"running as the shadow administrator. get a process executing as an administrator without showing a prompt. the prompt being a boundary is important, there ’ s a number of uac bypasses, such as those which rely on elevated com objects that would still work in administrator protect…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
99%
"acquire administrator privileges as most routes still showed a prompt to the user. unfortunately, microsoft decided to reduce the number of elevation prompts a user would see when modifying system configuration and introduced an “ auto - elevation ” feature in windows 7. select m…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
99%
"able to get administrator privileges even if that ’ s just by forcing a user to accept the elevation prompt, but any silent bypasses they might use should get fixed which would be a significant improvement on the current situation. regardless of all that, the safest way to use wi…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
99%
") ( objectinherit, containerinherit ) ( full access ) creator owner : ( allowed ) ( objectinherit, containerinherit, inheritonly ) ( genericall ) the directory cannot be written to by a non - administrator user, but as this code is called in the security context of the user it ne…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
98%
"bypassing windows administrator protection a headline feature introduced in the latest release of windows 11, 25h2 is administrator protection. the goal of this feature is to replace user account control ( uac ) with a more robust and importantly, securable system to allow a loca…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
98%
"9 separate means to bypass the feature and silently gain administrator privileges. some of the bypasses were long standing uac issues with publicly available test cases. others were due to implementation flaws in the feature itself. but the most interesting bug class was where th…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
95%
"t change. the problem administration protection is trying to solve uac was introduced in windows vista to facilitate granting a user administrator privileges temporarily, while the majority of the user ’ s processes run with limited privileges. unfortunately, due to the way it wa…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1055.001Dynamic-link Library Injection
95%
"global object directory, the logon session specific directory is checked first and so it can be overridden. if a user can write into another logon session ’ s dos device object directory they can redirect any file access to the system drive. for example you could redirect system …"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
95%
"##igated then it can be made a secure boundary which not only requires more work to bypass but also any vulnerabilities in the implementation could be fixed as security issues. in fact there is already a more secure mechanism that uac can use that doesn ’ t suffer from many of th…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
95%
"is this useful? i noticed a long time ago that this behavior is a potential uac bypass, in fact it ’ s a potential eop, but uac bypass was the most likely outcome. specifically it ’ s possible to get a handle to the access token for the administrator user by calling ntqueryinform…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
93%
"ps > $ d = invoke - nttoken $ t { new - ntdirectory } ps > $ d. securitydescriptor. owner. sid. name nt authority \ anonymous logon # impersonate at identification level ps > $ d = invoke - nttoken $ t - impersonationlevel identification { new - ntdirectory } ps > $ d. securityde…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
93%
"to hijack the system drive. let the process resume and wait for a redirected dll to be loaded. final thoughts the bypass was interesting because it ’ s hard to point to the specific bug that causes it. the vulnerability is a result of 5 separate os behaviors : the administrator p…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
93%
", first creating an elevated process suspended will require clicking through an elevation prompt. for uac with auto - elevation this wasn ’ t a problem, but for administrator protection it will always prompt, and showing a prompt isn ’ t considered to be crossing the security bou…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
91%
"as a reference in the access token created during the logon process, so that it can be easily referred to during any kernel operations using the token. you can find the unique 64 - bit authentication id for the session by querying the token using the ntqueryinformationtoken syste…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
90%
"$ auth _ id " get - ntdirectory : ( 0xc0000034 ) - object name not found. while in theory we can now force the creation of the dos device object directory, unfortunately this doesn ’ t help us much. as the uac service also uses tokenlinkedtoken to get the token to create the new …"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
88%
"$ auth _ id " get - ntdirectory : ( 0xc0000034 ) - object name not found. while in theory we can now force the creation of the dos device object directory, unfortunately this doesn ’ t help us much. as the uac service also uses tokenlinkedtoken to get the token to create the new …"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
87%
"created it ’ ll use the owner from the identification token which would be the local administrator ’ s group. but we can change the token ’ s owner sid to the user ’ s sid before impersonation, as that ’ s a permitted operation. now the final dos device object directory will be o…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
86%
"t change. the problem administration protection is trying to solve uac was introduced in windows vista to facilitate granting a user administrator privileges temporarily, while the majority of the user ’ s processes run with limited privileges. unfortunately, due to the way it wa…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
84%
"i wanted to help them find issues in the implementation during the insider preview stage. no doubt part of the reason they reached out was my history of finding complex logical uac bypasses. also, i ’ d already taken a brief look and noted that the feature was still vulnerable to…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
83%
"created it ’ ll use the owner from the identification token which would be the local administrator ’ s group. but we can change the token ’ s owner sid to the user ’ s sid before impersonation, as that ’ s a permitted operation. now the final dos device object directory will be o…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
77%
"my views on administrator protection as a feature, i feel that microsoft have not been as bold as they could have been. making small tweaks to uac resulted in carrying along the almost 20 years of unfixed bypasses which manifest as security vulnerabilities in the feature. what i …"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
76%
"##ate the new token over the call to createprocessasuser to ensure you don ’ t allow a user to create a process for an executable file they can ’ t access. the uac service is doing this correctly, so surely it must have accessed a drive to create the process and the dos device ob…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
76%
"is this useful? i noticed a long time ago that this behavior is a potential uac bypass, in fact it ’ s a potential eop, but uac bypass was the most likely outcome. specifically it ’ s possible to get a handle to the access token for the administrator user by calling ntqueryinform…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
76%
"to hijack the system drive. let the process resume and wait for a redirected dll to be loaded. final thoughts the bypass was interesting because it ’ s hard to point to the specific bug that causes it. the vulnerability is a result of 5 separate os behaviors : the administrator p…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
75%
"is on the c : drive, which is very likely, the mitigation ignores the impersonated token ’ s dos device object directory entirely. thus segettokendevicemap never gets calls and so the first time a file is accessed under the logon session is once the process is up and running. as …"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
75%
"##ing administrator protection fast forward to today, and along comes administrator protection. for reasons of compatibility microsoft made calling ntqueryinformationtoken with the tokenlinkedtoken information class still returns an identification handle to the administrator toke…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
74%
"you can ’ t use the “ legacy ” mode and administrator protection at the same time. if you want to enable it there ’ s currently no ui to do so but you can modify the local security policy to do so. the big question, will this make uac a securable boundary so malware no longer has…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
73%
"is on the c : drive, which is very likely, the mitigation ignores the impersonated token ’ s dos device object directory entirely. thus segettokendevicemap never gets calls and so the first time a file is accessed under the logon session is once the process is up and running. as …"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.001Token Impersonation/Theft
70%
"differs from the limited user ’ s. therefore setting either of these sids as the owner doesn ’ t help us when it comes to accessing the directory after creation. turns out this isn ’ t a problem as i was not telling the whole truth about the owner assignment process. when buildin…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
68%
"##ate the new token over the call to createprocessasuser to ensure you don ’ t allow a user to create a process for an executable file they can ’ t access. the uac service is doing this correctly, so surely it must have accessed a drive to create the process and the dos device ob…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
67%
"differs from the limited user ’ s. therefore setting either of these sids as the owner doesn ’ t help us when it comes to accessing the directory after creation. turns out this isn ’ t a problem as i was not telling the whole truth about the owner assignment process. when buildin…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134Access Token Manipulation
59%
"##ate the new token over the call to createprocessasuser to ensure you don ’ t allow a user to create a process for an executable file they can ’ t access. the uac service is doing this correctly, so surely it must have accessed a drive to create the process and the dos device ob…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.001Token Impersonation/Theft
59%
"is on the c : drive, which is very likely, the mitigation ignores the impersonated token ’ s dos device object directory entirely. thus segettokendevicemap never gets calls and so the first time a file is accessed under the logon session is once the process is up and running. as …"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
56%
", first creating an elevated process suspended will require clicking through an elevation prompt. for uac with auto - elevation this wasn ’ t a problem, but for administrator protection it will always prompt, and showing a prompt isn ’ t considered to be crossing the security bou…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
55%
", first creating an elevated process suspended will require clicking through an elevation prompt. for uac with auto - elevation this wasn ’ t a problem, but for administrator protection it will always prompt, and showing a prompt isn ’ t considered to be crossing the security bou…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.001Token Impersonation/Theft
51%
"ps > $ d = invoke - nttoken $ t { new - ntdirectory } ps > $ d. securitydescriptor. owner. sid. name nt authority \ anonymous logon # impersonate at identification level ps > $ d = invoke - nttoken $ t - impersonationlevel identification { new - ntdirectory } ps > $ d. securityde…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548.002Bypass User Account Control
50%
"unfortunately, the mechanism is difficult to use securely in practice as sharing the credentials to another local administrator account would be a big risk. thus it ’ s primarily useful as a means for technical support where a sysadmin types in the credentials over the user ’ s s…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548Abuse Elevation Control Mechanism
49%
"9 separate means to bypass the feature and silently gain administrator privileges. some of the bypasses were long standing uac issues with publicly available test cases. others were due to implementation flaws in the feature itself. but the most interesting bug class was where th…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1546.008Accessibility Features
47%
"bypassing windows administrator protection a headline feature introduced in the latest release of windows 11, 25h2 is administrator protection. the goal of this feature is to replace user account control ( uac ) with a more robust and importantly, securable system to allow a loca…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
46%
"is this useful? i noticed a long time ago that this behavior is a potential uac bypass, in fact it ’ s a potential eop, but uac bypass was the most likely outcome. specifically it ’ s possible to get a handle to the access token for the administrator user by calling ntqueryinform…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
42%
"created it ’ ll use the owner from the identification token which would be the local administrator ’ s group. but we can change the token ’ s owner sid to the user ’ s sid before impersonation, as that ’ s a permitted operation. now the final dos device object directory will be o…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
37%
"as a reference in the access token created during the logon process, so that it can be easily referred to during any kernel operations using the token. you can find the unique 64 - bit authentication id for the session by querying the token using the ntqueryinformationtoken syste…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1548Abuse Elevation Control Mechanism
36%
"bypassing windows administrator protection a headline feature introduced in the latest release of windows 11, 25h2 is administrator protection. the goal of this feature is to replace user account control ( uac ) with a more robust and importantly, securable system to allow a loca…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1134.002Create Process with Token
33%
"##ing administrator protection fast forward to today, and along comes administrator protection. for reasons of compatibility microsoft made calling ntqueryinformationtoken with the tokenlinkedtoken information class still returns an identification handle to the administrator toke…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1546.008Accessibility Features
33%
"9 separate means to bypass the feature and silently gain administrator privileges. some of the bypasses were long standing uac issues with publicly available test cases. others were due to implementation flaws in the feature itself. but the most interesting bug class was where th…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
Summary
A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it’s different from UAC. I’ll then describe some of the security research I undertook while it was in the insider preview builds on Windows 11. Finally I’ll detail one of the nine separate vulnerabilities that I found to bypass the feature to silently gain full administrator privileges. All the issues that I reported to Microsoft have been fixed, either prior to the feature being officially released (in optional update KB5067036) or as subsequent security bulletins. Note: As of 1st December 2025 the Administrator Protection feature has been disabled by Microsoft while an application compatibility issue is dealt with. The issue is unlikely to be related to anything described in this blog post so the analysis doesn’t change.
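The excerpts above rest on three observable facts: the per-logon-session DOS device object directory is named after the token's 64-bit authentication ID; a non-elevated process can still obtain the administrator token of its own logon via TokenLinkedToken, but only at identification level; and an object created while impersonating that token takes its owner from the token, whose owner SID can be changed to the user's SID beforehand. The PowerShell below is an added example, not code from the original post, that makes each of those visible on a split-token (UAC-filtered) administrator account using James Forshaw's NtObjectManager module. Assumptions, marked in the comments: the NtToken Owner property is writable (it wraps NtSetInformationToken with TokenOwner), the Luid string form is the "high-low" hex pair used as the directory name, and the script runs from a non-elevated process. It only inspects state and creates unnamed, transient object directories; it does not create the DOS device directory for the admin session or redirect any drive.

```powershell
# Added example (not from the original post). Requires: Install-Module NtObjectManager,
# an interactive logon as a split-token administrator, and a non-elevated PowerShell.
Import-Module NtObjectManager

# Primary token of this process: the filtered, limited token of the logon.
$token = Get-NtToken -Primary
"User:             {0}" -f $token.User.Sid.Name
"Auth ID:          {0}" -f $token.AuthenticationId     # assumption: Luid prints as HHHHHHHH-LLLLLLLL
"Elevation type:   {0}" -f $token.ElevationType        # expect 'Limited' when split-token

# TokenLinkedToken: the administrator token of the same logon. For a non-elevated
# caller the handle comes back at Identification level, so it cannot be used for access.
$linked = Get-NtToken -Linked
"Linked auth ID:   {0}" -f $linked.AuthenticationId
"Linked level:     {0}" -f $linked.ImpersonationLevel  # expect 'Identification'
"Linked owner SID: {0}" -f $linked.Owner.Name          # typically BUILTIN\Administrators

# Per-logon-session DOS devices directory, looked up before the global one on every
# DOS path (C:\...) access. Name = authentication ID of the logon session (assumption
# on the string form, see above). For the admin logon it usually does not exist yet.
$path = "\Sessions\0\DosDevices\$($linked.AuthenticationId)"
try {
    $dir = Get-NtDirectory -Path $path -ErrorAction Stop
    "DosDevices dir:   present, owner {0}" -f $dir.SecurityDescriptor.Owner.Sid.Name
    $dir.Close()
} catch {
    "DosDevices dir:   {0} not present ({1})" -f $path, $_.Exception.Message
}

# Owner assignment under Identification-level impersonation: the new object's owner
# is taken from the impersonated token even though that token grants no access.
$d = Invoke-NtToken $linked -ImpersonationLevel Identification { New-NtDirectory }
"Owner (linked token as returned):     {0}" -f $d.SecurityDescriptor.Owner.Sid.Name
$d.Close()

# Changing the token's owner SID to the user's own SID is a permitted operation
# (assumption: NtToken.Owner setter issues NtSetInformationToken/TokenOwner).
# Objects created afterwards are owned by the limited user, not Administrators.
$linked.Owner = $token.User.Sid
$d = Invoke-NtToken $linked -ImpersonationLevel Identification { New-NtDirectory }
"Owner (linked token, owner set to user): {0}" -f $d.SecurityDescriptor.Owner.Sid.Name
$d.Close()

$linked.Close()
$token.Close()
```

On a build carrying the fixes the Summary refers to, the final line is the one to watch: if the created directory is no longer owned by the limited user, or the owner change is refused, that piece of the chain has been closed. Run it as a plain user too; the linked-token step should then fail, which is the expected result rather than a bug.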