Google Project Zero researcher James Forshaw details a complex vulnerability he discovered in Windows 11's new Administrator Protection feature, which aims to replace UAC with a more secure privilege elevation system. The bypass exploits a chain of five OS behaviors involving logon sessions, DOS device object directories, and kernel-level access checking. Forshaw found nine separate bypasses during insider preview testing, all of which were fixed before or shortly after release. The article provides deep technical analysis of the vulnerability, explains why Administrator Protection still carries forward UAC's legacy issues, and offers perspective on whether the feature successfully establishes a defensible security boundary.

23 min read. From projectzero.google
Table of contents:
The Problem Administration Protection is Trying to Solve
Researching Administrator Protection
Logon Sessions
Creating a DOS Device Object Directory
Bypassing Administrator Protection
Final Thoughts
