A new vulnerability has been discovered in Windows 10 that allows anyone to gain administrator privileges. The vulnerability is caused by a file access issue affecting some files related to the Windows registry. In particular, security researchers have shown that anyone can access data stored in the Security Account Manager (SAM) file in Windows 10.
The SAM file stores credentials for the users on a computer, so of course it should be off limits. However, as noted by security researcher Jonas Lykkegaard (via Computer), the SAM file can actually be accessed by anyone. You would not usually notice this because the file is constantly in use by Windows, which makes it inaccessible to users. But this vulnerability in Windows 10 opens a whole can of worms.
Windows backs up these files when you make a backup of a drive, and these backups are not in use. Because they still have the same permissions, any user on the computer can access a backed-up SAM file and view login credentials for other users. This includes administrators, so you can easily sign in to an account with administrator privileges. You can see an example of a user finding a hashed NTLM password using this permission oversight in the video below. The user can then change the password and use the new password to perform any tasks that require administrator privileges.
This vulnerability apparently appeared with version 1809 of Windows 10, when Microsoft changed the permissions on registry files. While the vulnerability still exists in Windows 10 version 20H2, it seems that this only applies if you have upgraded to this version. According to security analyst Will Dormann, if you perform a clean install of Windows 10 version 20H2, the vulnerability does not exist.
This makes the vulnerability somewhat limited in scope. You need to have made a shadow copy of your drive in the past for an accessible SAM file to exist, and not many people have. You must also have been using your computer for some time without a clean install. Regardless, it is a major oversight that could cause serious problems. Hopefully Microsoft will release a fix for existing machines soon. Just recently, a vulnerability was discovered in the Print Spooler service on Windows, the second in about a month.
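A defender can check a machine for the two conditions described above (hive files readable by ordinary users, and at least one existing shadow copy) with the PowerShell below. This is an added example, not code from the researchers or Microsoft; the hive directory path, the extra hives and groups checked, the definition of "Exposed" and the elevated session are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated session.
# Assumptions: hives live in %SystemRoot%\System32\config, and SYSTEM/SECURITY
# are checked alongside SAM because the article says registry files in general
# received the changed permissions.
$hiveDir = Join-Path $env:SystemRoot 'System32\config'
$hives   = 'SAM', 'SYSTEM', 'SECURITY'

# Well-known SIDs of groups that include ordinary, non-administrator users.
$broadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$sidType  = [System.Security.Principal.SecurityIdentifier]

$looseAces = @(foreach ($name in $hives) {
    $path = Join-Path $hiveDir $name
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on ${path}: $($_.Exception.Message)"
        continue
    }
    # Resolve ACEs to SIDs so the check does not depend on localized group names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid     = $ace.IdentityReference.Value
        $canRead = (([int]$ace.FileSystemRights) -band $readData) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canRead -and $broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Hive      = $name
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
})

# Shadow copies hold the backed-up hive files; with none present there is no
# backed-up copy for a standard user to read.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    LooseHiveAces = $looseAces.Count
    ShadowCopies  = $shadows.Count
    Exposed       = ($looseAces.Count -gt 0 -and $shadows.Count -gt 0)
}
$looseAces | Format-Table -AutoSize
```

A machine that reports loose ACEs but zero shadow copies still carries the permission change and becomes exposed as soon as a shadow copy is created.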