Windows 11 25H2 introduced Administrator Protection, a feature designed to replace User Account Control (UAC) with a more robust privilege elevation mechanism. According to a Google Project Zero write-up, a researcher discovered nine distinct vulnerabilities in the feature during its insider preview phase, each capable of silently granting full administrator privileges to a limited user process.
Why UAC Needed a Replacement
UAC, introduced in Windows Vista, was never designated a hard security boundary. Its core design flaw was that the limited user and the administrator account were the same Windows account, differentiated only by token groups and privileges. This shared identity meant both contexts accessed the same profile directory and registry hive, opening several attack paths.
The situation worsened in Windows 7 when Microsoft introduced auto-elevation, allowing select Microsoft-signed binaries to elevate without showing a prompt. The UACMe project currently catalogs 81 known techniques for bypassing UAC, and silent bypasses affecting the latest Windows 11 builds remain unpatched today.
How Administrator Protection Differs
Administrator Protection draws from a more secure UAC mechanism previously reserved for non-administrator users: over-the-shoulder elevation. That mechanism creates a clean separation between the limited user context and the elevated one. Administrator Protection extends this model by automatically provisioning a shadow administrator account tied to the user, removing the need for shared credentials.
- Profile data is not shared between the limited and elevated contexts, eliminating a key token-theft path.
- The limited user cannot open or impersonate the administrator token.
- Auto-elevation of Microsoft binaries is not supported; all elevation requires an explicit prompt.
- The user authenticates with their own credentials, including biometrics, rather than a separate administrator password.
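The separation described above can be verified from an ordinary user session. The following PowerShell script is an added example, not code from the Project Zero write-up: it launches one elevated child, has it report its SID, account name and profile path, and compares them with the limited caller's. Under classic UAC both contexts share the same SID and profile; under Administrator Protection the elevated process should run as the separate shadow administrator account. The scratch file path and the function name are assumptions.

```powershell
# Added example (not from the write-up): compare the identity and profile of an
# elevated process with those of the limited caller. Run from a non-elevated
# PowerShell; it triggers exactly one elevation prompt.
function Get-ElevationIdentityReport {
    $limited = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $outFile = Join-Path $env:TEMP 'elevated-identity.txt'   # assumed scratch path
    if (Test-Path $outFile) { Remove-Item $outFile -Force }

    # The elevated child writes its own SID, account name and profile path back.
    $childScript = @"
`$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"`$(`$id.User.Value)|`$(`$id.Name)|`$(`$env:USERPROFILE)" | Out-File -FilePath '$outFile' -Encoding ascii
"@
    # -EncodedCommand expects the script as base64 over UTF-16LE bytes.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded

    if (-not (Test-Path $outFile)) {
        throw 'Elevation was cancelled or the elevated child produced no output.'
    }
    $elevSid, $elevName, $elevProfile = (Get-Content $outFile -Raw).Trim() -split '\|'
    Remove-Item $outFile -Force

    [pscustomobject]@{
        LimitedSid      = $limited.User.Value
        LimitedName     = $limited.Name
        LimitedProfile  = $env:USERPROFILE
        ElevatedSid     = $elevSid
        ElevatedName    = $elevName
        ElevatedProfile = $elevProfile
        # Same SID and profile: UAC's shared-account model, where the elevated
        # context reads the same profile and hive the limited user can write to.
        # Different SID and profile: a separate elevated identity, as Administrator
        # Protection provides.
        SeparateIdentity = ($elevSid -ne $limited.User.Value) -and
                           ($elevProfile -ne $env:USERPROFILE)
    }
}

Get-ElevationIdentityReport | Format-List
```

With the feature currently disabled (see below), the report shows matching SIDs and profiles, which is the legacy UAC behaviour the write-up contrasts against.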
Vulnerabilities Found and Fixed
The Project Zero researcher found nine separate issues allowing silent bypass of Administrator Protection. All were reported to Microsoft and have been remediated, either before the feature’s public release via optional update KB5067036 or through subsequent security bulletins. The write-up details one of the nine vulnerabilities as a worked example.
Microsoft has separately disabled the Administrator Protection feature as of December 1, 2025, to address an unrelated application compatibility issue. The researcher notes this does not affect the security analysis presented.
Outlook
The research underscores that even a redesigned elevation architecture requires careful implementation review. With all nine reported issues now patched, Administrator Protection is positioned as a genuine security boundary rather than carrying the advisory-only status UAC has had for years. Whether the feature holds up under further scrutiny from the broader research community remains to be seen once Microsoft re-enables it.
