Windows Administrator Protection
Author: Michael J. Leaver, 2BrightSparks Pte. Ltd.
Microsoft is introducing a new security feature in Windows 11 called Administrator Protection. It is designed to make your computer more secure by adding an extra layer of protection for administrator accounts. At the time of writing it is not yet available in Windows 11, but it is likely to be introduced in the second half of 2025.
Many people are familiar with User Account Control (UAC) — the pop-up that appears when you try to install software or change system settings. UAC asks for permission before making changes, but it still allows the same administrator account to run the action.
Administrator Protection goes further. Instead of using your main administrator account directly, it creates a separate, hidden administrator account (called a "shadow" or "virtual" administrator account) to handle elevated tasks.
How Does It Work?
The simple explanation of how it works is:
- When you run a program that needs administrator access, Windows doesn’t give it full access to your main account.
- Instead, Windows uses a hidden administrator account to run the program securely.
- This prevents malware or malicious software from easily taking full control of your computer, even if it tricks you into running it.
A more technical explanation is:
- When a process requires administrative privileges, Windows does not grant elevation directly to the user’s primary account.
- Instead, a separate virtual administrator account is instantiated in the background, and the elevated process runs under this account.
- This limits the exposure of the user’s actual credentials and reduces the risk of privilege escalation attacks.
Why Is This Important?
In simple terms:
- Better security: Even if a harmful program tries to exploit admin privileges, it won't gain full control of your real account.
- Less risk of accidental system damage: Since your main account doesn't run elevated tasks directly, mistakes (like deleting system files) are harder to make.
- Stronger protection against hackers: Malware and cyberattacks often rely on admin access — this new system makes it much harder for them to succeed.
Essentially, Administrator Protection is like having a security guard that steps in whenever admin-level actions are needed, instead of letting you directly handle sensitive tasks.
More technically:
- Mitigates credential theft: Since the primary account never directly runs elevated processes, credential-stealing attacks (such as token theft or pass-the-hash attacks) are significantly harder to execute.
- Reduces privilege escalation risk: Malware that successfully bypasses UAC would still need to break out of the isolated virtual admin environment.
- Prevents persistent system compromise: Since the shadow admin account is temporary and not directly accessible, attackers have fewer opportunities to establish persistence.
This feature enhances Windows security by fundamentally changing how administrative privileges are handled, making it much harder for malicious actors to abuse elevated access.
Administrator Protection in Windows 11 is designed to mitigate privilege escalation attacks by isolating elevated processes within a shadow (virtual) administrator account. This change aligns with other modern security features, such as LSASS protections and Windows Defender Credential Guard, to further harden the operating system against credential theft and malware persistence.
The Local Security Authority Subsystem Service (LSASS) is responsible for handling authentication in Windows, and it has been a common target for attackers using techniques like credential dumping (e.g. Mimikatz).
Key Differences from UAC
UAC prompts users before allowing elevated actions, but it does not isolate elevated processes from the primary user account. In contrast, Administrator Protection introduces a shadow (or virtual) administrator account, which is used exclusively for running elevated processes.
With Administrator Protection:
- Elevated processes no longer run under the primary user’s security context, reducing the attack surface for tools that attempt to extract credentials from memory.
- Since the shadow admin account is ephemeral and not accessible to the user, even if an attacker compromises an elevated process, they cannot extract reusable credentials tied to the actual user.
- This works alongside LSASS protection, which prevents unauthorized access to LSASS memory by denying handle access to processes that are not themselves protected system processes.
Impact on SyncBack
If you are using SyncBackFree, or are using SyncBackPro or SyncBackSE without elevation (i.e. you are not running it elevated using a Windows administrator account), then this change will have no impact on you.
However, if you are running SyncBackPro or SyncBackSE elevated, and Administrator Protection is enabled in Windows, then there are some potential serious issues:
- When you run SyncBackPro/SE elevated, it will not run under your user account. This means that, by default, it will not have access to your settings or profiles. By default, SyncBack stores profiles and settings in the user's application data folder, as it should, i.e. settings and profiles are user specific and not global. As you will not be running SyncBack using your account (Windows will use the shadow/virtual admin account), it will not find your settings or profiles.
- If you schedule a profile then it will be scheduled using the shadow/virtual admin account. Existing schedules are not affected. The existing schedules will still run using your account.
- If you run a profile then it will run using the shadow/virtual admin account. This can have serious consequences. For example, if your profile copies from your Documents folder and the path is specified using variables, the variables will resolve to the Documents folder of the shadow/virtual admin, which is likely to be empty. This could be disastrous, e.g. if you are synchronizing.
- More generally, because a profile runs under the shadow/virtual admin account, any variables and registry settings it uses are those of that account, not yours. If you are using variables in a profile then they will have the values of the shadow/virtual admin account and not your account.
- Enabling Administrator Protection in Windows stops some functionality from working, e.g. starting SyncBack elevated on login no longer works.
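The following diagnostic is an added example and is not SyncBack's own code. Run it from the same elevated context SyncBack would be launched in; it reports which account the elevated process actually runs as, compares it with the interactively logged-on user (assumed here to be the account reported by Win32_ComputerSystem, which may be empty in remote sessions), and shows where per-user settings such as %APPDATA% would be looked up.

```powershell
# Added example (not 2BrightSparks code): show whether an elevated process
# runs under the interactive user's account or under a different account,
# and where its per-user settings folders point.

function Get-ElevationContext {
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Interactive console user as reported by WMI (assumption: this is the
    # account you logged in with; it can be $null in some remote sessions).
    $consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

    [pscustomobject]@{
        ProcessUser = $identity.Name
        ConsoleUser = $consoleUser
        IsElevated  = $isElevated
        AppData     = $env:APPDATA
        UserProfile = $env:USERPROFILE
        SameAccount = ($null -ne $consoleUser) -and
                      ($identity.Name -ieq $consoleUser)
    }
}

$ctx = Get-ElevationContext
$ctx | Format-List

if ($ctx.IsElevated -and -not $ctx.SameAccount) {
    # This is the situation the text above describes: elevated work (and any
    # per-user settings, profiles or variables) belongs to another account.
    Write-Warning "Elevated process runs as '$($ctx.ProcessUser)', not '$($ctx.ConsoleUser)'."
    Write-Warning "Per-user settings under '$($ctx.AppData)' belong to the elevated account."
}
```

If SameAccount is True in an elevated window, settings, profiles and variables will be the ones you expect; if it is False, the elevated process is looking in a different profile.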
Solutions for SyncBackPro/SE V11
At the time of writing, Administrator Protection has not yet been made available in Windows 11. However, SyncBackPro/SE V11 is being updated.
Solutions for older versions of SyncBackPro/SE
If you are using SyncBackPro/SE V10 or older (which are no longer supported), there are ways to avoid the impact of Administrator Protection:
- If possible, disable Administrator Protection in Windows. This resolves all the possible issues.
- Alternatively, do not run SyncBackPro/SE elevated. This will have an impact on functionality. One way to not run elevated is to simply use a standard user account in Windows and not an Administrator account. If that is not possible, and you are using SyncBack V10, then use the Not Elevated SyncBack executable and not the standard elevated one.
- If you are using SyncBack V9, or older, to not run elevated (if you are using a Windows Administrator account) you will need to change the manifest file that SyncBack uses. A manifest file tells Windows how SyncBack should be run. First, close SyncBack if it is running. Next, as a Windows Administrator user using Windows File Explorer, navigate to the directory SyncBack is installed into, e.g. C:\Program Files\2BrightSparks\SyncBackPro. You will see files called "SyncBackPro.exe.manifest" and "SyncBackPro.exe.manifest.nonadmin". Rename "SyncBackPro.exe.manifest" to "SyncBackPro.exe.manifest.admin" (i.e. add ".admin" to the end of the filename) and then rename "SyncBackPro.exe.manifest.nonadmin" to "SyncBackPro.exe.manifest" (i.e. remove ".nonadmin" from the end of the filename). When you start SyncBackPro it will now not run elevated.
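The manifest swap above, as an added PowerShell script (not a 2BrightSparks tool). It performs the same two renames, but first checks that SyncBack is not running, that both expected files are present and that nothing would be overwritten, and it can reverse the change with -Revert. The install directory and executable name are assumed defaults; adjust them to your installation.

```powershell
# Added example (not 2BrightSparks code): switch SyncBackPro V9 between its
# elevated and non-elevated manifest. Run from an elevated PowerShell prompt,
# since Program Files is not writable by standard users.
param(
    [string]$InstallDir = 'C:\Program Files\2BrightSparks\SyncBackPro',  # assumed
    [string]$ExeName    = 'SyncBackPro.exe',                             # assumed
    [switch]$Revert      # put the elevated (admin) manifest back
)

$manifest = Join-Path $InstallDir "$ExeName.manifest"
$admin    = "$manifest.admin"
$nonAdmin = "$manifest.nonadmin"

# The manifest must not be changed while SyncBack is running.
$procName = [IO.Path]::GetFileNameWithoutExtension($ExeName)
if (Get-Process -Name $procName -ErrorAction SilentlyContinue) {
    throw "Close $ExeName before changing its manifest."
}

if ($Revert) {
    # Expected state: .manifest holds the non-admin copy, .manifest.admin is saved.
    if (-not (Test-Path $admin))   { throw "No saved admin manifest at $admin" }
    if (Test-Path $nonAdmin)       { throw "$nonAdmin already exists; nothing to revert." }
    Rename-Item -Path $manifest -NewName "$ExeName.manifest.nonadmin"
    Rename-Item -Path $admin    -NewName "$ExeName.manifest"
    Write-Host "Restored elevated manifest; $ExeName will run elevated again."
} else {
    # Expected state: .manifest holds the admin copy, .manifest.nonadmin is present,
    # and no leftover .manifest.admin would be overwritten.
    foreach ($f in @($manifest, $nonAdmin)) {
        if (-not (Test-Path $f)) { throw "Missing expected file: $f" }
    }
    if (Test-Path $admin) { throw "$admin already exists; manifest may already be switched." }
    Rename-Item -Path $manifest -NewName "$ExeName.manifest.admin"
    Rename-Item -Path $nonAdmin -NewName "$ExeName.manifest"
    Write-Host "Switched to non-admin manifest; $ExeName will no longer run elevated."
}
```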