Windows Out-of-Box-Experience (OOBE) Flaw Enables Full Administrative Command Prompt Access

THREAT SUMMARY

A newly discovered security flaw in Microsoft Windows’ Out-of-Box-Experience (OOBE) process allows users to bypass existing restrictions and obtain full administrative command prompt access during initial system setup. This bypass works even when Microsoft’s standard mitigation against the well-known Shift+F10 method is enabled, posing risks of unauthorized system changes and persistent compromise, particularly in corporate-managed devices.

TECHNICAL DETAILS

Traditional Risk

The Shift+F10 shortcut in OOBE historically allowed access to an elevated command prompt. Microsoft’s mitigation involves creating an empty file named DisableCMDRequest.tag in C:\Windows\Setup\Scripts\ to disable this function.

New Exploitation Method

1. Launch an accessibility tool such as Magnifier (Magnify.exe) to take window focus.

2. Press Windows+R to open the Run dialog (runs hidden in the background).

3. Use Alt+Tab to bring the Run dialog into focus.

4. Type cmd.exe and press Ctrl+Shift+Enter to trigger a UAC elevation prompt.

5. Accept the prompt to gain an elevated administrative shell under the defaultuser0 account.

Why It Works

The defaultuser0 account is part of the local Administrators group during OOBE by design, allowing high-privilege execution.

IMPACT

• Creation of hidden administrator accounts.

• System configuration changes and security control disablement.

• Installation of persistent malware or remote access tools.

MICROSOFT POSITION

Microsoft has classified this as a “won’t-fix” issue, noting that OOBE operates in an administrative session by design. They equate leaving a system unattended during OOBE to leaving a device unlocked.

AFFECTED PLATFORMS

• All supported Windows versions with OOBE functionality.

• Devices accessible to untrusted users during setup.

MITIGATION STEPS

For Organizations using Microsoft Intune:

1. Navigate to Microsoft Intune Admin Center → Tenant administration → Customization.

2. Enable “Hide reset button on corporate Windows devices” to prevent push-button resets that could be exploited.

GENERAL RECOMMENDATION

• Do not leave devices unattended during OOBE setup.

• Implement physical security controls for devices in provisioning state.

• If feasible, complete OOBE in a secure environment before deployment.

• Restrict access to recovery/reset functions for corporate endpoints.
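As an added example, not taken from the advisory, Microsoft or SL-CSIRT, the following PowerShell post-provisioning audit applies the Shift+F10 tag-file mitigation described above and then checks a freshly set-up device for what the listed impact would leave behind: unexpected members of the local Administrators group, a lingering defaultuser0 account, and recently created local accounts. The allow list of expected administrators and the 24-hour lookback window are assumptions to adjust for your build.

```powershell
# Added example: post-OOBE audit for a freshly provisioned Windows device.
# Run elevated after setup completes (e.g. as an Intune PowerShell script).

# 1. Apply the documented Shift+F10 mitigation. The advisory notes this does
#    NOT block the Magnifier/Run-dialog method, so treat it as defence in depth.
$tagDir  = 'C:\Windows\Setup\Scripts'
$tagFile = Join-Path $tagDir 'DisableCMDRequest.tag'
if (-not (Test-Path $tagDir))  { New-Item -ItemType Directory -Path $tagDir | Out-Null }
if (-not (Test-Path $tagFile)) { New-Item -ItemType File -Path $tagFile | Out-Null }

# 2. Expected members of the local Administrators group (assumption: adjust to
#    your image). Any other local user is a candidate hidden admin account.
$expectedAdmins = @('Administrator')

$findings = @()
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $name = ($m.Name -split '\\')[-1]          # strip the COMPUTER\ prefix
    if ($m.ObjectClass -eq 'User' -and $expectedAdmins -notcontains $name) {
        $findings += "Unexpected local admin: $($m.Name) (source: $($m.PrincipalSource))"
    }
}

# 3. defaultuser0 is the OOBE setup account; it is normally removed when setup
#    finishes, so its presence (enabled or not) is worth flagging.
$du0 = Get-LocalUser -Name 'defaultuser0' -ErrorAction SilentlyContinue
if ($du0) {
    $findings += "defaultuser0 still exists after OOBE (Enabled=$($du0.Enabled))"
}

# 4. Local accounts created recently (Security event 4720; assumption: 24h window).
$since  = (Get-Date).AddHours(-24)
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
                       -ErrorAction SilentlyContinue
foreach ($e in $recent) {
    $x      = [xml]$e.ToXml()
    $target = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $findings += "Local account '$target' created at $($e.TimeCreated)"
}

if ($findings.Count -eq 0) { Write-Output 'OK: no unexpected local accounts or admins found'; exit 0 }
$findings | ForEach-Object { Write-Output $_ }
exit 1   # non-zero so a management tool can mark the device non-compliant
```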

REFERENCE

Microsoft Intune Admin Center Documentation

GBHackers

SL-CSIRT
