[Security Alert] Immediately Protect “Config” Directory in Windows 10 and Windows 11

If you are using Windows 10 or any recently released Windows 11 Insider Preview build on your computer, here is some very important information for you.

A high-severity security vulnerability has been discovered in both of these operating systems which might allow an attacker to install software programs as well as view, change or delete user data. An attacker can also create new user accounts with full user rights with the help of this vulnerability.

It happens because, starting with Windows 10 version 1809, non-administrative users are granted read access to files in the %windir%\system32\config directory. This directory contains highly important system files such as DEFAULT, SAM, SECURITY, SYSTEM, etc., which store sensitive user data such as encrypted passwords, registry keys, settings, etc.


(Screenshot: the Windows System32\config folder affected by the HiveNightmare / SeriousSAM vulnerability)

Microsoft has assigned the identifier CVE-2021-36934 to this vulnerability, but publicly it has become known by the names HiveNightmare and SeriousSAM.

Affected Windows versions:

  • Windows 10 version 1809
  • Windows 10 version 1909
  • Windows 10 version 2004
  • Windows 10 version 20H2
  • Windows 10 version 21H1
  • Windows Server 2019
  • Windows Server version 2004
  • Windows Server version 20H2
  • Windows 11 preview builds

Vulnerability Effects:

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

How to Check if You are Affected?

Open Command Prompt as Administrator and run the following command:

icacls %windir%\system32\config\sam

(Screenshot: checking the permissions of the Windows System32\config\SAM file with icacls)

If the command displays “Successfully processed 1 files; Failed processing 0 files” in its output along with “BUILTIN\Users” in the file permission information, your system is vulnerable.


If the command displays “Access is denied. Successfully processed 0 files; Failed processing 1 files” in its output, or you don’t see “BUILTIN\Users” in the file permission information, your system is not vulnerable.

Workaround or Fix:

Microsoft provides the following workaround to mitigate this vulnerability until a security update is released for the affected Windows versions:

STEP 1:

First, restrict access to the contents of the %windir%\system32\config directory using either of the following methods:

Open Command Prompt as Administrator and run the following command:

icacls %windir%\system32\config\*.* /inheritance:e

(Screenshot: protecting the Windows System32\config\SAM file against HiveNightmare / SeriousSAM with icacls /inheritance:e)

OR

Open PowerShell as Administrator and run the following command:

icacls $env:windir\system32\config\*.* /inheritance:e

STEP 2:

Now delete any Volume Shadow Copy Service (VSS) shadow copies, which may still contain readable copies of these files, using the following steps:

Again open Command Prompt or PowerShell as Administrator and run the following command:

vssadmin list shadows

(Screenshot: listing Volume Shadow Copy Service (VSS) shadow copies with vssadmin)

If shadow copies are present on your device, run the following command to delete them:

vssadmin delete shadows /for=c: /Quiet

It’ll remove all existing shadow copies.
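To run the check from “How to Check if You are Affected?” and both workaround steps in one go, here is an added PowerShell script; it is not part of the article or Microsoft’s guidance. It assumes the SAM, SECURITY, SYSTEM and DEFAULT hives under %windir%\System32\config are the files to check, and reads the ACLs with Get-Acl instead of parsing the icacls output.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): check for CVE-2021-36934 exposure,
# apply the Microsoft workaround, delete shadow copies, then re-check.

$configDir = Join-Path $env:windir 'System32\config'
# Assumption: these four hives are the files worth checking.
$hives = 'SAM', 'SECURITY', 'SYSTEM', 'DEFAULT' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveExposed {
    # Returns $true when BUILTIN\Users holds any Allow entry on the file,
    # which is the condition the article treats as "vulnerable".
    # BUILTIN\Administrators entries are expected and are not a problem.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow') {
            return $true
        }
    }
    return $false
}

function Show-HiveState {
    param([string]$Label)
    Write-Host "== $Label =="
    foreach ($h in $hives) {
        $state = if (Test-HiveExposed $h) { 'VULNERABLE (BUILTIN\Users present)' } else { 'OK' }
        Write-Host ("{0,-45} {1}" -f $h, $state)
    }
}

Show-HiveState 'Before workaround'

# Step 1: re-enable inheritance so the hive files pick up the restrictive
# ACL of the config folder (same command the article gives for PowerShell).
icacls "$configDir\*.*" /inheritance:e | Out-Null

# Step 2: shadow copies can still hold readable copies of the old hives,
# so list them and delete any that exist on the system drive.
$shadows = vssadmin list shadows
if ($shadows -match 'Shadow Copy ID') {
    vssadmin delete shadows "/for=$($env:SystemDrive)" /Quiet | Out-Null
    Write-Host "Deleted existing shadow copies on $($env:SystemDrive)."
} else {
    Write-Host 'No shadow copies found (or the VSS service is disabled).'
}

Show-HiveState 'After workaround'
```

If the VSS service is disabled, vssadmin reports an error instead of a list and the script simply skips the deletion step, which matches the situation one of the commenters describes.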

Microsoft is currently working on an update, to be released soon, that will fix this vulnerability.

Thanks to CERT for providing methods to check and fix the vulnerability.


Published in: Windows 10, Windows 11

About the author: Vishal Gupta (also known as VG) has been awarded with Microsoft MVP (Most Valuable Professional) award. He holds Masters degree in Computer Applications (MCA). He has written several tech articles for popular newspapers and magazines and has also appeared in tech shows on various TV channels.

Comments


  1. Followed the steps twice and all looked good. Then you once more run
    icacls %windir%\system32\config\sam
    and get the same “Successfully processed 1 files; Failed processing 0 files”

  2. If the command displays “Successfully processed 1 files; Failed processing 0 files” in result along with “BUILTIN\Administrators” mentioned in file permission information, does it mean my system is vulnerable?

  3. What do you do next if having entered the

    vssadmin delete shadows /for=c: /Quiet

    command line you get an “Access is Denied” response?

  4. Hi,
    I followed all the steps provided and ran them twice and I still received the BUILTIN/Administrators: (I) (F) line in the result. It does not seem to protect the files as promised.

  5. I got this message with this command
    vssadmin list shadows

    Error: Unexpected Error: The service could not be started. The service is disabled or is not associated with any active device.

  6. @Yash and @John Molenaar
    No. If “BUILTIN\Users” is present in result, then your system is vulnerable.

    @David Court and @Gianvito
    Open Command Prompt as Administrator.

  7. I ran it as Admin and got: 69 files processed and 0. Does that mean that I have cured the potential problem? Am I going to have problems with the “69 files processed”?

  8. Does anyone know how to put these two commands into a powershell script?

    Thanks in advance,
    Rick
