Skip to content

TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps

  • Home
  • About
  • Advertise With US
  • Reviews
  • Contact
  • Toggle search form

Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11

Posted on 22/07/202110/04/2023 IT Expert By IT Expert 2 Comments on Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11
  1. Home
  2. Security | Vulnerability Scans and Assessment
  3. Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11
HiveNightmare

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files. Including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data. Or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability. Here are some related articles: What is Registry Editor and how to access the registry hives, and how to search through the Windows Registry? Here you will learn the Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11.

SeriousSAM or HiveNightmare Registry Vulnerability

Note: The database files associated with the Windows Registry are stored under the C:\Windows\system32\config folder and are broken up into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE. As these files contain sensitive information about all user accounts on a device and security tokens used by Windows features. They should be restricted from being viewed by regular users with no elevated privileges.

This is especially true for the Security Account Manager (SAM) file as it contains the hashed passwords for all users on a system which threat actors can use to assume their identity.

Please refer to these exciting guides: Volume Shadow Copies: How to configure VSS on Windows Server, Workaround for Microsoft Support Diagnostic Tool Vulnerability, How to resolve Git for Windows uninstaller is vulnerable to DLL hijacking when run under the SYSTEM user account, how to perform vulnerability scan on Microsoft SQL Server, and how does cached domain logon work?

How to determine if Windows 10 or 11 is affected by SeriousSAM or HiveNightmare” registry vulnerability

To check if your Windows 10 or 11 installation is affected. Please open PowerShell or Command Prompt and enter the following as shown in the image below.

As you can see below, this specific device is currently not vulnerable as the Registry databases are currently not accessible to the ‘Users’ group that has low privileges on a device.

Ensure your devices are correctly patched and test them to see if you are affected.

Screenshot-2021-07-22-at-13.20.48
2021 07 22 at 13.20.48
Screenshot-2021-07-22-at-13.31.08
image 2021 07 22 at 13.31.08
Screenshot-2021-07-22-at-13.47.50
Screenshot 2021 07 22 at 13.47.50

If the output displays the following permission, your Windows installation is affected by the vulnerability.

BUILTIN\Users:(I)(RX)

The SYSTEM and SAM credential database files have been updated to include the Read ACL set for all Users for some versions of Windows. This means that any authenticated user has the capability to extract these cached credentials on the host and use them for offline cracking or Pass-the-hash depending on the environment configuration.

This has only been identified on updated Windows 10 endpoints at this point, however, it is possible Windows Servers have been impacted. The following builds have been identified as impacted so far and you can identify your build by looking at winver in run dialog window (Win + R).

  • 1809 ISO-June21 – 20H2
  • 1909 ISO-June21 – 20H2
  • 20H2 ISO-orig – 21H1
  • 21H1 ISO-June21 – 11 Insider (Windows 11)

Microsoft has recently released a short-term workaround

Microsoft has recently released a short-term (provisional) workaround on 7/21/21 for systems that are vulnerable to the newly found HiveNightmare flaw.

The vulnerability was discovered by Twitter user 'Jonas L' and was seconded by a second user who noticed that the Windows Security Account Manager (SAM) database which contains all important passwords and keys was now apparently accessible by non-admin users. 

This flaw is also referred to as the SeriousSAM or HiveNightmare. As it enables attackers access to SAM, SYSTEM, and SECURITY registry hive files. Below are the recommended restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.

Step 1 Workaround: Restrict Access to the contents of %windir%\system32\config

Having acknowledged the vulnerability in the new CVE dubbed 'CVE-2021-36934, please perform the following steps to restrict access.

Open Command Prompt or Windows PowerShell as an administrator.

Screenshot-2021-07-22-at-13.18.43
Run this command "icacls %windir%\system32\config\*.* /inheritance:e" as shown below

- Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
- Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
Screenshot-2021-07-22-at-12.52.46

Kindly refer to some of the PrintNightMare guides I have written in the past. PrintNightmare security update for Windows Server 2012, 2016, and Windows 10, v1607 released: Why are the patches not so effective for the Print Spooler vulnerability? And Out-of-Band Security Update for PrintNightmare: Patch released for Windows Print Spooler Remote Code Execution Vulnerability.

Step 2 – Delete Volume Shadow Copy Service (VSS) shadow copies

Run command: vssadmin list shadows to see if there are shadow points. If there are, delete them with: vssadmin delete shadows /for=c: /Quiet

Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

Screenshot-2021-07-22-at-13.47.34

Create a new System Restore point (if desired).

Impact of workaround 

Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.

