Once again, there’s yet another Windows vulnerability plaguing your systems. Rogue users and malware could take advantage of this new bug (HiveNightmare) to gain admin-level powers. Similar Windows security threats were found previously, such as PrintNightmare and the Windows Hello and printer vulnerabilities. You can check out their respective guides to learn how to fix Windows against those bugs.
This recent bug is due to a change in Windows that lets even unprivileged users read the registry hive files for the Security Account Manager (SAM), SYSTEM, and SECURITY.
An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. The attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. One must have the ability to execute code on a victim’s system to exploit this Windows vulnerability bug.
yarh- for some reason on win11 the SAM file now is READ for users.
So if you have shadowvolumes enabled you can read the sam file like this:
I don't know the full extent of the issue yet, but it's too many to not be a problem I think. pic.twitter.com/kl8gQ1FjFt
— Jonas L (@jonasLyk) July 19, 2021
This flaw can be used to read the shadow copies of your system, which Windows creates every time it installs a system update (usually every month). Malware that got onto your PC through a phishing link, third-party software, or an external link could therefore have a chance to crack user passwords and gain full access to your device. Stopping this might prove somewhat difficult without an antivirus. Fortunately, Microsoft has provided some workarounds to fix Windows until a proper patch is deployed.
How to check if your device is vulnerable to HiveNightmare?
1. Open the Windows command prompt as administrator, type the following, and press Enter.
icacls c:\windows\system32\config\sam
If the response contains the following line, your device might be vulnerable.
BUILTIN\Users:(I)(RX)
2. To check if your system has shadow copies, type the following in the command prompt.
vssadmin list shadows
3. If you have a shadow copy, then you might get a response like this.
Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}
Contained 1 shadow copies at creation time: 7/19/2021 9:30:13 AM
Shadow Copy ID: {5b5d02a8-44e9-420e-9ec9-a585cd991ed8}
Original Volume: (C:)\\?\Volume{b7f4115b-4242-4e13-84c0-869524965718}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Originating Machine: DESKTOP-CHOLLIMA
Service Machine: DESKTOP-CHOLLIMA
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessibleWriters
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
This is what you might get if you don’t have one.
No items found that satisfy the query.
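The two checks above can be automated so the answer comes back as objects rather than text to read by eye. The following script is an added example, not code from the original article or from Microsoft; it assumes Windows PowerShell 5.1 or later in an elevated session (reading shadow copies through Win32_ShadowCopy requires administrator rights, the ACL check alone does not). Get-Acl reads the same security descriptor that icacls prints as BUILTIN\Users:(I)(RX), and Win32_ShadowCopy lists the same copies as "vssadmin list shadows".

```powershell
# Added example (not from the original article): automate the HiveNightmare check.
# Assumes an elevated Windows PowerShell 5.1+ session.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HiveReadableByUsers {
    # $true when BUILTIN\Users holds an Allow ACE that includes ReadData on the hive file.
    # Get-Acl only reads the security descriptor, so the OS lock on the live hive does not matter.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.FileSystemRights.HasFlag($readData)
    })
    return $hits.Count -gt 0
}

function Get-HiveNightmareStatus {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }

    $hives = foreach ($name in 'SAM', 'SECURITY', 'SYSTEM') {
        $path = Join-Path $env:windir "System32\config\$name"
        [pscustomobject]@{
            Hive         = $name
            Path         = $path
            UsersCanRead = Test-HiveReadableByUsers -Path $path
        }
    }

    # Same data as 'vssadmin list shadows', returned as objects.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    $exposedHives = @($hives | Where-Object { $_.UsersCanRead })

    [pscustomobject]@{
        Hives        = $hives
        ShadowCopies = $shadows | Select-Object ID, VolumeName, InstallDate, DeviceObject
        # The weak ACL is a finding on its own; the exposure the article describes additionally
        # needs a shadow copy, because the live hive files are locked by the OS.
        Exploitable  = ($exposedHives.Count -gt 0) -and ($shadows.Count -gt 0)
    }
}

$status = Get-HiveNightmareStatus
$status.Hives | Format-Table Hive, UsersCanRead, Path -AutoSize
if ($status.ShadowCopies) { $status.ShadowCopies | Format-Table -AutoSize } else { 'No shadow copies present.' }
"Exploitable via shadow copy: $($status.Exploitable)"
```

A device that reports UsersCanRead as True for any hive should be remediated even when no shadow copy exists yet, because the next update or restore point would create one with the same weak ACL baked in.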
How to fix Windows security threat (HiveNightmare)?
Restrict access to the contents of %windir%\system32\config
You must both restrict access to the hive files and delete existing shadow copies to prevent exploitation of this vulnerability. Impact of workaround: deleting shadow copies could affect restore operations, including the ability to restore data with third-party backup applications.
1. Open Command Prompt or Windows PowerShell as an administrator.
2. Run these commands:
icacls %windir%\system32\config\sam /remove "Users"
icacls %windir%\system32\config\security /remove "Users"
icacls %windir%\system32\config\system /remove "Users"
3. Run the following command to delete Volume Shadow Copy Service (VSS) shadow copies. Repeat for other drives by changing the drive letter c:
vssadmin delete shadows /for=c: /Quiet
vssadmin delete shadows /for=d: /Quiet
vssadmin delete shadows /for=e: /Quiet
4. To confirm VSS shadow copies are deleted, type in the following command.
vssadmin list shadows
You should get a response like this.
No items found that satisfy the query.
5. Reboot your device.
6. Type “create” into the search bar, select “Create a restore point”, and click the “Create” button in the window that appears.
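Steps 2 to 4 above can be applied and verified from one elevated session. The script below is an added example, not code from the original article or from Microsoft; it issues the same icacls and vssadmin commands the article lists, supports -WhatIf for a dry run, and assumes administrator rights. The restore point helper for step 6 relies on Checkpoint-Computer, which exists in Windows PowerShell 5.1 but not in PowerShell 7.

```powershell
# Added example (not from the original article): apply and verify the workaround.
# Assumes an elevated Windows PowerShell 5.1 session.

function Invoke-HiveNightmareWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Deleting shadow copies removes restore points. Pass -DeleteShadowCopies:$false to
        # keep them, but old copies still hold the hives with the weak ACL.
        [bool]$DeleteShadowCopies = $true
    )

    $hives = foreach ($n in 'sam', 'security', 'system') { Join-Path $env:windir "system32\config\$n" }

    # Step 2: remove the BUILTIN\Users entry from each hive file (same command as the article).
    foreach ($path in $hives) {
        if ($PSCmdlet.ShouldProcess($path, 'icacls /remove "Users"')) {
            $out = & icacls.exe $path /remove 'Users' 2>&1
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on ${path}: $out" }
        }
    }

    # Step 3: delete shadow copies on every fixed local drive (DriveType 3), not only C:.
    if ($DeleteShadowCopies) {
        $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
            Select-Object -ExpandProperty DeviceID
        foreach ($drive in $drives) {
            if ($PSCmdlet.ShouldProcess($drive, 'vssadmin delete shadows /Quiet')) {
                & vssadmin.exe delete shadows "/for=$drive" /Quiet | Write-Verbose
            }
        }
    }

    # Step 4: verify. A hive still listing BUILTIN\Users, or a remaining shadow copy,
    # means the workaround is incomplete.
    $stillReadable = @(foreach ($path in $hives) {
        $listing = (& icacls.exe $path 2>&1) | Out-String
        if ($listing -match 'BUILTIN\\Users') { $path }
    })
    $remainingShadows = @(Get-CimInstance -ClassName Win32_ShadowCopy).Count

    [pscustomobject]@{
        HivesStillReadableByUsers = $stillReadable
        RemainingShadowCopies     = $remainingShadows
        Done = ($stillReadable.Count -eq 0) -and ($remainingShadows -eq 0 -or -not $DeleteShadowCopies)
    }
}

function New-PostFixRestorePoint {
    # Step 6, after the reboot of step 5: a restore point created now snapshots the hive files
    # with the corrected ACL, so the new shadow copy is not readable by Users.
    # Windows 8 and later allow one scripted restore point per 24 hours; a second call in that
    # window is skipped with a warning.
    Checkpoint-Computer -Description 'HiveNightmare workaround applied' -RestorePointType MODIFY_SETTINGS
}

Invoke-HiveNightmareWorkaround -Verbose
# Next: Restart-Computer (step 5), then after logging back in: New-PostFixRestorePoint (step 6)
```

Run Invoke-HiveNightmareWorkaround -WhatIf first to see which files and drives it would touch; the returned object's Done field should read True before you reboot and create the new restore point.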