Google researcher James Forshaw discovered nine vulnerabilities in Windows Administrator Protection, leveraging old UAC bypass techniques that became exploitable with the new security feature.
Microsoft has patched a series of vulnerabilities in Windows Administrator Protection, a new security feature designed to limit user privileges, after Google researcher James Forshaw of Project Zero discovered nine separate flaws that could allow attackers to silently elevate their privileges on affected systems.

The vulnerabilities, reported in December 2025, primarily exploited previously known User Account Control (UAC) issues that Forshaw had been aware of for years. However, these old techniques became practically exploitable only after the introduction of Windows Administrator Protection, which creates a unique logon session each time a user requests elevated privileges.
How Windows Administrator Protection Works
Windows Administrator Protection aims to keep users running with the least privilege necessary. A user can still elevate on the fly, but each request has to be approved by the user at the time it is made, and the elevated privileges are discarded when the elevated process exits rather than lingering for the rest of the session.
The feature departs from the traditional UAC split-token model by running elevated processes under a hidden, system-managed "shadow admin" account. A non-elevated process can still obtain that account's token by querying the linked token (the TokenLinkedToken class) through NtQueryInformationToken. The handle comes back at identification level, which lets the caller inspect the token and impersonate it for access checks but not act as the shadow admin. That identification-level token is the object the bug chain manipulates.
The Most Critical Vulnerability
The most notable of the nine bugs Forshaw reported was a logon-session flaw that chained five separate Windows behaviors. It centered on how Windows handles the per-logon-session DOS device object directories through which drive letters such as C: are resolved.
The kernel does not create a logon session's DOS device object directory at logon; it creates it on demand, the first time a process in that session resolves a DOS path. That creation runs with access checking disabled, so the kernel never checks whether the caller that triggers it is really the session's administrator. Forshaw noted he likely spotted this because of his familiarity with Windows' "weird behavior when creating the DOS device object directory."
The Exploitation Chain
Here is how the chain works. The attacker takes the identification-level shadow admin token and changes its owner security identifier to their own user SID. Impersonating that token and then resolving a DOS device path forces the kernel to create the shadow admin session's DOS device object directory, and because the new directory's owner is taken from the impersonated token, the attacker ends up owning it. An owner can rewrite the directory's DACL, so this amounts to full control over the drive mappings of the elevated session.
Forshaw explained the technical details: "As access checking is disabled, the creation will still succeed; however, once it's created, the kernel will do an access check for the directory itself and will fail due to the identification token being impersonated."
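To make the pieces described above concrete, here is an added inspection script that is not part of the Project Zero write-up or this article. It uses James Forshaw's NtObjectManager PowerShell module and assumes that module is installed and that the script runs non-elevated from an account whose process token has a linked token (Administrator Protection or classic UAC). It fetches the linked (shadow admin) token and shows that it arrives at identification level, then lists the per-logon-session DOS device directories under \Sessions\0\DosDevices with their owners, which is what a tester would check to see whether a directory for the shadow session already exists and who created it. The directory-name format and the $wanted comparison are this example's own assumptions.

```powershell
# Added example; not code from the Project Zero write-up or this article.
# Assumes James Forshaw's NtObjectManager module (Install-Module NtObjectManager)
# and a non-elevated shell whose process token has a linked token.
Import-Module NtObjectManager

# --- 1. The token the chain starts from -------------------------------------
# Get-NtToken -Linked queries TokenLinkedToken on the current process token.
# For a non-elevated caller the kernel returns the elevated token (under
# Administrator Protection, the shadow admin's token) at Identification level:
# enough to inspect and to impersonate for access checks, not to act as that user.
$linked = Get-NtToken -Linked
$shadowLuid = $linked.AuthenticationId
"Linked token user    : {0}" -f $linked.User.Sid
"Impersonation level  : {0}" -f $linked.ImpersonationLevel
"Linked logon session : {0}" -f $shadowLuid

# --- 2. The object the chain targets ----------------------------------------
# Per-logon-session DOS device directories live under \Sessions\0\DosDevices,
# one per logon session LUID. Drive letters such as C: resolve through them.
# A session's directory is created only when something in that session first
# resolves a DOS path, which is the on-demand creation the bug chain abuses.
# Assumption: the directory name is the LUID as "<HighPart>-<LowPart>" in hex.
$root = Get-NtDirectory -Path "\Sessions\0\DosDevices"
$wanted = "{0:x8}-{1:x8}" -f $shadowLuid.HighPart, $shadowLuid.LowPart
$found = $false
foreach ($entry in $root.Query()) {
    if ($entry.NtTypeName -ne "Directory") { continue }
    try {
        $dir = Get-NtDirectory -Path $entry.Name -Root $root
        $owner = $dir.SecurityDescriptor.Owner.Sid
        $dir.Close()
    } catch {
        # Directories belonging to other logon sessions may refuse the open.
        $owner = "<access denied>"
    }
    if ($entry.Name -eq $wanted) { $found = $true }
    "{0,-20} owner={1}" -f $entry.Name, $owner
}

# --- 3. What a tester or defender looks for ---------------------------------
# Before any elevation the shadow session's directory should not exist.
# If it does, its owner should be SYSTEM or the shadow admin account, never
# the standard user's SID that obtained the identification token in step 1.
if ($found) {
    "DOS device directory for linked session $wanted already exists; check its owner."
} else {
    "No DOS device directory yet for linked session $wanted (expected before elevation)."
}
```

Under classic UAC the linked token belongs to a logon session that is set up once at logon, so its directory will usually already exist by the time you run this; the interesting case is Administrator Protection, where each elevation gets a fresh session and the directory appearing early, or with the standard user as owner, is the signal the chain above produces.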
Why These Old Bugs Suddenly Became Dangerous
The introduction of Windows Administrator Protection changed the exploitation landscape. UAC does not create a new logon session when a user elevates; Administrator Protection spins up a fresh logon session for every elevation request, and that session's DOS device object directory does not exist until something creates it.
Separately, Microsoft had added a mitigation against C drive hijacking under UAC that makes the system service launching an elevated process ignore the DOS device object directory of the impersonated token. That mitigation blunted the per-user drive hijack in the UAC world, but under Administrator Protection the directory that matters is the brand-new session's, and creating and owning it is exactly what the chain above lets a standard user do. The combination turned a long-known but impractical UAC trick into a working bypass.
Microsoft's Fix
Microsoft addressed the issue by refusing to create a DOS device object directory when the caller is impersonating a shadow admin token at identification level. With that creation path closed, the chain can no longer hand the attacker ownership of the elevated session's directory.
Forshaw noted the significance of this discovery: "This issue is interesting, not just because it allowed me to bypass the protection but also because it was a potential UAC bypass that I had known about for many years, but only became practically exploitable because of the introduction of this feature."
Current Status and Availability
Microsoft has not yet shipped Windows Administrator Protection in general release builds; at the time of writing, only the Windows Insider Canary channel can test the feature. That limited exposure may explain why these issues were found late in the feature's development rather than earlier.
The discovery highlights an important lesson in security feature development: new protections can inadvertently make old vulnerabilities exploitable in ways that weren't previously possible, requiring security researchers to continually reassess the threat landscape as operating systems evolve.
