Bad month for Microsoft

After Printnightmare came the Windows Hello zero-day, which allowed a hacker to access any account on a PC using a Hello-capable camera for authentication (they just needed an infrared image of the user, which could be obtained using any IR camera - e.g. walking past them with the camera, putting a camera in an elevator etc. where the user would pass by). While it would be highly targeted, it is a serious problem.

Now we have Hivenightmare. A bug in a recent(?) Windows update, first noticed in Windows 11 Beta, but also in all versions of Windows 10 in support, allows any user to read key system files, including the SAM password database - passwords are hashed, but there are known workarounds for finding passwords.

There is currently no patch, but you can manually re-apply the correct protection to the files, and you will have to manually remove any VSS copies on your system (and generate a new one, if you want to have a recovery point).

Restrict access to the contents of %windir%\system32\config

  1. Open Command Prompt or Windows PowerShell as an administrator.
  2. Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  2. Create a new System Restore point (if desired).

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

I’ll also post this over at Thurrott…
Edit: Or not, I’ve tried 5 times to post it there, but it just disappears.


I’ve started watching “Curb your enthusiasm” and cannot get the music out of my head. It’s what I hear every time there’s a bad month of security at Microsoft, just after Capossela’s strong statement last Christmas session.

(You were right in your comment back then, but still. :wink: )


Over at Thurrott, people were asking how they can delete the shadow copies.

vssadmin list shadows

vssadmin delete shadows /all

The first shows which copies exist, the second deletes them. The usual caveats apply: make sure you have a system backup, and preferably make a new one after deleting the shadow copies.
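An audit-only script, added here and not from the thread or from Microsoft, that checks the two conditions the first post's icacls step and the vssadmin commands above address: whether SAM/SECURITY/SYSTEM are readable by low-privileged identities, and whether shadow copies exist that may still hold the old readable hives. It assumes Windows PowerShell 5 or later run from an elevated prompt, and changes nothing; the icacls and vssadmin commands in the thread do the actual fix.

```powershell
# Added example (not from the thread): audit-only check for the CVE-2021-36934 condition.
# Run elevated. Reports weak hive ACLs and existing VSS shadow copies; modifies nothing.
$hiveFiles = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# Identities that should never have read access to the registry hive files.
$lowPrivSids = @(
    'S-1-5-32-545',   # BUILTIN\Users (the identity granted RX by the bad update)
    'S-1-5-11',       # NT AUTHORITY\Authenticated Users
    'S-1-1-0'         # Everyone
)

function Test-HiveAcl {
    param([string]$Path)
    # Get-Acl only needs READ_CONTROL, so it works even though the hive file is locked.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $grantsRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $lowPrivSids -contains $sid -and $grantsRead) {
            return [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # (I) in icacls output: came from %windir%\system32\config
            }
        }
    }
    return $null
}

$findings = $hiveFiles | ForEach-Object { Test-HiveAcl -Path $_ } | Where-Object { $_ }
if ($findings) {
    Write-Warning 'Hive files readable by low-privileged users (CVE-2021-36934 condition present):'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'Hive file ACLs look correct (no Users/Authenticated Users/Everyone read access).'
}

# Shadow copies taken before the ACL fix still contain the old, readable hive files.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if ($shadows) {
    Write-Warning ('{0} shadow copies present; review and delete those created before the ACL fix:' -f @($shadows).Count)
    $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
} else {
    Write-Host 'No VSS shadow copies present.'
}
```

Re-run it after applying the icacls command and deleting the shadow copies to confirm both checks come back clean.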