
Bypassing Administrator Protection by Abusing UI Access

googleprojectzero.blogspot.com 2026-02-12 AI agent abuse High

What Happened

In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exist. I described one of the ways I was able to bypass the feature before it was released. In total I found 9 bypasses during my research that have now all been fixed. In this blog post I wanted to describe the root cause of 5 of those 9 issues, specifically the implementation of UI Access, how this has been a long standing problem with UAC that’s been under-appreciated, and how it’s being fixed now.

A Question of Accessibility

Prior to Windows Vista any process running on a user’s desktop could control any window created by another, such as by sending window messages. This behavior could be abused if a privileged user, such as SYSTEM, displayed a user interface on the desktop. A limited user could control the UI and potentially elevate privileges. This was referred to as a Shatter Attack, and was usually fixed by removing user interface components from privileged code.

Why It Matters

The article describes multiple privilege escalation bypasses against Windows 11's Administrator Protection, focusing on how long‑standing weaknesses in the UI Access model and cross‑process window control allowed lower-privileged processes to manipulate higher-privileged UI flows (classic 'shatter attack' style behavior) until Microsoft patched them.[5] It explains that UI interactions, accessibility features, and automation channels formed an under‑appreciated boundary that could be abused to defeat UAC/Administrator protections before being re‑architected and fixed. From a CyberSE.AI perspective, any AI agent or automation using desktop/UI automation, accessibility APIs, or running with elevated tokens on Windows could be coerced by a lower-privileged process to click, approve, or execute privileged actions, effectively becoming a privilege-escalation helper. Organizations should apply these lessons by hardening AI agent interaction models (e.g., separating privileged and unprivileged UI contexts), auditing agent business logic for unsafe UI-driven elevation paths, and subjecting Windows-based AI agents to continuous red teaming that specifically targets UI automation and accessi

Healthcare Fintech SaaS SMB AI startups

CyberSE Analysis

This signal maps to AI agent abuse. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://projectzero.google/2026/02/windows-administrator-protection.html
