
Quite a defeat for Microsoft. The new Administrator Protection was intended to make Windows more secure. An expert tricks the new super protection several times.
Windows is much more secure today than it was a few years ago. With Administrator Protection (AP), Microsoft wants to protect its system even better. The new protection feature only launched with Windows 11 25H2 for Windows Insiders and is intended to replace User Account Control (UAC) in Windows 11, which has been criticized for years.
UAC is no longer considered a real security barrier, as attackers know numerous methods to gain admin rights without the user being asked. James Forshaw from Google Project Zero examined the new protection mechanism, incidentally at the request of Microsoft.
The result is sobering: Forshaw found nine different ways to bypass Administrator Protection without the user noticing.
Administrator Protection: New protection in Windows

Administrator Protection takes a different approach than User Account Control: instead of directly granting the logged-in user elevated rights, Windows works with a separate shadow administrator who only becomes active when necessary. In the future, confirmations should also be possible without classic admin passwords, for example via Windows Hello.
A temporary, separate admin account is created for admin processes, the so-called System Managed Administrator Account (SMAA). This account receives elevated rights, but is discarded after completion and cannot be taken over by malware.
New protection vulnerable

The core of the problem lies deep inside Windows. For elevated processes, AP creates new so-called logon sessions, which are responsible, among other things, for assigning drives. However, these assignments can be manipulated within a short time window. Attackers can then cause a legitimate admin process to suddenly load code from a compromised location with full administrator rights.
Particularly serious: the bypasses work without the classic UAC dialog. An attacker with local access could run malicious code in the background as an administrator while the user remains unaware. Microsoft actually wanted to prevent such silent privilege escalations with Administrator Protection.
The weaknesses were reported to Microsoft a long time ago and fixed with an optional Windows update. Nevertheless, Microsoft pulled the ripcord: Administrator Protection was temporarily deactivated at the end of 2025.
Despite the problems, the conclusion is not entirely negative. According to Forshaw, Administrator Protection is more secure than the old UAC because many known bypass tricks no longer work. At the same time, however, the case shows how difficult it is to secure a system that has grown over many years, like Windows, after the fact.