Microsoft issues workaround for new Win10 privilege escalation problem

Microsoft has quickly issued a workaround for Windows 10 systems after the discovery of a serious vulnerability that could allow a successful attacker to increase their access to a compromised computer.

The problem is in Windows’ security account manager (SAM), which stores user accounts and security descriptors for users on a computer.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft said in an advisory.

“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

According to a news story on Ars Technica, reading the SAM database makes it possible to extract cryptographically protected password data, discover the password used to install Windows, obtain the computer keys for the Windows data protection API—which can be used to decrypt private encryption keys—and create an account on the vulnerable machine. The result is that the local user can elevate their privileges all the way to System, the highest level in Windows.

However, an attacker must already be able to execute code on the victim system to exploit this vulnerability. So far Microsoft has confirmed that the issue affects Windows 10 version 1809 and newer versions of the operating system.

Microsoft said in its advisory that it is continuing to investigate and will provide updates as they become available.

The issue was discovered by researcher Jonas Lykkegaard while working on a problem he found in the upcoming Windows 11. It was considered serious enough that the U.S. Computer Emergency Response Team (CERT) issued a vulnerability notice.

The issue has been assigned the vulnerability identifier CVE-2021-36934.

Workaround

The workaround involves removing existing Windows volume shadow copies and correcting the errant permissions:

Restrict access to the contents of %windir%\system32\config

  1. Open Command Prompt or Windows PowerShell as an administrator.
  2. Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  2. Create a new System Restore point (if desired).

Deleting shadow copies could impact the ability to restore operations, Microsoft warns, including the ability to restore data with third-party backup applications.

It also warns administrators that they must both restrict access and delete shadow copies to prevent exploitation of this vulnerability; doing only one of the two leaves the system exposed.
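The following script is an added example, not code from the article or from Microsoft's advisory. Run from an elevated PowerShell prompt, it reports whether the SAM, SECURITY and SYSTEM hives under %windir%\system32\config are readable by BUILTIN\Users (the condition behind CVE-2021-36934), lists the shadow copies that could still expose old copies of those hives, and, when given -Fix, applies the three workaround steps above. The hive names, the -Fix switch and the restore-point description are assumptions made for this example.

```powershell
# Added example (not from the article or from Microsoft): check for the
# CVE-2021-36934 condition and optionally apply the published workaround.
param([switch]$Fix)

# Hives to inspect (assumed set; SAM is the one the article focuses on).
$hives = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path "$env:windir\System32\config" $_ }

function Test-HiveExposed([string]$Path) {
    # An Allow ACE for BUILTIN\Users that includes ReadData means any local
    # user can copy the hive once a shadow copy makes the locked file readable.
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -Path $Path
    $bad = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -ne 0)
    }
    return [bool]$bad
}

Write-Host "Hive permissions:"
foreach ($h in $hives) {
    $state = if (Test-HiveExposed $h) { 'EXPOSED (Users can read)' } else { 'ok' }
    Write-Host ("  {0,-45} {1}" -f $h, $state)
}

# Existing shadow copies keep the old ACLs, so they matter even after the fix.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Host "Shadow copies present: $($shadows.Count)"
foreach ($s in $shadows) { Write-Host ("  {0}  {1}" -f $s.InstallDate, $s.DeviceObject) }

if ($Fix) {
    # Step 1 from the article: restrict access to the config directory contents.
    icacls "$env:windir\System32\config\*.*" /inheritance:e | Out-Null
    # Step 2: delete every shadow copy created under the permissive ACLs.
    # This also removes System Restore points (see the warning in the article).
    $shadows | Remove-CimInstance
    # Step 3 (optional): create a fresh restore point under the corrected ACLs.
    Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' `
        -RestorePointType MODIFY_SETTINGS
    Write-Host "Workaround applied; re-run without -Fix to verify."
}
```

Re-running the script without -Fix afterwards should report every hive as "ok" and zero shadow copies; Checkpoint-Computer may decline to create a second restore point within 24 hours of the previous one.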

Pragya Sehgal