I hope you found this blog post helpful on the Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11. If you have any questions, please let me know in the comment session.

Rate this post

Thank you for reading this post. Kindly share it with others.

  • Share on X (Opens in new window) X
  • Share on Reddit (Opens in new window) Reddit
  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Facebook (Opens in new window) Facebook
  • Share on Pinterest (Opens in new window) Pinterest
  • Share on Tumblr (Opens in new window) Tumblr
  • Share on Telegram (Opens in new window) Telegram
  • Share on WhatsApp (Opens in new window) WhatsApp
  • Share on Mastodon (Opens in new window) Mastodon
  • Share on Bluesky (Opens in new window) Bluesky
  • Share on Threads (Opens in new window) Threads
  • Share on Nextdoor (Opens in new window) Nextdoor
Security | Vulnerability Scans and Assessment Tags:Microsoft Windows, RegEdit, Registry Keys, RegistryEditor, vulnerability, Windows 10, Windows 11, Windows Registry

Post navigation

Previous Post: How to install and debug logs with the CMTrace Tool
Next Post: PetitPotam attack on Active Directory Certificate Services: How to mitigate NTLM Relay PetitPotam attack on AD CS

Related Posts

  • VMware Aria
    VMSA-2022-0026: An arbitrary file read vulnerability in VMware Aria Operations Security | Vulnerability Scans and Assessment
  • Defender Antivirus
    Windows Defender Antivirus Management with Intune Anti-Virus Solution
  • Banner
    Scan Your Code by Integrating SonarCloud into Your GitHub Repository Security | Vulnerability Scans and Assessment
  • Feature image LSA
    How to configure additional LSA Protection Security | Vulnerability Scans and Assessment
  • encryption 04.05.32
    How to Enable BitLocker without Compatible TPM Security | Vulnerability Scans and Assessment
  • SSL on WAMPServer
    Setup VirtualHost with SSL on WAMP Server Linux

More Related Articles

VMware Aria VMSA-2022-0026: An arbitrary file read vulnerability in VMware Aria Operations Security | Vulnerability Scans and Assessment
Defender Antivirus Windows Defender Antivirus Management with Intune Anti-Virus Solution
Banner Scan Your Code by Integrating SonarCloud into Your GitHub Repository Security | Vulnerability Scans and Assessment
Feature image LSA How to configure additional LSA Protection Security | Vulnerability Scans and Assessment
encryption 04.05.32 How to Enable BitLocker without Compatible TPM Security | Vulnerability Scans and Assessment
SSL on WAMPServer Setup VirtualHost with SSL on WAMP Server Linux

Comments (2) on “Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11”

  1. Avatar photo John says:
    03/08/2021 at 4:26 PM

    Thanks for this.

    Log in to Reply
    1. chris Christian says:
      03/08/2021 at 5:02 PM

      You are welcome, John!

      Log in to Reply

Leave a Reply Cancel reply

You must be logged in to post a comment.

Microsoft MVP

VEEAMLEGEND

vexpert-badge-stars-5

Virtual Background

GoogleNews

Categories

veeaam100

Veeam Vanguard

  • Trellix Invalid credential
    Fix unable to login to Trellix ePO with Windows authentication Windows Server
  • Featured image 10
    Add a Printer Using an IP Address in Windows 11 Network | Monitoring
  • QueryBitLocker1
    Query Windows BitLocker status remotely Windows
  • ffd
    Unable to bind to LDAP or AD in Pleasant Password Server Password Manager
  • How to create blue screen using the Not my Fault tool from Sysinternals
    How to create blue screen using the Not my Fault tool from Sysinternals Windows
  • Object First OOTBI   Best Storage Repo for Veeam
    Understanding User Roles & Access Control in Object First OOTBI Backup
  • macOS
    How to upgrade macOS Big Sur to macOS Monterey Mac
  • create a Mapped Drive via GPO
    How to create a Mapped Drive via GPO Preferences Windows

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,784 other subscribers
  • RSS - Posts
  • RSS - Comments
  • About
  • Authors
  • Write for us
  • Advertise with us
  • General Terms and Conditions
  • Privacy policy
  • Feedly
  • Telegram
  • Youtube
  • Facebook
  • Instagram
  • LinkedIn
  • Tumblr
  • Pinterest
  • Twitter
  • mastodon

Tags

Active Directory Azure Bitlocker Microsoft Windows PowerShell WDS Windows 10 Windows 11 Windows Deployment Services Windows Server 2016

Copyright © 2025 TechDirectArchive

Loading Comments...

You must be logged in to post a comment.