Google Project Zero’s testing found design flaws in Microsoft’s new admin-elevation model.
Key Takeaways:
Microsoft has quietly patched multiple flaws in Windows 11’s Administrator Protection feature after Google researchers showed the original design could be bypassed. These flaws could have allowed attackers to obtain administrator privileges on affected systems without user interaction.
Administrator Protection is a Windows 11 security feature that changes how administrator privileges are granted. Instead of UAC's split-token model, in which an elevated process runs under the user's own account with a full administrator token, elevation runs the task under a separate, system-managed "shadow" administrator account in its own logon session, and the user confirms each elevation through an authentication prompt rather than a consent click. Keeping elevated work in that isolated account is meant to reduce exposure to credential theft, token abuse, and silent auto-elevation techniques.
Microsoft is still testing this security feature and hasn’t rolled it out to all Windows 11 users yet. For now, only Windows Insiders enrolled in the experimental Canary channel can access and try it. It’s designed to make privilege escalation harder and more observable than under classic User Account Control (UAC).
Google Project Zero researcher James Forshaw analyzed the Administrator Protection feature at Microsoft’s request. His research combined reverse engineering and behavioral testing of the UAC infrastructure and its interaction with the Windows kernel. He identified nine distinct ways to bypass Administrator Protection and obtain administrator privileges without user interaction.
The vulnerabilities identified in Administrator Protection largely stem from a combination of long-standing Windows behaviors and gaps introduced by the new elevation model. Forshaw found that some classic UAC weaknesses still applied, while others only became exploitable because Administrator Protection changed how logon sessions and elevation tokens are created. That change unintentionally opened new attack paths for local privilege escalation.
The most notable bypass chained several weaknesses in how Windows creates per-logon kernel objects. Each logon session has its own DOS device directory, the per-session object namespace that holds drive-letter mappings such as C:, and the kernel creates it on demand the first time it is needed. By manipulating that on-demand creation, exploiting a window during kernel object creation in which access checks were temporarily bypassed, and controlling the ownership of the resulting object through token ownership, a low-privileged user could redirect the drive mappings that elevated processes resolve. In practice, this could let an attacker run code with administrator privileges without any user interaction.
According to Forshaw, the underlying behavior had existed for years but was not practically exploitable under classic UAC. Administrator Protection, however, creates a separate, isolated logon session for each shadow administrator token, and that created a window in which an attacker could interfere before the session's protections were fully established.
Microsoft has patched all these reported vulnerabilities either before public release or through later security updates. Last month, the company also temporarily disabled Administrator Protection due to other compatibility issues on Windows 11 machines.
Organizations should ensure that all relevant security updates are applied and avoid early deployment of preview features in production environments. It’s also advised to use privilege‑management controls such as least‑privilege enforcement, application allow‑listing, and endpoint detection tools to reduce the impact of local privilege‑escalation attacks.
Additionally, security teams should treat administrator elevation as a high‑risk operation that requires monitoring and auditing. They must also log elevation events, restrict local administrator membership, and train users to recognize and report unexpected elevation prompts.
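As an added illustration of the auditing advice above (this is example code written for this article, not a script from Microsoft or Project Zero), the following PowerShell snippet checks whether Administrator Protection is configured, lists local Administrators membership, and pulls recent elevated process creations from the Security log. It assumes process creation auditing (Event ID 4688) is enabled, and that the policy "Configure type of Admin Approval Mode" is stored in the `TypeOfAdminApprovalMode` registry value (1 = legacy Admin Approval Mode, 2 = Administrator Protection); verify both against your own build before relying on them.

```powershell
# Added example, not part of the original article or of any Microsoft/Project Zero code.
# Assumptions: 4688 auditing is on; TypeOfAdminApprovalMode values as documented for the
# "Configure type of Admin Approval Mode" policy (1 = legacy, 2 = Administrator Protection).

# 1. Is Administrator Protection configured on this machine?
function Get-AdminProtectionState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key -Name TypeOfAdminApprovalMode -ErrorAction SilentlyContinue
    switch ($v.TypeOfAdminApprovalMode) {
        2       { 'AdministratorProtection' }
        1       { 'LegacyAdminApprovalMode' }
        default { 'NotConfigured' }
    }
}

# 2. Who is in the local Administrators group? (restrict this list)
function Get-LocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 3. Recent process creations that ran with a full (elevated) token.
#    TokenElevationType %%1937 = TokenElevationTypeFull; %%1938 = limited; %%1936 = default.
function Get-ElevatedProcessEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 500)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process   = $d.NewProcessName
            Parent    = $d.ParentProcessName
            Elevation = $d.TokenElevationType
            Label     = $d.MandatoryLabel   # S-1-16-12288 = High integrity
        }
      } | Where-Object { $_.Elevation -eq '%%1937' }
}

"Administrator Protection: $(Get-AdminProtectionState)"
"Local Administrators:"
Get-LocalAdmins | Format-Table -AutoSize
"Elevated process creations in the last 24h:"
Get-ElevatedProcessEvents | Format-Table Time, User, Process, Parent -AutoSize
```

Run it from an elevated PowerShell session, since reading the Security log requires administrator rights. Because Administrator Protection runs elevated tasks under the separate shadow administrator account rather than the user's own account, the `User` column of the 4688 output is a quick way to confirm which identity an elevation actually ran as; anything elevated that still shows the interactive user's account on a machine where the feature is enabled deserves a closer look.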