

Overview

If an application runs with elevated privileges and provides a GUI (file browser, help menu, print dialog), you can abuse it to spawn a command prompt as that user.

Identify GUI Apps Running as Admin

tasklist /v | findstr /i "admin"
Get-Process | Where-Object { $_.MainWindowTitle -ne "" } | Select ProcessName, Id, MainWindowTitle

Check with Process Explorer or Task Manager → look for processes running as SYSTEM or Administrator with a visible window.

File Dialog Escape

Many applications have File → Open or File → Save As dialogs.

Steps

  1. Open the elevated application
  2. Navigate to File → Open (or Save As, Print, Help)
  3. In the file dialog address bar, type:
C:\Windows\System32\cmd.exe
  4. Press Enter → cmd.exe opens with the application’s privileges

Alternative Paths

\\127.0.0.1\c$\Windows\System32\cmd.exe
file:///C:/Windows/System32/cmd.exe

Right-click in File Dialog

  1. In file dialog, navigate to C:\Windows\System32
  2. Right-click → Open → select cmd.exe

Help Menu Escape

  1. Open Help → About or press F1
  2. If a browser opens → navigate to:
file:///C:/Windows/System32/cmd.exe
  3. Or use the address bar to navigate to local files

Paint / Notepad / WordPad

If running elevated:

Notepad

File → Open → type C:\Windows\System32\cmd.exe → Enter
Or open any file, then in the path bar navigate to System32.

Paint

File → Open → navigate to C:\Windows\System32 → change file type to "All Files" → right-click cmd.exe → Open

Internet Explorer / Edge (Legacy)

If the browser runs elevated, type in the address bar:
file:///C:/Windows/System32/cmd.exe
Or:
C:\Windows\System32\cmd.exe

CVE-2019-1388 — Certificate Dialog

UAC prompt → “Show more details” → certificate issuer link → opens browser as SYSTEM.

Requirements

  • Windows 7/8/10 (pre-patch)
  • Need a signed executable with a certificate that has a URL in the issuer field

Steps

  1. Run a signed binary (e.g., hhupd.exe)
  2. UAC prompt appears → click “Show more details”
  3. Click “Show information about the publisher’s certificate”
  4. Click the issuer URL link → browser opens as SYSTEM
  5. Save As → navigate to C:\Windows\System32\cmd.exe

Find Suitable Binary

https://github.com/jas502n/CVE-2019-1388

Citrix / RDP Breakout

In restricted Citrix/RDP environments:

Task Manager

Ctrl+Shift+Esc → File → New Task → cmd.exe

Sticky Keys Replacement (Physical/RDP)

If you can replace sethc.exe:

copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

At login screen → press Shift 5 times → SYSTEM shell.

Utilman Replacement

copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe

At login screen → click Ease of Access → SYSTEM shell.
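As a defender-side companion to the techniques on this page (an added example, not code from the page or the documentation it belongs to): the Python below scans Sysmon-style process-creation (Event ID 1) records for a shell launched from one of the elevated GUI applications named above, and for sethc.exe or utilman.exe whose OriginalFileName no longer matches the genuine binary. Field names follow Sysmon; the event records are constructed samples, not real telemetry.

```python
# GUI applications named on this page whose dialogs can launch a shell.
GUI_PARENTS = {"notepad.exe", "mspaint.exe", "wordpad.exe", "iexplore.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
ELEVATED = {"High", "System"}
# Accessibility binaries and the OriginalFileName their genuine version
# resource carries; a copied cmd.exe reports "Cmd.Exe" instead.
ACCESSIBILITY = {"sethc.exe": "sethc.exe", "utilman.exe": "utilman.exe"}

def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding string for one record, or None if it looks benign."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    level = event.get("IntegrityLevel", "")
    if image in SHELLS and parent in GUI_PARENTS and level in ELEVATED:
        return f"elevated GUI breakout: {parent} -> {image} [{level}]"
    expected = ACCESSIBILITY.get(image)
    reported = event.get("OriginalFileName", "")
    if expected and reported.lower() != expected:
        return f"accessibility binary replaced: {image} reports {reported!r}"
    return None

def scan(events):
    """Return (ProcessId, finding) pairs for every suspicious record."""
    return [(e["ProcessId"], f) for e in events if (f := classify(e))]

# Constructed Sysmon-style Event ID 1 records for this example (not real
# telemetry): an elevated Notepad spawning cmd.exe, a normal user shell,
# a replaced sethc.exe at the logon screen, and a genuine utilman.exe.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\notepad.exe",
     "IntegrityLevel": "High", "OriginalFileName": "Cmd.Exe"},
    {"ProcessId": 5032, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium", "OriginalFileName": "Cmd.Exe"},
    {"ProcessId": 612, "Image": r"C:\Windows\System32\sethc.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "IntegrityLevel": "System", "OriginalFileName": "Cmd.Exe"},
    {"ProcessId": 700, "Image": r"C:\Windows\System32\utilman.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "IntegrityLevel": "System", "OriginalFileName": "utilman.exe"},
]
```

Sysmon takes OriginalFileName from the version resource, so a copied cmd.exe keeps reporting "Cmd.Exe" even though the image path says sethc.exe; an Authenticode check alone would not catch the swap, because the copy is still a validly signed Microsoft binary.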

Quick Reference

| Scenario | Technique |
|---|---|
| Elevated app with File dialog | Navigate to cmd.exe |
| Elevated browser | file:///C:/Windows/System32/cmd.exe |
| UAC prompt (CVE-2019-1388) | Certificate issuer link |
| RDP/Citrix breakout | Task Manager → New Task |
| Login screen access | sethc.exe / utilman.exe replacement |