Microsoft's Windows 11 25H2 release introduces "Administrator Protection," a significant architectural shift designed to replace the long-standing User Account Control (UAC). While the goal is to provide a more securable mechanism for managing local administrator privileges, the introduction of new security surfaces inevitably invites scrutiny.
Recent security research identified nine separate vulnerabilities in the Administrator Protection feature during its insider preview phase. These flaws allowed attackers to bypass the new protection mechanisms entirely, silently gaining full administrator privileges without triggering the expected consent prompts. Although Microsoft addressed these issues prior to the official feature release via optional updates, defenders must understand the mechanics of these bypasses to ensure their environments are patched and monitored against similar privilege escalation techniques. This breakdown provides the technical context and necessary defensive controls.
Technical Analysis
Affected Products and Versions:
- Platform: Windows 11 (Version 25H2)
- Specific Builds: Insider Preview builds prior to official release stabilization.
Vulnerability Overview:
- Component: Administrator Protection (Replacement for UAC)
- Class: Privilege Escalation / Security Feature Bypass
- Status: Fixed (Patched in optional updates pre-release; expected in general availability rollouts).
How the Vulnerability Works: Administrator Protection functions by introducing a stricter verification layer for administrative tasks, essentially brokering requests to elevate privileges. The research detailed a specific bypass where the logic intended to verify the caller's integrity or the legitimacy of the elevation request could be circumvented.
- Attack Vector: The attacker (often with standard user access or medium integrity) executes a malicious binary or script.
- The Bypass: By exploiting a flaw in how Administrator Protection handles specific system calls or file operations (e.g., leveraging auto-elevation paths or manipulating the new broker process), the attacker tricks the system into granting high-integrity tokens.
- Impact: The attacker achieves a silent elevation to "Administrator" without the user being prompted for confirmation or credentials. This effectively provides a full compromise of the local endpoint, allowing for persistence, defense evasion, and lateral movement.
Exploitation Status: While the vulnerabilities were discovered during the preview phase and have been patched by Microsoft, the proof-of-concept (PoC) code demonstrates that the feature, if misconfigured or left unpatched, is susceptible to reliable bypasses. Defenders should treat this as a high-priority patching requirement for any 25H2 deployments.
Detection & Response
The following detection rules aim to identify suspicious behaviors associated with privilege escalation attempts, specifically targeting the techniques used to bypass UAC and similar protection mechanisms. While Administrator Protection introduces new binaries, the result of a bypass often looks similar to traditional UAC bypasses: a high-integrity shell spawned from a signed system binary.
Sigma Rules
---
title: Potential Administrator Protection / UAC Bypass via FodHelper
id: 8c8a7b6c-1234-4567-89ab-cdef12345678
status: experimental
description: Detects the suspicious spawn of a command shell (cmd.exe or powershell.exe) from FodHelper.exe, a common auto-elevating binary often abused in UAC/Admin Protection bypasses.
references:
- https://attack.mitre.org/techniques/T1548/002/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\FodHelper.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Legitimate administration using FodHelper (rare)
level: high
---
title: Suspicious Child Process of ComputerDefaults
id: 9d9b8c7d-2345-5678-90bc-def123456789
status: experimental
description: Detects execution of shell commands via ComputerDefaults.exe, a known vector for bypassing UAC and potentially Administrator Protection if logic flaws exist.
references:
- https://attack.mitre.org/techniques/T1548/002/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ComputerDefaults.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
condition: selection
falsepositives:
- Administrator debugging
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for the spawn of command-line interpreters (cmd, powershell) from parent processes that are typically used for auto-elevation. This is the primary behavioral indicator of a successful bypass.
// Hunt for suspicious elevation bypasses
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~("FodHelper.exe", "ComputerDefaults.exe", "eventvwr.exe", "msc.exe")
| where FileName in~("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for process creation events where the parent process is a known auto-elevation binary and the child is a shell.
-- Hunt for UAC/Admin Protection Bypass Patterns
SELECT Pid, Name, CommandLine, Exe, Username, Parent.Pid AS ParentPid, Parent.Name AS ParentName, Parent.CommandLine AS ParentCmd
FROM pslist()
WHERE Parent.Name =~ "FodHelper.exe"
OR Parent.Name =~ "ComputerDefaults.exe"
OR Parent.Name =~ "eventvwr.exe"
AND Name =~ "cmd.exe" OR Name =~ "powershell.exe"
Remediation Script (PowerShell)
This script verifies the current OS build to ensure it includes the fixes for the Administrator Protection bypasses (CVEs related to 25H2 preview fixes) and checks that the feature is active.
# Check Windows Build for Administrator Protection Bypass Fixes
$BuildNumber = [System.Environment]::OSVersion.Version.Build
$CurrentVersion = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$DisplayVersion = $CurrentVersion.DisplayVersion
Write-Host "Checking Windows 11 Administrator Protection Security Status..." -ForegroundColor Cyan
Write-Host "Current Build: $BuildNumber" -ForegroundColor White
Write-Host "Display Version: $DisplayVersion" -ForegroundColor White
# Check for known vulnerable preview builds (Example logic for remediation check)
# Note: Replace with specific KB article IDs or Build numbers from Microsoft Advisory when available.
# Assuming 25H2 release build is > 26000 with specific hotfix.
if ($BuildNumber -lt 26100) {
Write-Host "WARNING: Build may be vulnerable to Administrator Protection bypasses." -ForegroundColor Red
Write-Host "Action Required: Apply the latest cumulative update for Windows 11 25H2." -ForegroundColor Yellow
} else {
Write-Host "Build is generally updated. Ensure the specific optional update (KBXXXXXXX) is installed." -ForegroundColor Green
}
# Verify Administrator Protection State (Registry Check)
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Note: Admin Protection registry keys are specific to implementation, example placeholder:
# $AdminProtState = (Get-ItemProperty $RegPath).AdministratorProtection
# Write-Host "Administrator Protection State: $AdminProtState"
Remediation
To address the vulnerabilities identified in Windows 11 Administrator Protection and ensure your environment is secured against privilege escalation:
- Patch Management: Apply the latest Windows 11 cumulative updates immediately. The nine vulnerabilities discovered during the preview phase have been fixed. Ensure your build version incorporates these fixes.
- Review Optional Updates: If you are running early versions of 25H2, verify that all "optional updates" released prior to general availability (which contained the emergency fixes) have been installed.
- Validate Feature Configuration: Once patched, review the configuration of Administrator Protection. Ensure it is enabled and correctly brokering requests. Do not rely solely on this new feature; run it in conjunction with other controls like Least Privilege access (LPA) and Just-In-Time (JIT) elevation.
- Audit Administrative Accounts: Reduce the number of local administrators. If an attacker cannot access a user with administrative privileges, the impact of a bypass is significantly mitigated.
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.