
Bypassing Administrator Protection by Abusing UI Access #1889

Open
carlospolop wants to merge 1 commit into master from update_Bypassing_Administrator_Protection_by_Abusing_UI_A_20260212_190258

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://projectzero.google/2026/02/windows-administrator-protection.html
  • Blog Title: Bypassing Administrator Protection by Abusing UI Access
  • Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (add/extend a subsection around UAC/Admin Protection bypasses via UIAccess, RAiLaunchAdminProcess/AppInfo, and secure-directory/path validation bypass techniques; cross-reference with Integrity Levels/UIPI and DLL injection via Windows hooks)

🎯 Content Summary

Title / scope
Google Project Zero analyzes why Windows' new Administrator Protection (Admin Protection) was bypassable via long-standing design/implementation problems around UIAccess. The author found 9 Admin Protection bypasses total; this post explains the root cause behind 5 of the 9. All are now fixed.

1) Background: Shatter attacks → UIPI (why UI isolation exists)
Before Windows Vista, any process on the interactive desktop could c...

🔧 Technical Details

UIAccess → silent High-IL foothold trick: if you can satisfy (or bypass) UIAccess gating (manifest uiAccess="true", trusted code signature, and “secure directory” placement), you can use RAiLaunchAdminProcess to spawn a UIAccess process without a UAC prompt. The service copies the caller token, enables UIAccess, and often elevates integrity to High (limited user of an admin → High; normal user → IL+16 up to High). Once you have a High-IL process on the same desktop, you can compromise other High-IL processes using same-IL UI primitives; in particular, windows hooks can be used to inject a DLL into any process with a window (including message-only windows used by COM), breaking the intended Admin Protection boundary.

Secure-directory validation bypass pattern: the UAC service validates paths via AiCheckSecureApplicationDirectory (appinfo.dll) by opening the provided RPC path, resolving it with GetFin...

🤖 Agent Actions

Summary:

  • Added a dedicated page on Admin Protection/UIAccess abuse covering silent High-IL spawning via RAiLaunchAdminProcess, token shaping, UIPI/window-hook injection impacts, AppInfo secure-directory validation weaknesses (named streams, writable roots, WindowsApps/MSIX), and discovery workflow with PowerShell access checks.
  • Linked the new UIAccess/Admin Protection bypass content from the Windows Local Privilege Escalation index under Windows Security Controls.

Tests:

  • Not run (documentation-only changes).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 945
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
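The PR description above notes that one of the UIAccess gates is placement of the binary in a "secure directory", and that the added page includes a discovery workflow built on PowerShell access checks. The script below is an added hardening audit for that gate; it is not code from the PR, the HackTricks repository, or the Project Zero post. It walks the directory roots that are conventionally trusted for UIAccess applications and reports any directory where a low-privileged principal holds write or create rights, which is the condition a defender wants to find and fix before an attacker does. The root list and the set of low-privileged SIDs are assumptions for illustration; adjust both for the host being reviewed.

```powershell
# Added example (not from the PR or the blog post): audit the directory roots that are
# conventionally trusted for UIAccess binaries and flag subdirectories where low-privileged
# principals can create or modify files. Run from an elevated prompt for full coverage.

# Assumption: these are the roots to audit; extend the list if your environment trusts more.
$secureRoots = @(
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:SystemRoot\System32"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Well-known SIDs that should never hold write/create rights under these roots.
# Matching on SIDs rather than names keeps the check valid on localized Windows builds.
$lowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0',       # Everyone
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

# Any of these rights lets a principal plant or alter a file in the directory.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Test-WeakDirectoryAcl {
    # Returns one finding object per Allow ACE that grants a low-privileged SID write rights.
    param([Parameter(Mandatory)][string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return   # access denied or unreadable reparse point; skip silently
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned or untranslatable identity; not one of the well-known SIDs
        }
        if ($lowPrivSids -notcontains $sid) { continue }

        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($root in $secureRoots) {
    Test-WeakDirectoryAcl -Path $root
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-WeakDirectoryAcl -Path $_.FullName }
}

if ($findings) {
    $findings | Sort-Object Path | Format-Table -AutoSize
} else {
    Write-Host "No low-privileged write access found under the audited roots."
}
```

Some installers legitimately grant Users write access to their own subdirectories, so treat each finding as a review item rather than a defect on its own; the relevant question is whether a standard user could place a binary there that the UAC service would later treat as coming from a trusted location.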

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://projectzero.google/2026/02/windows-administrator-protection.html

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (add/extend a subsection around UAC/Admin Protection bypasses via UIAccess, RAiLaunchAdminProcess/AppInfo, and secure-directory/path validation bypass techniques; cross-reference with Integrity Levels/UIPI and DLL injection via Windows hooks)".

Repository Maintenance:

  • MD Files Formatting: 945 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
