# Full Report
A headline feature introduced in the latest release of Windows 11, 25H2, is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and, importantly, securable system to allow a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it's different from UAC. I'll then describe some of the security research I undertook while it was in the Insider Preview builds on Windows 11. Finally, I'll detail one of the nine separate vulnerabilities that I found to bypass the feature to silently gain full administrator privileges. All the issues that I reported to Microsoft have been fixed, either prior to the feature being officially released (in optional update KB5067036) or as subsequent security bulletins.

Note: As of 1st December 2025 the Administrator Protection feature has been disabled by Microsoft while an application compatibility issue is dealt with. The issue is unlikely to be related to anything described in this blog post, so the analysis doesn't change.
# Analysis Summary
This summary covers the security findings related to the bypasses discovered for the new Windows 11 Administrator Protection feature, based solely on the text of the report above.
# Vulnerability: Administrator Protection Silent Bypass (One of Nine Reported)
## CVE Details
- CVE ID: Not specified in the text. (The research details one of nine vulnerabilities found in the insider preview builds.)
- CVSS Score: Not specified in the text.
- CWE: Not specified in the text.
## Affected Systems
- Products: Windows 11 (specifically the 25H2 release introducing Administrator Protection).
- Versions: Windows 11, 25H2 (Insider Preview builds where research was conducted).
- Configurations: Administrator Protection enabled; the feature is intended to replace the default "admin approval" mode of UAC. The specific bypass detailed involved creating a DOS device object directory while impersonating a "shadow administrator token at identification level."
## Vulnerability Description
The researcher discovered nine separate vulnerabilities, each allowing a silent bypass of the newly introduced Administrator Protection feature and giving a local user unauthorized full administrator privileges. The one vulnerability detailed in the report stems from "weird behavior when creating the DOS device object directory" while impersonating a shadow administrator token at identification level. This allowed the new security boundary to be circumvented.
## Exploitation
- Status: In-the-wild exploitation is unknown; the vulnerabilities were reported privately to Microsoft and subsequently fixed. The report describes the discovery in enough detail to imply a working bypass in a test environment.
- Complexity: Described as a "complex vulnerability with many moving pieces."
- Attack Vector: Implied to be **Local**, as the feature is designed to protect local administrative privilege elevation.
## Impact
- Confidentiality: Full Administrator access implies maximum impact.
- Integrity: Full Administrator access implies maximum impact.
- Availability: Full Administrator access implies maximum impact.
## Remediation
### Patches
- **Security Fixes:** All nine reported issues were fixed by Microsoft.
- Some fixes shipped before the feature's official release, in optional update **KB5067036** (released October 28, 2025).
- Other fixes were released via subsequent security bulletins.
- *Note on Feature Status:* As of December 1, 2025, the Administrator Protection feature itself has been **disabled by Microsoft** while an application compatibility issue is addressed; the author considers that issue unlikely to be related to the security flaws found.
### Workarounds
No specific vendor-recommended workarounds are detailed. The only general guidance given is that the safest configuration is to "never run as an administrator, with any version of UAC."
## Detection
- Indicators of Compromise: Not specified.
- Detection methods and tools: Not specified. (The fix for the detailed issue prevents DOS device object directory creation when impersonating the shadow administrator token at identification level.)
## References
- Vendor Advisories: Microsoft MSRC response and fixes incorporated into KB5067036.
- Relevant links (defanged):
* Project Zero Article: hxxps://projectzero[.]google/2026/26/windows-administrator-protection[.]html
* Fix Update KB: hxxps://support[.]microsoft[.]com/en-gb/topic/october-28-2025-kb5067036-os-builds-26200-7019-and-26100-7019-preview-ec3da7dc-63ba-4b1d-ac41-cf2494d2123a