Local Windows users can view Registry file with admin password hashes

A vulnerability in Windows makes it possible for local users to request a registry file containing hashes and security tokens from admin users. An incorrectly configured Access control list allows users to access info in the Security Account Manager.

The bug could lead to a local privilege escalation, where attackers could elevate local privileges to admin privileges. The bug was discovered by security researcher Jonas Lykkegaard who was looking at Windows 11. Later it turned out that the bug could also be exploited in Windows 10. The bug has been there for years, but had never been noticed until now.

The vulnerability is in the Security Account Manager. It stores hashes of the passwords of all users on a system. Lykkegaard discovered that in Windows 10 and Windows 11, those files in the Registry are accessible with Read privileges to all users on a system. This is initially prevented because Registry files are in use by the system and therefore cannot be copied, but if Volume Shadow Copies are enabled, this can be circumvented because an attacker can then take a snapshot of the Registry files.

Microsoft has since acknowledged the vulnerability. The company has registered it as CVE-2021-36934. The bug can be exploited on at least Windows 10 1809 and newer versions. From that version, Microsoft changed the permissions for users. There is no patch available yet, but Microsoft does mention a workaround. Admins can disable access to %windir%system32config, and delete existing System Restore save points.