UAC Bypass
What is UAC Bypass?
A Windows technique that elevates a medium-integrity process to high integrity without prompting the user, typically by abusing auto-elevating signed binaries.
User Account Control (UAC) splits an administrator session into a filtered medium-integrity token and a full high-integrity token reachable only via consent prompts. UAC bypasses exploit auto-elevating Windows executables that run with high integrity without prompting, such as fodhelper.exe, eventvwr.exe, computerdefaults.exe, sdclt.exe and others. By hijacking specific registry keys (HKCU\Software\Classes\ms-settings\Shell\Open\command or shell\open\command for mscfile) or DLL search paths, an attacker has the trusted process spawn arbitrary code under the high-integrity token. Public catalogs like UACME document dozens of techniques. Hardening: set UAC to always notify, enable Admin Approval Mode for the built-in administrator, use ASR rules, AppLocker/WDAC, and never run as a local admin for daily use.
● Examples
- 01
Setting HKCU\Software\Classes\ms-settings\Shell\Open\command and launching fodhelper.exe to get a high-integrity shell.
- 02
Hijacking a COM handler abused by sdclt.exe to load a malicious DLL with elevated rights.
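Both examples above leave artifacts a defender can look for, and the hardening advice in the definition maps to a handful of registry-backed policy values. The following PowerShell audit is an added example, not code from the original page or from any project it names: it reports whether the current user has planted an override for the ms-settings or mscfile shell handler in HKCU (a legitimate profile has no such keys) and compares the machine's UAC policy against the hardened values assumed here (EnableLUA=1, ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1 for "Always notify", FilterAdministratorToken=1 for Admin Approval Mode on the built-in Administrator). It only reads the registry and does not change anything.

```powershell
# Added defender-side audit (example code, not from the original page).
# Assumption: the "hardened" policy values below correspond to the
# "Always notify" slider plus Admin Approval Mode for the built-in Administrator.
# At "Always notify", Windows does not auto-elevate its own signed binaries,
# which is why the entry recommends it against fodhelper/eventvwr style bypasses.

$findings = @()

# 1. Per-user shell handler overrides. HKCU is writable at medium integrity, and
#    the auto-elevating binaries named in the entry consult these keys.
$hijackKeys = @(
    'HKCU:\Software\Classes\ms-settings\Shell\Open\command',   # fodhelper.exe / computerdefaults.exe
    'HKCU:\Software\Classes\mscfile\shell\open\command'        # eventvwr.exe ("shell\open\command for mscfile")
)
foreach ($key in $hijackKeys) {
    if (Test-Path -Path $key) {
        $props  = Get-ItemProperty -Path $key
        # Collect every stored value so the analyst sees exactly what the key contains.
        $values = $props.PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' } |
                  ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
        $findings += [pscustomobject]@{
            Check    = 'HKCU handler override present'
            Location = $key
            Value    = ($values -join '; ')
            Severity = 'High'
        }
    }
}

# 2. UAC policy values behind the hardening advice.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy     = Get-ItemProperty -Path $policyPath
$expected   = [ordered]@{
    EnableLUA                  = 1   # UAC enabled at all
    ConsentPromptBehaviorAdmin = 2   # prompt for consent on the secure desktop ("Always notify")
    PromptOnSecureDesktop      = 1   # prompt cannot be spoofed by a normal window
    FilterAdministratorToken   = 1   # built-in Administrator also gets a filtered token
}
foreach ($name in $expected.Keys) {
    $actual = $policy.$name
    if ($null -eq $actual -or $actual -ne $expected[$name]) {
        $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
        $findings += [pscustomobject]@{
            Check    = 'UAC policy weaker than recommended'
            Location = "$policyPath\$name"
            Value    = "actual=$shown expected=$($expected[$name])"
            Severity = 'Medium'
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled run or EDR script task can flag the host
} else {
    Write-Output 'No HKCU handler overrides found and UAC policy matches the hardened baseline.'
    exit 0
}
```

Run it in each user's context (the handler keys live in HKCU, so a check from another account sees a different hive), and treat any hit under the first check as an incident lead rather than a configuration drift: there is no benign reason for a user profile to define an ms-settings or mscfile open command.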
● Frequently asked questions
What is UAC Bypass?
A Windows technique that elevates a medium-integrity process to high integrity without prompting the user, typically by abusing auto-elevating signed binaries. It belongs to the Attacks & Threats category of cybersecurity.
How does UAC Bypass work?
User Account Control (UAC) splits an administrator session into a filtered medium-integrity token and a full high-integrity token reachable only via consent prompts. UAC bypasses exploit auto-elevating Windows executables that run with high integrity without prompting, such as fodhelper.exe, eventvwr.exe, computerdefaults.exe, sdclt.exe and others. By hijacking specific registry keys (HKCU\Software\Classes\ms-settings\Shell\Open\command or shell\open\command for mscfile) or DLL search paths, an attacker has the trusted process spawn arbitrary code under the high-integrity token. Public catalogs like UACME document dozens of techniques. Hardening: set UAC to always notify, enable Admin Approval Mode for the built-in administrator, use ASR rules, AppLocker/WDAC, and never run as a local admin for daily use.
How do you defend against UAC Bypass?
Defences for UAC Bypass combine technical controls and operational practices, as the definition above details: set UAC to always notify so signed Windows binaries no longer auto-elevate, enable Admin Approval Mode for the built-in administrator, deploy ASR rules and AppLocker/WDAC allow-listing, and never use a local administrator account for daily work.
What are other names for UAC Bypass?
Common alternative names include: User Account Control bypass, fodhelper bypass, eventvwr bypass.
● Related terms
- vulnerabilities
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
- attacks
DLL Hijacking
An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
- attacks
Living off the Land
An attacker tradecraft style that abuses legitimate, pre-installed tools and scripts on a victim system instead of dropping custom malware.