Creative UAC Bypass
Methods for the Modern Era

Windows UAC offers four levels, controlled via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:

• Always Notify (max) — every elevation prompts, auto-elevation disabled. Breaks ALL techniques in this course. Rarely deployed because it severely disrupts admin workflows.
• Notify when apps try to make changes (default) — Microsoft-signed apps auto-elevate silently. This is the setting that makes all bypasses in this course viable.
• Notify only (no secure desktop) — same as default but no secure desktop dimming. Slightly weaker.
• Never Notify (off) — UAC completely disabled. No bypass needed — processes can elevate freely.

The COM Elevation Moniker is a special string format that requests an elevated COM object without a UAC prompt, provided the COM class is on the auto-approval list and the caller is running in an appropriate context:

Format: "Elevation:Administrator!new:{CLSID}"

When passed to CoGetObject(), this moniker asks COM to instantiate the class at high integrity. The key requirements:

• The CLSID must be registered in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList
• The calling process must be running in a trusted context — typically explorer.exe or another shell process
• The COM class must be marked as auto-elevated in its registry entry

COM auto-elevation checks the calling process's trust level before granting elevation. Specifically, it verifies the caller is running in an interactive user context via a shell window (explorer.exe or derivative). A standalone attacker process doesn't satisfy this check.

Two approaches used in this course:

• DLL injection into explorer.exe (Bypass #1) — inject the COM activation code into the trusted explorer.exe process. The COM call originates from a trusted context. Simple and reliable.
• PEB Masquerading (Subscriber bonus) — modify our own process's PEB to make it appear as if it's explorer.exe. More elegant, no injection required, but more complex to implement correctly.

Two tools for verifying COM auto-elevation status before writing any code:

Registry check: Look up the CLSID in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList. If it's listed with a value of 1, it's on the auto-approval list.

OleView.exe (from the Windows SDK): Load the COM class → check the Properties panel for "Auto Approval" and "Elevation" flags. OleView also shows all exposed interfaces, which is how the ICMLuaUtil interface and its ShellExec method were identified for Bypass #1.

• OleView path (after SDK install): C:\Program Files (x86)\Windows Kits\10\bin\x64\oleview.exe
• Search by CLSID: Edit → Find → paste the GUID
• Binary Ninja or IDA for analyzing the actual DLL that implements the interface

COM virtual function tables are ordered structures. The C++ compiler lays out vtable entries in declaration order. When you call spLuaUtil->ShellExec(), the compiler emits code that reads the 7th pointer from the vtable. If your stub is out of order, you'll call the wrong function — or crash.

How to determine the order: open cmlua.dll in Binary Ninja or IDA. Navigate to the vtable for ICMLuaUtil. Count the function pointers from the start of the table. AddRef, Release, and QueryInterface (inherited from IUnknown) occupy slots 0–2 in the base class vtable — these are handled automatically by IUnknown inheritance. Your struct's virtual methods start at slot 3 (Method1 in the stub). ShellExec is at slot 9 in the full vtable, which is slot 7 in your struct (after the 3 inherited IUnknown methods).

BIND_OPTS3 is the binding options structure passed to CoGetObject(). The dwClassContext field specifies where the COM server should run. For elevated COM objects, CLSCTX_LOCAL_SERVER is required — it tells COM to use an out-of-process local server (a separate elevated surrogate process), which is how the elevation boundary is crossed.

Using CLSCTX_INPROC_SERVER here would attempt to load the COM class DLL in-process — which can't cross the elevation boundary. The elevation moniker only works with local server context.

• cbStruct must be set to sizeof(BIND_OPTS3) — the API uses this to determine the struct version
• ZeroMemory the struct first to avoid garbage in reserved fields
• The rest of BIND_OPTS3 fields can be zero for this use case

The subscriber version of this technique skips DLL injection entirely. Instead, it modifies the calling process's PEB (Process Environment Block) to make it appear as if the process is explorer.exe — satisfying COM's trusted context check without actually being inside explorer.

