What you need to know
- Microsoft acknowledges an admin privileges vulnerability in a new security advisory.
- The vulnerability affects PCs running Windows 11 or Windows 10.
- If exploited, the vulnerability could allow people with low privileges to access Registry files.
Windows 11 and Windows 10 PCs have a vulnerability that allows users with low privileges to access Registry files. We reported on the issue in depth on July 20, 2021, but Microsoft has since acknowledged the issue in a security advisory.
"We are investigating and will take appropriate action as needed to help keep customers protected," said Microsoft in a statement to BleepingComputer.
The Windows Registry stores several types of sensitive information, including passwords and decryption keys. As a result, Registry files are only supposed to be accessible to users with elevated privileges. The vulnerability affects PCs running Windows 11 or Windows 10.
Security researcher Jonas Lykkegaard flagged the vulnerability to BleepingComputer. Lykkegaard discovered that Registry files associated with the Security Account Manager and other Registry databases could be accessed by anyone in the "Users" group of a device that has low privileges.
There's a chance that this vulnerability is related to the Windows Update process. The issue has been confirmed on a fully patched Windows 10 20H2 build, but it has also been noted that it is not present on PCs with a clean installation of Windows 10 20H2.
Microsoft shared a workaround for the vulnerability in its security advisory:
Restrict access to the contents of %windir%\system32\config
- Open Command Prompt or Windows PowerShell as an administrator.
- Run this command: icacls %windir%\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) shadow copies
- Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Create a new System Restore point (if desired).
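The following PowerShell script is an added example, not code from the article or from Microsoft's advisory. Run from an elevated prompt, it checks whether the low-privilege BUILTIN\Users group currently holds read access on the hive files in %windir%\System32\config (the condition described above), reports how many shadow copies exist that would still carry readable copies of those hives, and, only when the assumed -Remediate switch is given, applies both parts of the workaround. The function names Test-HiveExposure, Get-ExposedHives and Get-ShadowCopyCount and the -Remediate switch are this example's own; Get-Acl, Get-CimInstance with Win32_ShadowCopy, icacls and vssadmin are the built-in tools it calls.

```powershell
# Added example (not from the article or the advisory). Run elevated.
# Checks hive-file ACLs for BUILTIN\Users read access, counts shadow copies,
# and with the assumed -Remediate switch applies the two-part workaround.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$configDir = Join-Path $env:windir 'System32\config'
# SAM is named in the article; SECURITY and SYSTEM sit beside it and are the
# other hives a standard user should never be able to read.
$hives = 'SAM', 'SECURITY', 'SYSTEM'

function Test-HiveExposure {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    # An Allow ACE for BUILTIN\Users that carries ReadData is the exposure: any
    # local user could copy the hive (or a shadow copy of it). Generic rights
    # such as GENERIC_ALL appear as raw numbers without the ReadData bit set,
    # so those are matched by their string form as well.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne 'BUILTIN\Users') { continue }
        $rights = $ace.FileSystemRights
        if ((($rights -band $readData) -ne 0) -or ("$rights" -match 'FullControl|^-?\d+$')) {
            return $true
        }
    }
    return $false
}

function Get-ExposedHives {
    foreach ($name in $hives) {
        $path = Join-Path $configDir $name
        if ((Test-Path -LiteralPath $path) -and (Test-HiveExposure -Path $path)) { $path }
    }
}

function Get-ShadowCopyCount {
    # Shadow copies taken before the ACL fix still hold the hives with their old,
    # readable permissions, which is why the advisory makes deleting them the
    # second mandatory part of the workaround.
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
    return @($shadows).Count
}

$exposed = @(Get-ExposedHives)
if ($exposed.Count -gt 0) {
    Write-Warning "BUILTIN\Users has read access to: $($exposed -join ', ')"
} else {
    Write-Host "No hive in $configDir grants read access to BUILTIN\Users."
}
Write-Host "Shadow copies currently on this machine: $(Get-ShadowCopyCount)"

if ($Remediate) {
    # Part 1: re-enable ACL inheritance so the hive files take the directory's
    # admin-only permissions. $configDir is used instead of %windir% because
    # PowerShell does not expand cmd-style %VAR% references.
    & icacls "$configDir\*.*" /inheritance:e

    # Part 2: delete existing shadow copies of the system volume. This is
    # destructive (it also removes System Restore points), which is why the
    # advisory suggests creating a fresh restore point afterwards if desired.
    & vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet

    $stillExposed = @(Get-ExposedHives)
    if ($stillExposed.Count -eq 0) {
        Write-Host "Hive permissions are now restricted; shadow copies remaining: $(Get-ShadowCopyCount)"
    } else {
        Write-Warning "Still readable by BUILTIN\Users: $($stillExposed -join ', ')"
    }
}
```

Two practical points the advisory's one-liner glosses over: %windir% is a Command Prompt convention, so when typing the icacls command into PowerShell use $env:windir instead, and running icacls alone leaves any pre-existing shadow copies with the old, readable hive permissions, so the check should be repeated only after both parts have been applied.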
While security issues aren't rare, several notable vulnerabilities have caused problems with Windows recently. The Print Spooler saga started at the beginning of this month and continues to be a problem.
Sean Endicott is the news writer for Windows Central. If it runs Windows, is made by Microsoft, or has anything to do with either, he's on it. Sean's been with Windows Central since 2017 and is also our resident app expert. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org.
Not to be that guy, but this is not two workarounds but one with two parts; both are required. Their last line is "Note You must restrict access and delete shadow copies to prevent exploitation of this vulnerability."
For 99.9999% of users, they should just wait until Microsoft rolls out a fix. Access to these files requires malware to be on your PC already and you have bigger problems if that's the case.