
Windows 11's New Security Feature Had 9 Vulnerabilities: Researcher Details the Flaws

Researcher finds 9 bypass methods in Windows 11 Administrator Protection during testing. Microsoft patched all flaws at launch.

Bypassing Windows Administrator Protection

Microsoft's flagship security upgrade for Windows 11 had a close call: a researcher found nine different ways to bypass it during testing.

Google Project Zero researcher James Forshaw discovered multiple vulnerabilities in Administrator Protection during its insider preview phase—a feature designed to replace the notoriously weak User Account Control (UAC) system, which has been silently compromised by malware for years. 

Microsoft fixed all the issues before and shortly after the official release in Windows 11 version 25H2. The feature aimed to create an actual security boundary, something UAC never achieved in its 18-year existence.

"I couldn't help myself and decided to at least take a look," Forshaw wrote, detailing how Microsoft reached out for his expertise during the insider preview phase. What he found was concerning: despite good intentions, the new system inherited nearly two decades of unfixed UAC bypasses.

The Shadow Account Weakness

Administrator Protection works by creating a "shadow administrator" account that runs elevated processes separately from your regular user account. Unlike UAC, where your limited and admin accounts share the same profile (making hijacking trivial), this shadow account should have been isolated.

The most elegant bypass Forshaw discovered exploited DOS device object directories, essentially the per-session mapping Windows uses to resolve drive letters like C:. By manipulating logon sessions (each identified by a unique ID assigned when you authenticate), he could hijack the C: drive mapping of administrator processes before they fully started, forcing them to load malicious code.

The vulnerability required five separate Windows behaviors to align perfectly, including a recent security mitigation that ironically made the exploit possible. "It's hard to point to the specific bug that causes it," Forshaw noted.

Note: As of 1st December 2025, the Administrator Protection feature has been disabled by Microsoft while an application compatibility issue is dealt with. The issue is unlikely to be related to anything described in this blog post, so the analysis doesn’t change.

What This Means for Users

Microsoft fixed all reported issues either before the official release through the optional update KB5067036 or via subsequent security bulletins. The feature launched successfully in Windows 11 25H2, but was later disabled on December 1, 2025, due to unrelated application compatibility problems.

Forshaw's assessment is mixed: "I do think it improves security over admin-approval UAC assuming it becomes enabled by default," he wrote, while criticizing Microsoft for not being "bold" enough with the redesign.

His advice remains unchanged: never run Windows as an administrator if you can avoid it, regardless of which UAC version you're using. The safest approach is to limit admin privileges entirely and, obviously, not get malware on your machine in the first place.

For now, Administrator Protection remains disabled while Microsoft works out compatibility issues—a reminder that even well-intentioned security features need thorough vetting before deployment.