Key PEB fields to modify:

• PEB.ProcessParameters.ImagePathName — set to explorer.exe's full path
• PEB.ProcessParameters.CommandLine — set to match explorer.exe's command line

After masquerading, the same CoGetObject elevation moniker call works from the standalone process. The technique is cleaner OPSEC-wise — no remote thread, no WriteProcessMemory, no cross-process handles. Available as C++, Rust, and C# versions at the ko-fi link in the course header.

The DelegateExecute registry value tells Windows Shell to use the (default) value as a command to execute rather than as a COM class identifier. Without it, Windows may try to interpret the default value as a ProgID or CLSID and fail silently.

The value itself is empty — what matters is its presence. Setting it to an empty string via -Value "" is sufficient. The registry key structure that triggers command execution:

• HKCU\software\classes\ms-settings\shell\open\command\(Default) = your payload path
• HKCU\software\classes\ms-settings\shell\open\command\DelegateExecute = "" (empty)

When ComputerDefaults.exe executes the value from the registry, its working directory is C:\Windows\System32. Relative path traversal works from there:

• C:\Windows\System32 — starting point
• ../ — up to C:\Windows
• ../../ — up to C:\ (drive root)
• ../../myfolder/barney.exe — resolves to C:\myfolder\barney.exe

Create your payload folder at the drive root (or one level deep) to keep the path short. Deep folder nesting still works but the relative path gets longer. Avoid folder names matching known malware paths.

The ms-settings URI handler hijack works against any auto-elevating binary that opens an ms-settings URI. Several well-known ones:

• fodhelper.exe — one of the earliest documented targets (2017), heavily signatured
• computerdefaults.exe — still works as of 2025, less signatured than fodhelper
• eventvwr.exe — uses a different registry key path but same mechanism
• sdclt.exe — backup/restore tool, reads from HKCU

When one gets patched or signatured, look for other auto-elevating binaries that read from HKCU paths via ProcMon with a NAME NOT FOUND + HKCU filter. The pattern is consistent — only the binary and the specific key path change.

msdt.exe is not universally auto-elevated — it depends on the diagnostic package XML being loaded. The BluetoothDiagnostic.xml package includes an auto-elevation directive that tells Windows to elevate the process for this specific diagnostic. Without the correct XML, msdt.exe would prompt for UAC consent normally.

The XML file lives at C:\WINDOWS\diagnostics\index\BluetoothDiagnostic.xml and is a legitimate Windows component. We're not modifying it — just using it as the trigger to activate the auto-elevation code path in msdt.exe.

The user %PATH% variable (stored in HKCU\Environment\PATH) is checked during DLL resolution for processes running in the user's session — including auto-elevated processes that originate from user actions. Modifying it requires no elevation.

System PATH (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path) requires admin rights to modify and affects all users. For this bypass, user PATH is sufficient and leaves a smaller footprint.

• User PATH changes take effect immediately for new processes — no logoff required
• Cleanup: remove the folder from PATH and delete the DLL after the payload executes
• The path entry is visible in sysdm.cpl → Environment Variables → User variables — basic forensic artifact to clean up

If you compile BluetoothDiagnosticUtil.dll as x64, the injection fails silently. sdiagnhost.exe is a 32-bit process — it calls LoadLibrary on your DLL, the loader tries to map it into a 32-bit address space, detects the PE architecture mismatch, and returns ERROR_BAD_EXE_FORMAT (193). The process continues normally with no visible error and your code never runs.

In Visual Studio: right-click project → Properties → Configuration Manager → change Active Solution Platform from x64 to x86 or Win32. Verify the output: dumpbin /headers BluetoothDiagnosticUtil.dll | findstr machine should show 14C machine (x86).

Even though SilentCleanup is patched, the discovery methodology is evergreen:

• Open ProcMon → Add filter: Process Name contains dismhost (or your target binary)
• Add filter: Result is NAME NOT FOUND
• Add filter: Path ends with .dll
• Run the auto-elevated binary or trigger the scheduled task
• Look for DLL loads from %TEMP%, %PATH% directories, or the application directory
• For each candidate, verify the directory is user-writable

This pattern was used to find SilentCleanup's target originally, and it will find the next one. Scheduled tasks that auto-elevate are particularly rich targets because they're designed to run elevated without user interaction.

