google-project-zero · Crawled Jul 5, 2026

Bypassing Windows Administrator Protection


AI Summary

A security researcher identified multiple vulnerabilities in Windows 11 25H2's new Administrator Protection feature, designed to replace User Account Control (UAC). One of nine discovered bypasses allowed silent escalation to full administrator privileges by exploiting lazy initialization of per-session DOS device directories, improper access checking during object creation, and token impersonation behaviors. The vulnerabilities were reported to Microsoft and addressed in updates, including optional update KB5067036, before the feature's official release. Administrator Protection was temporarily disabled in December 2025 due to application compatibility issues unrelated to the security flaws.

AI-extracted · verify before operational use

Indicators of Compromise (1 extracted)

Type      Value
Filename  runonce.exe