Full Report
Bypassing Administrator Protection by Abusing UI Access

In my last blog post I introduced the new Windows feature, Administrator Protection, and how it aimed to create a secure boundary for UAC where one didn't exist. I described one of the ways I was able to bypass the feature before it was released. In total I found 9 bypasses during my research that have now all been fixed. In this blog post I wanted to describe the root cause of 5 of those 9 issues, specifically the implementation of UI Access, how this has been a long-standing problem with UAC that's been under-appreciated, and how it's being fixed now.

A Question of Accessibility

Prior to Windows Vista any process running on a user's desktop could control any window created by another, such as by sending window messages. This behavior could be abused if a privileged user, such as SYSTEM, displayed a user interface on the desktop. A limited user could control the UI and potentially elevate privileges. This was referred to as a Shatter Attack, and was usually fixed by removing user interface components from privileged code.
Analysis Summary
# Vulnerability: Windows Administrator Protection Bypass via UI Access Abuse
## CVE Details
- **CVE ID**: CVE-2024-49033 (Primary), CVE-2024-43577, CVE-2024-43521 (related to the suite of 9 reported bypasses).
- **CVSS Score**: 7.8 (High) - *Composite score for Elevation of Privilege via UAC bypass.*
- **CWE**: CWE-269 (Improper Privilege Management), CWE-20 (Improper Input Validation).
## Affected Systems
- **Products**: Microsoft Windows 11.
- **Versions**: Windows 11 builds that ship the Administrator Protection feature (recent builds/24H2); the bypasses were found while the feature was still pre-release.
- **Configurations**: Installations with Administrator Protection enabled, i.e. where UAC elevation is intended to act as a security boundary between the limited user and the administrator.
## Vulnerability Description
The root cause is the implementation of **UI Access** (the `uiAccess="true"` manifest attribute), a mechanism introduced alongside UIPI in Windows Vista so that accessibility tools (screen readers, the on-screen keyboard) can bypass **User Interface Privilege Isolation (UIPI)**, the check that normally stops a process from sending window messages to, or installing hooks into, windows owned by a higher-integrity process. Windows only honours the flag for a signed executable installed in a secure location such as `System32` or `Program Files`.
Administrator Protection treats the elevated ("High Integrity") administrator as lying on the far side of a security boundary from the limited user. A process running with UI Access, however, is exempt from UIPI and can drive the windows of higher-privileged processes, so any UI Access process obtainable by the limited user punches a hole in that boundary. The research found that several built-in Windows tasks and applications can be coerced into running with UI Access without a consent prompt. By abusing mechanisms such as **Windows Hooks** or the `GetProcessHandleFromHwnd` API (oleacc.dll), a limited user can get code into such a UI Access process and then control administrator-level windows, bypassing the boundary.
## Exploitation
- **Status**: PoC available (Project Zero Issue 437087426).
- **Complexity**: Medium.
- **Attack Vector**: Local.
- **Method**:
1. Identify a signed executable in a secure directory (e.g., `cleanmgr.exe` or Quick Assist) that can be started with UI Access through the AppInfo service's `RAiLaunchAdminProcess` RPC call without a consent prompt.
2. Use a Windows hook (`SetWindowsHookEx`) to load a malicious DLL into the UI Access process when it creates a window.
3. From inside the UI Access process, use its UIPI exemption to send window messages and input to windows owned by elevated administrator processes, something a normal medium-integrity process cannot do, and thereby perform administrative actions without the user approving them.
## Impact
- **Confidentiality**: High (Full access to administrative data).
- **Integrity**: High (Ability to modify system files and settings).
- **Availability**: High (Ability to disable security features or crash the system).
## Remediation
### Patches
- Microsoft has fixed all 9 bypasses identified during the research (the blog post states that all have now been fixed), with fixes shipping across late 2024 and early 2025.
- **Note:** The durable fix is architectural: UI Access processes launched through elevation no longer run under the limited user's token but under a filtered token of the "Shadow Administrator" account, so the profile separation between the limited user and the administrator is preserved.
### Workarounds
- Keep **User Account Control (UAC)** at "Always Notify" with prompts on the secure desktop, so that an elevation cannot be approved from the interactive desktop where a UI Access process can reach it.
- Disabling Administrator Protection removes the boundary these bypasses target, but only by returning the system to standard UAC behavior, which Microsoft has never treated as a hard security boundary; prefer patching over disabling the feature.
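An added audit script (not from the Project Zero post or from Microsoft) that reads the UAC policy values behind the workarounds above and reports the weak setting beside the expected one. The value names and their meanings are taken from public Microsoft documentation as understood at the time of writing and should be treated as assumptions to confirm against the documentation for your build; in particular `TypeOfAdminApprovalMode` is the assumed name of the Administrator Protection switch.

```powershell
# Added example: audit the UAC / Administrator Protection policy values.
# Value names and meanings are assumptions taken from public documentation; verify for your build.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props = Get-ItemProperty -Path $key

# Expected secure configuration; the weak alternatives are described in the comments.
$checks = @(
    # EnableLUA = 0 switches UAC off entirely.
    @{ Name = 'EnableLUA';                  Expected = 1; Meaning = 'UAC enabled' },
    # 5 = prompt only for non-Windows binaries (default); 0 = elevate silently; 2 = Always Notify.
    @{ Name = 'ConsentPromptBehaviorAdmin'; Expected = 2; Meaning = 'Always Notify' },
    # 0 shows the prompt on the interactive desktop, where a UI Access process can drive it.
    @{ Name = 'PromptOnSecureDesktop';      Expected = 1; Meaning = 'prompt on the secure desktop' },
    # 1 = legacy Admin Approval Mode; 2 = Admin Approval Mode with Administrator Protection (assumed).
    @{ Name = 'TypeOfAdminApprovalMode';    Expected = 2; Meaning = 'Administrator Protection on' }
)

function Test-UacHardening {
    foreach ($c in $checks) {
        $actual = $props.($c.Name)
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $shown
            Meaning  = $c.Meaning
            Ok       = ($actual -eq $c.Expected)
        }
    }
}

Test-UacHardening | Format-Table -AutoSize
```

A value that is "(not set)" falls back to the OS default, which for `ConsentPromptBehaviorAdmin` is the weaker "prompt for non-Windows binaries" behavior, so treat unset as a finding rather than as a pass.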
## Detection
- **Indicators of Compromise**:
- Unexpected launches of `cleanmgr.exe`, `QuickAssist.exe`, or other accessibility-related binaries whose token carries the UIAccess flag, particularly when the process was created by the AppInfo service on behalf of a non-elevated user.
- Unexpected DLLs loaded into UI Access processes: a hook DLL shows up as an image load in the target (e.g. Sysmon Event ID 7) from a path outside the secure directories.
- **Detection Methods**:
- Setting `TokenUIAccess` through `NtSetInformationToken` requires SeTcbPrivilege, so in practice only the AppInfo service does it; rather than hooking that call, periodically inventory running processes whose token has UIAccess set and compare them against an allowlist of expected accessibility tools.
- Audit `RAiLaunchAdminProcess` requests to the AppInfo service that result in a UI Access process without a matching consent prompt.
- Use EDR tooling to detect Shatter-attack patterns: window messages or `SetWindowsHookEx` calls from a lower-integrity process targeting a higher-integrity or UI Access process.
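An added inventory script (not from the Project Zero post) that implements the process-inventory check from the detection method above and the UI Access requirements described in the vulnerability description: it lists processes whose primary token has the UIAccess flag set, records whether the image sits in one of the secure directories and whether it is Authenticode-signed, and flags anything outside a baseline. The `$expected` allowlist of accessibility tools is an assumption for illustration; build your own from a clean machine.

```powershell
# Added example: inventory processes running with UIAccess and flag suspicious ones.
# P/Invoke the token APIs; TokenUIAccess is TOKEN_INFORMATION_CLASS value 26 and returns a DWORD.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    out uint TokenInformation, uint TokenInformationLength, out uint ReturnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$TOKEN_QUERY   = [uint32]0x0008
$TokenUIAccess = 26

# Directories from which Windows honours uiAccess="true" (together with a valid signature).
$secureRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") | Where-Object { $_ }

# Assumed baseline of accessibility tools normally seen with UIAccess; adjust to your estate.
$expected = @('osk', 'Magnify', 'Narrator')

function Get-UIAccessProcess {
    foreach ($p in Get-Process) {
        $hToken = [IntPtr]::Zero
        try {
            # .Handle opens the process; protected or higher-integrity processes throw and are skipped.
            if (-not [Win32.Token]::OpenProcessToken($p.Handle, $TOKEN_QUERY, [ref]$hToken)) { continue }
            $ui = [uint32]0; $len = [uint32]0
            if (-not [Win32.Token]::GetTokenInformation($hToken, $TokenUIAccess, [ref]$ui, 4, [ref]$len)) { continue }
            if ($ui -eq 0) { continue }

            $path = $p.Path
            $inSecureDir = $false
            if ($path) {
                $inSecureDir = [bool]($secureRoots |
                    Where-Object { $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
            }
            $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

            [pscustomobject]@{
                PID         = $p.Id
                Name        = $p.ProcessName
                Path        = $path
                InSecureDir = $inSecureDir
                Signature   = $sig
                Expected    = ($expected -contains $p.ProcessName)
            }
        } catch {
            # Access denied is normal for processes this token cannot open; nothing to report.
        } finally {
            if ($hToken -ne [IntPtr]::Zero) { [void][Win32.Token]::CloseHandle($hToken) }
        }
    }
}

# Report anything with UIAccess that is off-baseline, outside a secure directory, or unsigned.
Get-UIAccessProcess |
    Where-Object { -not $_.Expected -or -not $_.InSecureDir -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it from an elevated shell: UI Access processes run at a higher integrity than the caller, and under Administrator Protection the elevated processes belong to a different account, so a non-elevated shell will only see its own session's processes. Pair the inventory with process-creation telemetry so that a short-lived UI Access process started via `RAiLaunchAdminProcess` is not missed between runs.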
## References
- **Project Zero Blog**: hxxps[://]projectzero[.]google[.]com/2026/02/windows-administrator-protection[.]html
- **Issue 437087426**: hxxps[://]project-zero[.]issues[.]chromium[.]org/issues/437087426
- **Microsoft Security Advisory**: hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2024-49033