Defending Against Windows Administrator Protection Bypasses via UI Access
Microsoft recently introduced "Administrator Protection" as a significant evolution in the Windows User Account Control (UAC) security model. Designed to create a secure boundary for UAC where one previously did not exist, this feature aims to prevent malicious applications from silently elevating privileges. However, recent research from Google Project Zero has highlighted critical weaknesses in this new feature, specifically regarding the implementation of UI Access.
For IT and security teams, understanding these bypasses is essential. While these vulnerabilities have been addressed by Microsoft, they underscore the persistent difficulty of securing the interaction between user interfaces and privileged system contexts. This post details the mechanics of the bypass, the risks involved, and the specific steps defenders must take to secure their environments.
Technical Analysis
The Vulnerability: UI Access Abuse
At the heart of this research is the Windows "UI Access" feature. Introduced to support assistive technologies (like screen readers), UI Access allows specific applications to bypass User Interface Privilege Isolation (UIPI). This enables them to drive the input of higher-privileged processes and interact with the secure desktop (the screen where UAC prompts appear).
To qualify for UI Access, an application must generally:
- Be signed by a valid certificate.
- Reside in a secure file location (e.g., Program Files).
- Be launched with a specific manifest flag declaring UI Access.
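The following PowerShell is an added example, not code from the original post or from Project Zero, that checks a single executable against the three conditions just listed. Instead of string-matching raw file bytes, it pulls the real embedded manifest (the RT_MANIFEST resource) out of the image via the Win32 resource APIs, loading the file as a data image so that no code from it runs, then parses the XML for the requestedExecutionLevel element, checks the Authenticode signature, and tests whether the file sits under one of the secure roots. The function names (Get-EmbeddedManifest, Test-UIAccessEligibility) and the list of secure roots (Program Files, Program Files (x86), System32) are this example's own assumptions; it runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example: verify one binary against the UI Access eligibility conditions.
# Not part of the original post; function names and secure-root list are assumptions.

Add-Type -Namespace UiAccessAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr FindResourceW(IntPtr hModule, IntPtr lpName, IntPtr lpType);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll")]
public static extern IntPtr LockResource(IntPtr hResData);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
'@

function Get-EmbeddedManifest {
    # Returns the raw bytes of the RT_MANIFEST resource (ID 1) or $null if absent.
    param([Parameter(Mandatory)][string]$Path)
    # LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE: map the file for
    # resource access only; DllMain/entry point is never executed.
    $loadFlags = [uint32]0x22
    $RT_MANIFEST = [IntPtr]24
    $CREATEPROCESS_MANIFEST_ID = [IntPtr]1
    $hModule = [UiAccessAudit.Native]::LoadLibraryExW($Path, [IntPtr]::Zero, $loadFlags)
    if ($hModule -eq [IntPtr]::Zero) { return $null }
    try {
        $hRes = [UiAccessAudit.Native]::FindResourceW($hModule, $CREATEPROCESS_MANIFEST_ID, $RT_MANIFEST)
        if ($hRes -eq [IntPtr]::Zero) { return $null }      # no embedded manifest
        $size = [UiAccessAudit.Native]::SizeofResource($hModule, $hRes)
        $ptr  = [UiAccessAudit.Native]::LockResource([UiAccessAudit.Native]::LoadResource($hModule, $hRes))
        $bytes = New-Object byte[] $size
        [System.Runtime.InteropServices.Marshal]::Copy($ptr, $bytes, 0, [int]$size)
        return $bytes
    } finally {
        [void][UiAccessAudit.Native]::FreeLibrary($hModule)
    }
}

function Test-UIAccessEligibility {
    # Evaluates manifest flag, signature and file location for one executable.
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Secure roots assumed for this example (approximates the Windows rule).
    $secureRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:windir\System32") | Where-Object { $_ }
    $inSecurePath = [bool]($secureRoots | Where-Object {
        $full.StartsWith($_.TrimEnd('\') + '\', 'OrdinalIgnoreCase') })

    $requestsUiAccess = $false
    $level = $null
    $bytes = Get-EmbeddedManifest -Path $full
    if ($bytes) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load([System.IO.MemoryStream]::new($bytes))     # Load() copes with a UTF-8 BOM
        # Namespace-agnostic lookup: manifests use the asmv2/asmv3 namespaces inconsistently.
        $node = $doc.SelectSingleNode("//*[local-name()='requestedExecutionLevel']")
        if ($node) {
            $level = $node.GetAttribute('level')
            $requestsUiAccess = ($node.GetAttribute('uiAccess') -eq 'true')
        }
    }

    $sig = Get-AuthenticodeSignature -FilePath $full
    [pscustomobject]@{
        Path                = $full
        RequestsUiAccess    = $requestsUiAccess
        ExecutionLevel      = $level
        SignatureStatus     = $sig.Status
        Signer              = $sig.SignerCertificate.Subject
        InSecureLocation    = $inSecurePath
        # A binary that requests UI Access but fails either other check deserves a look.
        EligibleForUiAccess = $requestsUiAccess -and $inSecurePath -and ($sig.Status -eq 'Valid')
    }
}

# Usage: one binary, or every executable under Program Files that requests UI Access.
Test-UIAccessEligibility -Path "$env:windir\System32\osk.exe"
Get-ChildItem "$env:ProgramFiles" -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Test-UIAccessEligibility -Path $_.FullName } |
    Where-Object RequestsUiAccess | Format-Table -AutoSize
```

The useful rows are the ones where RequestsUiAccess is true but InSecureLocation or SignatureStatus is not what the three conditions require: those are binaries that should never be granted UI Access and are worth explaining, whether they turn out to be a misdeployed accessibility tool or something that does not belong on the host.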
The Project Zero researcher discovered that the logic validating these conditions within the new Administrator Protection feature was flawed. In total, nine bypasses were identified before the feature's full release, with five stemming specifically from how UI Access was implemented.
The Root Cause
The research highlights that the validation logic for UI Access applications has been a long-standing, under-appreciated problem within UAC. By abusing the way Windows verifies the identity and intent of UI Access applications, an attacker could trick the system into believing a malicious payload was a trusted accessibility tool. This allowed the attacker to bypass the secure boundary intended by Administrator Protection and execute code with high privileges without the standard user consent dialogs.
Affected Systems and Severity
These vulnerabilities affect modern Windows environments utilizing the Administrator Protection feature (primarily Windows 11 builds and upcoming versions). The severity is high, as a successful bypass effectively neutralizes a primary defense against privilege escalation. Microsoft has since patched the identified bypasses, reinforcing the checks required for an application to leverage UI Access privileges.
Defensive Monitoring
Defenders should actively monitor for abuse of UI Access privileges and ensure systems are patched against these bypasses. The following scripts and queries can assist in detection and verification.
1. PowerShell: Audit for Binaries Requesting UI Access
This script scans a specified directory (e.g., C:\Program Files) for executable files whose contents include a manifest requesting UI Access (uiAccess="true"). It is a string-match heuristic over the raw file bytes rather than a full manifest parse, but it is enough to inventory legitimate tools and flag potentially suspicious binaries attempting to leverage this powerful capability, and it warns when such a binary is not validly signed.
#Requires -RunAsAdministrator
$Path = "C:\Program Files"
$Pattern = 'uiAccess\s*=\s*"true"'
Write-Host "[+] Scanning $Path for executables requesting UI Access..." -ForegroundColor Cyan
Get-ChildItem -Path $Path -Recurse -Include *.exe -ErrorAction SilentlyContinue | ForEach-Object {
    $FilePath = $_.FullName
    try {
        # Read the file as text and look for the manifest attribute (simple heuristic,
        # not a resource parse; the manifest XML is stored as plain text inside the image)
        $Content = [System.IO.File]::ReadAllText($FilePath)
        if ($Content -match $Pattern) {
            Write-Host "[!] UI Access Request Found: $FilePath" -ForegroundColor Yellow
            # UI Access also requires a valid Authenticode signature; flag anything that lacks one
            $Sig = Get-AuthenticodeSignature $FilePath
            if ($Sig.Status -ne 'Valid') {
                Write-Host "    [WARNING] File is not properly signed or signature is invalid." -ForegroundColor Red
            }
        }
    } catch {
        # Ignore read/decoding errors on files that cannot be loaded as text
    }
}
Write-Host "[+] Scan complete." -ForegroundColor Green
2. KQL: Detect Suspicious High-Integrity Process Creations
This query for Microsoft Sentinel or Defender for Endpoint lists processes running at high integrity (Admin or System) that are unsigned or that execute from a user-writable path under Users, a combination that may indicate a bypass attempt. Processes started by the SYSTEM account are excluded to cut service and system noise.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where isnotempty(ProcessIntegrityLevel)
| where ProcessIntegrityLevel in ("High", "System")
// Exclude processes launched by the SYSTEM account (service and system activity)
| where InitiatingProcessAccountName != "SYSTEM"
// Unsigned, or running from a user-writable location
| where ProcessVersionInfoHasSignature == false or FolderPath contains "Users"
| project Timestamp, DeviceName, FileName, FolderPath, ProcessIntegrityLevel, SHA256, InitiatingProcessFileName
| order by Timestamp desc
Remediation
To protect your organization against these bypasses and strengthen your UAC defenses, implement the following remediation steps:
1. Apply Latest Windows Security Updates: Ensure all endpoints are updated with the latest cumulative updates from Microsoft. The fixes for the nine bypasses identified by Project Zero are included in recent patch releases. Prioritize patching for workstations where users frequently run with standard user accounts but require local admin rights for specific tasks.
2. Enforce Strict Code Signing Policies: Since UI Access requires valid code signing, enforcing application control policies like Windows Defender Application Control (WDAC) can prevent unsigned or improperly signed binaries from leveraging UI Access. Ensure that only trusted accessibility vendors are allowed in your allow-list.
3. Review Installed Accessibility Software: Audit your environment for legitimate assistive technologies. Ensure that any software requiring UI Access is necessary, up-to-date, and verified. Remove any legacy or unknown accessibility tools that could serve as a potential attack vector.
4. Monitor for Administrator Protection Status: As Administrator Protection rolls out, verify its status via Group Policy or Intune settings. Ensure it is enabled for standard user profiles to provide the intended security boundary against malware attempting elevation.