A vulnerability has been found affecting Windows 10 and Windows 11 that allows local elevation of privilege: a user with low privileges can read sensitive Registry database files.
The Windows Registry is the configuration repository for the Windows OS and contains hashed passwords, user customization, configuration options for applications and system decryption keys.
The Windows Registry is backed by very sensitive database files (hives), which are stored in the C:\Windows\system32\config folder and split into separate files such as SYSTEM, SECURITY, SAM, DEFAULT and SOFTWARE.
Because these files contain information about every user account on the device and the security tokens used by Windows features, they should be readable only by users with elevated privileges. This applies especially to the Security Account Manager (SAM) file, which holds the hashed passwords of all users on the device.
It was discovered that the Registry files associated with SAM are accessible to the ‘Users’ group, which has low privileges on a device. Because of these lax file permissions, a malicious user with limited privileges on a device can obtain the NTLM password hashes of all accounts on that device and then use those hashes in a pass-the-hash attack to gain elevated privileges.
It should also be noted that this vulnerability not only allows escalation of privileges, but also leaves a device open to Silver Ticket attacks.
To find out whether your device is affected by this vulnerability, run the following command in Command Prompt:
If the following permission is displayed, your Windows installation is affected by this vulnerability.
To block exploitation of this vulnerability temporarily, take the following steps:
1. Restrict access to the contents of %windir%\system32\config:
- Open Command Prompt or Windows PowerShell as an administrator.
Run this command in Command Prompt:
icacls %windir%\system32\config\*.* /inheritance:e
Run this command in Windows PowerShell:
icacls $env:windir\system32\config\*.* /inheritance:e
2. Delete Volume Shadow Copy Service (VSS) shadow copies:
- Delete any System Restore points and shadow volumes that existed before access was restricted, since they still contain readable copies of the hive files.
- Create a new System Restore point (if desired).
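The following PowerShell script is an added example and is not part of the CIRT alert or of any Microsoft guidance. It automates the check and the two-step workaround described above: it reads the ACL of each hive file in %windir%\system32\config, reports any hive that grants read access to BUILTIN\Users, and, when run with `-Remediate` from an elevated prompt, re-enables ACL inheritance with `icacls` and removes existing shadow copies with `vssadmin` before re-checking. The script name, the `-Remediate` switch and the function `Test-HiveExposed` are assumptions chosen for this example.

```powershell
# Check-HiveAcl.ps1 (added example; name and parameters are assumptions, not from the alert)
# Usage, from an elevated Windows PowerShell session:
#   .\Check-HiveAcl.ps1             # report only
#   .\Check-HiveAcl.ps1 -Remediate  # also apply the workaround steps 1 and 2
param(
    [switch]$Remediate
)

# Hive files named in the alert, resolved under %windir%\system32\config.
$hives = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT' |
    ForEach-Object { Join-Path $env:windir "system32\config\$_" }

function Test-HiveExposed {
    param([string]$Path)
    # A hive is exposed when an Allow ACE for BUILTIN\Users includes the
    # ReadData right, which is what lets a low-privileged user copy the file.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band
              [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-ExposedHives {
    # Returns the list of hive paths that are readable by BUILTIN\Users.
    $hives | Where-Object { (Test-Path $_) -and (Test-HiveExposed -Path $_) }
}

$exposed = @(Get-ExposedHives)
foreach ($hive in $hives) {
    if ($exposed -contains $hive) {
        Write-Warning "$hive is readable by BUILTIN\Users"
    } else {
        Write-Host "$hive : ok"
    }
}

if ($Remediate -and $exposed.Count -gt 0) {
    # Step 1 of the workaround: restore inherited permissions on the config folder contents.
    & icacls "$env:windir\system32\config\*.*" /inheritance:e

    # Step 2 of the workaround: delete existing shadow copies, which still hold
    # the hive files with the old, readable permissions. This also discards
    # existing System Restore points; create a new one afterwards if desired.
    & vssadmin delete shadows /all /quiet

    # Verify that the fix took effect.
    $stillExposed = @(Get-ExposedHives)
    if ($stillExposed.Count -eq 0) {
        Write-Host 'All hive files are now restricted.'
    } else {
        Write-Warning ("Still exposed: " + ($stillExposed -join ', '))
    }
}
```

Get-Acl can read a hive's security descriptor even though the file itself is locked by the system, so the check works without copying anything. The remediation branch needs an elevated session; without it `icacls` and `vssadmin` will fail with access denied.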
For more information on this alert, please follow the URL:
The Guyana National CIRT recommends that users and administrators review this alert and apply updates where necessary.
Abrams, Lawrence (2021, July 20). New Windows 10 vulnerability allows anyone to get admin privileges. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/microsoft/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges/
Gatlan, Sergiu (2021, July 21). Microsoft shares workaround for Windows 10 SeriousSAM vulnerability. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-workaround-for-windows-10-serioussam-vulnerability/