Microsoft patched a bevy of bugs that allowed bypasses of Windows Administrator Protection before the feature was made available earlier this month. He added that he likely only found it because he was previously familiar with the OS's "weird behavior when creating the DOS device object directory." Because the kernel creates a DOS device object directory on demand, rather than at login, it cannot check whether the user is an admin during the creation process. Further, due to a separate security mitigation Microsoft implemented to prevent C drive hijacking, the system service launching the process ignores the impersonated token's DOS device object directory. Microsoft fixed this by preventing DOS device object directory creation when impersonating a shadow admin token at the identification level.
