
I was referring to the login GUI running with full privileges, meaning any time someone finds an arbitrary code execution vulnerability in the GUI they can get full admin access.

I wasn't referring to using a boot disk to reset a password. As far as I'm concerned that's a feature not a vulnerability, and it's a feature Windows makes unnecessarily hard to access.



The "GUI" is in the kernel (gdi32.dll, user32.dll, comdlg32.dll, etc). What you see at the CTRL+ALT+DEL screen is actually the "SYSTEM" user's desktop.

You are, however, technically correct, but finding arbitrary code execution vulnerabilities in the "GUI" these days is not a trivial task. And if you've done that, you can do anything you want to the system.

As Raymond Chen (Windows API developer) would say "that would involve being on the other side of this airtight hatchway".


The "login GUI" is actually the process that launches users' sessions and then passes control of the screen/input to that session. It has to have "better than" administrator-level access to do so (since it has to broker administrator sessions).

Even if you ran the actual GUI as some special user, that GUI would still have to be able to do a bunch of powerful things using SYSTEM level services, so any exploit would be equally as powerful if it went after the SYSTEM login GUI or the login service.

What you're suggesting would be meaningful feel good security with no actual teeth. Attackers would just use the boot disk to alter a different file or process.



