A new vulnerability has been discovered in Windows 10 that allows anyone to get administrator privileges. The vulnerability stems from an issue with the file access permissions on some files associated with the Windows registry.
The SAM file stores user credentials for the users on a computer and should be off limits to the outside world. In practice, however, the SAM file's permissions allow anyone to access it. You might not usually notice that, because the file is constantly in use by Windows, which makes it inaccessible to users. But this vulnerability in Windows 10 opens a whole can of worms.
Windows backs up these files when creating Shadow Copies of a drive, and the backed-up files aren’t in use. Because they still have the same permissions, any user on the computer can access a backed-up SAM file and see the login credentials for other users. That includes administrators, so you can easily log into an account that has administrator privileges. The user can then change the password and use the new password to perform any tasks that require administrator privileges.
This vulnerability was apparently introduced with Windows 10 version 1809, when Microsoft changed the permissions on registry files. While the vulnerability is still present in Windows 10 version 20H2, that seems to be the case only if you’ve upgraded to this version. If Windows 10 version 20H2 is clean-installed, the issue doesn’t persist.
That does make this vulnerability somewhat limited in scope. A Shadow Copy of the drive must have been created in the past, so that an accessible SAM file exists. The PC must also have been in use for some time without a clean install. Regardless, it’s a major oversight that could cause serious problems. Hopefully, Microsoft will issue a fix that applies to existing machines sometime soon.
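One way to check a machine for the two conditions described above (a hive file readable by ordinary users, and an existing Shadow Copy), as an added example that is not from the original article. It assumes an elevated PowerShell session, the standard hive location under `%windir%\System32\config`, and its own choice of which groups count as ordinary users.

```powershell
# Added audit example, not from the original article. Run in an elevated session.
param(
    # The article names only the SAM file; other hive file names can be passed in.
    [string[]]$HiveNames = @('SAM')
)

# Well-known SIDs of groups that contain ordinary users (this example's choice).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Ask for SIDs rather than names so the match does not depend on UI language.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        $allowsRead = ($rule.AccessControlType -eq 'Allow') -and
                      (([int]$rule.FileSystemRights -band $readData) -ne 0)
        if ($allowsRead -and $broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
            }
        }
    }
}

$findings = @(foreach ($name in $HiveNames) {
    Get-BroadReadAce -Path (Join-Path $env:windir "System32\config\$name")
})
# Existing shadow copies are the second condition the article describes.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)

$findings | Format-Table -AutoSize | Out-String | Write-Output
"Broad read ACEs on checked hive files: $($findings.Count)"
"Shadow copies present: $($shadows.Count)"
if ($findings.Count -gt 0 -and $shadows.Count -gt 0) {
    'Both conditions described in the article are met on this machine.'
}
```

A machine that reports zero broad read ACEs, or zero shadow copies, does not meet the combination the article describes.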