Old Windows quirks help punch through new admin defences

Summary

Google Project Zero researcher James Forshaw disclosed nine vulnerabilities that could allow silent elevation to administrator on machines using Microsoft’s new Windows Administrator Protection. Most of the issues stem from long‑standing User Account Control (UAC) behaviours; the most significant relied on how the Windows kernel lazily creates DOS device object directories for logon sessions.

Forshaw demonstrated an attacker could impersonate the hidden “shadow admin” token, alter the token owner SID to their own, force the kernel to create a directory they control and then redirect an elevated process’s C: drive before access checks occur. Microsoft has patched the problem by blocking DOS device object directory creation when impersonating a shadow admin token at the identification level. Forshaw noted the bug was known in the context of UAC for years but only became practically exploitable because Administrator Protection creates unique elevation logon sessions.

Key Points

  • Project Zero reported nine vulnerabilities in December that could subvert Windows Administrator Protection.
  • Most issues reuse legacy UAC behaviours and arise from the kernel’s on‑demand creation of DOS device object directories.
  • An exploit path lets an attacker impersonate the shadow admin token and change its owner SID to gain control of newly created device directories.
  • Attackers could redirect a process’s C: drive if they act before the process accesses files, enabling elevation of privileges.
  • Microsoft mitigated the issue by preventing DOS device object directory creation when impersonating shadow admin tokens.
  • The vulnerability was long‑known in a UAC context but became exploitable only after Administrator Protection introduced per‑elevation logon sessions.

Context and Relevance

This is important for Windows administrators, security teams and anyone responsible for endpoint hardening. A feature designed to enforce least privilege was briefly undermined by decades‑old OS quirks, showing how new defences can interact unpredictably with legacy behaviour. The incident underlines the need to test Insider features, keep systems patched, and monitor disclosures from Project Zero and Microsoft.

Why should I read this

Short version: if you look after Windows boxes or worry about privilege escalation, read this. It’s a neat demonstration of how old Windows oddities can wreck new protections — and that the vendor pushed a fix. Read it so you can check your estate, avoid surprises and understand how tiny OS behaviours can have big security consequences.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/28/google_windows_admin_exploit/