A new method has been identified to exploit the Windows Out-of-Box Experience (OOBE) that bypasses existing protections and grants administrative command-line access to Windows machines.
This technique works even when Microsoft’s recommended security measure, the DisableCMDRequest.tag file, is implemented to block the well-known Shift + F10 keyboard shortcut vulnerability.
The discovery highlights persistent security gaps in Windows’ initial setup process that could allow unauthorized users to gain elevated privileges and create backdoor accounts on corporate devices.
Key Takeaways
1. New Win + R exploit bypasses Windows OOBE security protections.
2. Grants full Administrator access via defaultuser0 account during setup.
3. Microsoft won't fix; only mitigation is hiding Intune reset buttons.
Win + R OOBE Bypass
Kanbach reports that the method leverages the Win + R keyboard combination to spawn a hidden Run dialogue during the OOBE process, circumventing traditional security controls.
Unlike the widely documented Shift + F10 technique, this approach requires a specific sequence of actions to execute successfully.
The exploitation process begins by opening an accessibility tool such as Magnify.exe to establish proper window focus.
Once the Magnify window is active, pressing Win + R launches the Run dialogue, though it remains hidden in the background.
Users can reveal its presence by using Alt + Tab to cycle through available windows.
The critical vulnerability lies in the fact that this dialogue operates under the context of defaultuser0, a temporary administrative account that Windows creates during OOBE with full local Administrator group privileges.
To escalate privileges further, attackers can type cmd.exe into the Run dialogue and press Ctrl + Shift + Enter to trigger User Account Control (UAC) consent elevation.
When the UAC prompt appears and is accepted, an elevated command prompt opens with administrative privileges, enabling attackers to execute arbitrary system modifications, create backdoor accounts, or alter security configurations.
Microsoft’s Response
This OOBE breakout method poses significant security risks, particularly in enterprise environments where users can initiate device resets through Microsoft Intune Company Portal.
The vulnerability allows low-privileged domain users to effectively gain local administrative access by simply performing a push-button reset and exploiting the OOBE interface.
Microsoft has declined to address this security issue, stating that OOBE inherently runs in an administrative session and that leaving devices unattended during setup is equivalent to leaving machines unlocked.
The company’s position treats this as an operational security concern rather than a software vulnerability requiring patching.
The primary mitigation strategy involves preventing users from accessing OOBE entirely by hiding the reset button in the Microsoft Intune admin center under Tenant administration > Customization.
Administrators should enable the Hide reset button on corporate Windows devices setting to prevent unauthorized device resets.
However, this represents an incomplete solution that addresses symptoms rather than the underlying architectural security weakness in Windows’ setup process.
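Because hiding the Intune reset button only removes one path into OOBE, a defender will also want to verify the state of a device after setup. The PowerShell script below is an added example, not from the article or from Microsoft: it checks for the DisableCMDRequest.tag mitigation file (at the location Microsoft documents for it, %WINDIR%\Setup\Scripts, an assumption not stated in the article), lists local Administrators group members that are not on an expected list, reports whether the defaultuser0 account is still present, and searches the Security log for local accounts created by defaultuser0 (Event ID 4720, "A user account was created", which is the standard account-management audit event; that a backdoor account created from the OOBE command prompt would be attributed to defaultuser0 is an assumption). The $expectedAdmins list is a placeholder for your environment.

```powershell
# Added example (not the article's or Microsoft's code): post-OOBE audit for the
# defaultuser0 breakout described above. Run elevated on the device after setup.
# Assumes account-management auditing is enabled in the Security log.

function Invoke-OobeBreakoutAudit {
    param(
        # Placeholder: local accounts you expect to be in the Administrators group.
        [string[]]$ExpectedAdmins = @('Administrator')
    )

    # 1. Is the Shift+F10 mitigation file present? (Path per Microsoft's setup
    #    documentation; the article names only the file.)
    $tagPath = Join-Path $env:WINDIR 'Setup\Scripts\DisableCMDRequest.tag'
    [PSCustomObject]@{
        Check  = 'DisableCMDRequest.tag present'
        Result = (Test-Path $tagPath)
    }

    # 2. Unexpected members of the local Administrators group. A backdoor account
    #    created from the elevated OOBE prompt would normally be added here.
    $members    = Get-LocalGroupMember -Group 'Administrators' |
                  Select-Object -ExpandProperty Name
    $unexpected = $members | Where-Object {
        ($_ -split '\\')[-1] -notin $ExpectedAdmins
    }
    [PSCustomObject]@{
        Check  = 'Unexpected local Administrators'
        Result = ($unexpected -join ', ')
    }

    # 3. Is the temporary OOBE account still on the box? It should not survive a
    #    completed setup; its presence is worth a closer look.
    $du0 = Get-LocalUser -Name 'defaultuser0' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Check  = 'defaultuser0 account still present'
        Result = ($null -ne $du0)
    }

    # 4. Accounts created while running as defaultuser0. Event 4720 records the
    #    creating account in SubjectUserName and the new account in TargetUserName.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } `
                           -ErrorAction SilentlyContinue
    $created = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['SubjectUserName'] -eq 'defaultuser0') {
            [PSCustomObject]@{
                Time       = $e.TimeCreated
                CreatedBy  = $data['SubjectUserName']
                NewAccount = $data['TargetUserName']
            }
        }
    }
    [PSCustomObject]@{
        Check  = 'Accounts created by defaultuser0 (Event 4720)'
        Result = (($created | ForEach-Object { "$($_.NewAccount) @ $($_.Time)" }) -join '; ')
    }
}

Invoke-OobeBreakoutAudit | Format-Table -AutoSize
```

Feed the output into whatever compliance or SIEM pipeline the fleet already uses; the fourth check is the one that directly reflects the scenario the article describes, while the first three catch the leftovers a misuse of OOBE tends to leave behind.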