Bug in Windows 10 and Windows 11 Allow Gaining Administrator Rights
The Windows Registry acts as a configuration repository for the Windows operating system and contains password hashes, user preferences, configuration settings for applications, system decryption keys, and more.
The database files associated with the Windows registry are stored in the C: \ Windows \ system32 \ config folder and are split into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE. Since these files contain confidential information about all user accounts on the device and security tokens used by Windows features, they are not allowed to be viewed by non-elevated users.
This is especially important for the Security Account Manager (SAM) file because it contains password hashes for all users on the system that attackers can use to verify their identity.
The Windows 10 and Windows 11 registry files associated with SAM and all other registry databases are available to the low-privileged Users group on the device, Lyckegaard said. While testing Windows 11, the technician found that although the OS restricts access to these files for low-level users, the available copies of the files are stored in shadow copies. This issue appeared in Windows 10 code back in 2018, after the release of version 1809.
As temporary measures to prevent exploitation of the vulnerability, Microsoft experts recommend restricting access to the vulnerable folder and deleting shadow copies.