granted READ_CONTROL and WRITE_DAC, so the attacker can rewrite the DACL and plant a symbolic link in the directory. The exploit chain uses this to redirect the elevated process's C: drive before that process opens any file, so the elevated process loads attacker-controlled content and the protection level Administrator Protection was meant to enforce is bypassed.
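The mechanism above starts from the linked token that a non-elevated process can obtain. The following PowerShell script is an added example written for this summary, not code from the Project Zero post or from Microsoft; it uses James Forshaw's NtObjectManager module to show what the current process gets back as its linked token. It assumes the module is installed (`Install-Module NtObjectManager`) and that the `Get-NtToken -Linked` switch and the `User`, `Owner`, `TokenType`, `ImpersonationLevel` and `Elevated` properties exist as I recall them; check them against `Get-Help Get-NtToken` before relying on the output.

```powershell
# Added example: compare the current process token with its linked token.
# Assumes the NtObjectManager module (cmdlet and property names are assumptions to verify).
Import-Module NtObjectManager

# Primary token of the current (non-elevated) process.
$current = Get-NtToken

# The linked token. For a caller without SeTcbPrivilege, Windows hands this
# back as an impersonation token at SecurityIdentification level.
$linked = Get-NtToken -Linked

[pscustomobject]@{
    CurrentUser         = $current.User.Name
    CurrentElevated     = $current.Elevated
    LinkedUser          = $linked.User.Name
    LinkedOwner         = $linked.Owner.Name
    LinkedTokenType     = $linked.TokenType
    LinkedImpersonation = $linked.ImpersonationLevel
} | Format-List

# Under classic UAC, LinkedUser is the same account as CurrentUser (split token).
# Under Administrator Protection, LinkedUser is a different, hidden shadow
# administrator account, which is the token the reported bypass impersonates.
if ($linked.User.Sid -ne $current.User.Sid) {
    Write-Host "Linked token belongs to a different account: Administrator Protection appears to be active."
} else {
    Write-Host "Linked token is the same account: classic UAC split token."
}
```

Run it from a normal (non-elevated) PowerShell window of an administrator account; from an already elevated window the linked token is the filtered standard-user token and the comparison is not informative.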
## Exploitation
- Status: Researcher-reported and fixed by the vendor before the feature reached general availability; the summary does not say whether a public proof of concept exists.
- Complexity: Medium to High. The chain relies on five distinct OS behaviors, detailed knowledge of Windows object manager and token internals, and ordering: the attacker must own the DOS device directory and redirect C: before the elevated process opens its first file.
- Attack Vector: Local. Requires code execution in a non-elevated process of a user account that Administrator Protection manages (no remote or unauthenticated path).
## Impact
- Confidentiality: High once the chain completes, since code running as the shadow administrator can read any local data; the summary itself only describes the escalation step.
- Integrity: High – Allows an attacker controlling a non-elevated user process to silently elevate to administrator, defeating the integrity control Administrator Protection is meant to add.
- Availability: Low to Medium – The bugs are privilege escalations, not denial of service; availability impact depends on what the attacker does after elevating.
## Remediation
### Patches
- Microsoft fixed the specific vulnerability by: **Preventing DOS device object directory creation when impersonating a shadow admin token at the identification level.** (Specific patch KB numbers or build releases are not provided in the summary).
### Workarounds
- No configuration workaround is described. The bugs were fixed while Administrator Protection was limited to Windows Insider Canary builds, so generally available (GA) releases of Windows either do not contain the feature or ship it with the fixes already applied. Insider users should update to a build that includes the fixes rather than disable the feature, since disabling it only returns the account to classic UAC behavior.
## Detection
- Indicators of Compromise: `NtQueryInformationToken` is called constantly by normal software and is not a useful indicator on its own. The meaningful artifacts are per-logon-session DOS device directories (`\Sessions\0\DosDevices\<logon LUID>`) whose owner is not the user of that logon session, and `C:` symbolic links inside those directories that point somewhere other than the global `C:` target (normally `\Device\HarddiskVolumeN`).
- Detection methods and tools: Standard event logs and Sysmon do not record object manager directory or symbolic link creation, so detection is mostly by inspection: enumerate the session DOS device directories with WinObj or the NtObjectManager PowerShell module and compare each directory's owner and `C:` link target against the expected values. Endpoint products with kernel-mode visibility can additionally flag a non-elevated process impersonating the shadow admin token at identification level while creating object directories.
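The following PowerShell script is an added example for the inspection described above; it is not part of the original page and not a Microsoft or Project Zero tool. It enumerates every per-logon-session DOS device directory, records its owner, and flags any session whose `C:` link does not resolve to the same target as the global `C:` drive. It assumes the NtObjectManager module and that `Get-NtDirectory`, `Get-NtSymbolicLink`, `Get-NtSecurityDescriptor`, the directory `Query()` method and the `Name`, `NtTypeName`, `Target` and `Owner.Sid` properties exist as I recall them; verify the names with `Get-Help` before running it in an investigation.

```powershell
# Added example: inventory per-session DOS device directories and flag redirected C: links.
# Assumes the NtObjectManager module (cmdlet and property names are assumptions to verify).
Import-Module NtObjectManager

# Canonical target of the global C: drive, e.g. \Device\HarddiskVolume3.
$globalC = (Get-NtSymbolicLink -Path '\GLOBAL??\C:').Target

# Per-logon-session DOS device directories live under \Sessions\0\DosDevices,
# each named after the logon session LUID (e.g. 00000000-0003e7).
$root = Get-NtDirectory -Path '\Sessions\0\DosDevices'

$findings = foreach ($entry in $root.Query()) {
    if ($entry.NtTypeName -ne 'Directory') { continue }
    $path = "\Sessions\0\DosDevices\$($entry.Name)"

    # Owner of the directory: the reported bug lets an attacker become this owner.
    $owner = (Get-NtSecurityDescriptor -Path $path).Owner.Sid

    # A per-session C: link is unusual; the device map normally falls through
    # to \GLOBAL?? for drive letters that are not overridden in the session.
    $cTarget = $null
    try {
        $cTarget = (Get-NtSymbolicLink -Path "$path\C:" -ErrorAction Stop).Target
    } catch { }

    [pscustomobject]@{
        LogonId    = $entry.Name
        Owner      = $owner
        CTarget    = $cTarget
        Suspicious = ($null -ne $cTarget -and $cTarget -ne $globalC)
    }
}

$findings | Format-Table -AutoSize

foreach ($f in $findings | Where-Object Suspicious) {
    Write-Warning "Logon session $($f.LogonId): C: redirected to $($f.CTarget) (directory owner $($f.Owner))"
}
```

Run it elevated so every session directory can be opened; a non-elevated run will only see the caller's own sessions. Any per-session `C:` override is worth investigating, and an override whose directory owner is a standard user SID matches the ownership abuse this summary describes.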
## References
- Vendor advisories: Microsoft security updates addressing the introduction and subsequent fixing of Administrator Protection features in Insider builds.
- Relevant links - defanged: hxxps://projectzero.google/2026/26/windows-administrator-protection.html