#HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10


Kevin Beaumont

This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test it.

Press F to pay respects to MSRC (it’s not their fault)

Recently, Jonas tweeted something interesting. What Jonas didn’t realise at the time is that Windows 10 has the same behaviour when System Protection (aka Shadow Volumes) is enabled, which should be the default in the majority of cases.

This is caused by BUILTIN\Users having read access to c:\Windows\System32\config\SAM.

It shouldn’t. That breaks a security barrier, as the SAM is a sensitive registry hive, and BUILTIN\Users include non-administrators.

That folder also has other sensitive registry hives — for example SYSTEM, SECURITY etc — which BUILTIN\Users can access.

This has since become CVE-2021-36934.
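A quick way to check whether a machine has the permission problem described above, as an added example that is not part of the original post: the script inspects the ACL on the SAM, SYSTEM and SECURITY hive files for an Allow entry granting BUILTIN\Users read access, and reports whether that entry is inherited from the config folder. `Test-HiveAcl` and `Repair-HiveAcl` are hypothetical names chosen for this example; the repair step re-enables ACL inheritance with `icacls /inheritance:e`, which is Microsoft's published workaround for this CVE, and must run elevated.

```powershell
# Added example, not code from the original post.
# Report whether BUILTIN\Users can read the sensitive registry hive files.
function Test-HiveAcl {
    param(
        [string]$ConfigDir = "$env:SystemRoot\System32\config",
        [string[]]$Hives = @('SAM', 'SYSTEM', 'SECURITY')   # hives named in the post
    )
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        # Reading the security descriptor needs only READ_CONTROL, so this works
        # even though the kernel keeps the hive file itself open exclusively.
        $acl = Get-Acl -Path $path
        $usersRead = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band ([int]$readData))
        })
        [pscustomobject]@{
            Hive         = $hive
            Path         = $path
            UsersCanRead = ($usersRead.Count -gt 0)
            # An inherited entry points at the folder ACL as the root cause.
            Inherited    = (($usersRead | Where-Object IsInherited).Count -gt 0)
        }
    }
}

# Re-enable inheritance on the hive files so they pick up the correct folder ACL
# (Microsoft's workaround). Existing shadow copies still hold the old copies and
# need to be removed separately; run this from an elevated prompt.
function Repair-HiveAcl {
    param([string]$ConfigDir = "$env:SystemRoot\System32\config")
    & icacls "$ConfigDir\*.*" /inheritance:e
}

# Usage: any hive with UsersCanRead = True is readable by every local user.
Test-HiveAcl | Format-Table -AutoSize
```

Run `Test-HiveAcl` first, then `Repair-HiveAcl` only after confirming the finding, and re-run the check to verify the entry is gone.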

Creating an exploit