When a process loads a DLL, it may immediately call exported functions from it. If your payload DLL doesn't export those functions, the host process crashes — making the bypass visible and potentially incomplete if your payload needs time to execute.

Export proxy stubs solve this: your DLL exports functions with the same names as the legitimate DLL's exports, but each stub simply returns S_OK or a benign value. The host process gets valid-looking responses and continues normally while your payload executes in the background.

Automation: tools like SharpDllProxy or manual .def files can generate the stub exports from the original DLL's export table. For phantom DLLs (that don't exist), you need to identify the expected exports from documentation or disassembly of the calling binary.

Windows NTFS allows trailing spaces and periods in directory names at the API level, even though Explorer and most UI tools strip them. The folder C:\Windows \ (note the space) is a distinct path from C:\Windows\ and can be created with CreateDirectory using the \\?\ extended path prefix to bypass Win32 path normalization.

Creation: cmd /c mkdir "\\?\C:\Windows \" — the \\?\ prefix bypasses the Win32 subsystem's path normalization, allowing the trailing space.

These folders are notoriously difficult to delete via Explorer — you need to use the same \\?\ prefix: cmd /c rmdir /s /q "\\?\C:\Windows \"

Microsoft's fix was straightforward: normalize the path before comparison in appinfo.dll. The updated code calls GetLongPathName or equivalent normalization APIs to resolve the actual canonical path before checking whether it starts with a trusted prefix. A trailing space directory resolves to a different canonical path than C:\Windows\System32\, failing the check.

The lesson: the vulnerability existed because the check was a simple string prefix comparison without normalization. It's a reminder that path-based security checks need to handle Unicode normalization, junction points, symbolic links, and extended path prefixes correctly — each of these can create apparent matches that don't correspond to the actual filesystem location.

The CMSTPLUA DLL injection technique produces a distinctive artifact chain:

• Sysmon Event 8 (CreateRemoteThread) — source process creating a thread in explorer.exe. Filter: SourceImage != known software updaters AND TargetImage = *explorer.exe
• Sysmon Event 7 (ImageLoaded) — unexpected DLL loaded into explorer.exe from a non-standard path (AppData, Public, Temp)
• Sysmon Event 10 (ProcessAccess) — process opening explorer.exe with PROCESS_ALL_ACCESS
• Security Event 4688 — cmd.exe spawned as high-integrity with parent explorer.exe when no user interaction occurred

Registry-based bypasses are highly detectable via registry monitoring:

• Sysmon Event 12/13 (Registry create/set) — creation of HKCU\Software\Classes\ms-settings\shell\open\command followed by value set
• Sysmon Event 1 — ComputerDefaults.exe spawning an unexpected child process
• Security Event 4688 — elevated child process with ComputerDefaults.exe as creator

Elastic/Sysmon correlation rule: registry write to *\ms-settings\shell\open\command* within 30 seconds of ComputerDefaults.exe execution = high-confidence UAC bypass attempt.

Also applies to the same pattern targeting fodhelper.exe, eventvwr.exe, and sdclt.exe.

• Sysmon Event 7 — sdiagnhost.exe loading a DLL from a user-controlled PATH directory (not System32 or SysWOW64)
• Sysmon Event 1 — cmd.exe spawned by sdiagnhost.exe (unexpected parent)
• User environment PATH modification — adding a new directory to HKCU\Environment\PATH followed shortly by msdt.exe execution is a high-confidence signal

Setting UAC to Always Notify eliminates every technique in this course. Every bypass depends on the auto-elevation mechanism — remove auto-elevation and the attack surface disappears entirely.

Configure via GPO: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode → set to Prompt for credentials on the secure desktop.

Why it's rarely deployed despite being effective:

• Administrators performing frequent privileged operations face constant prompts
• Some enterprise software breaks under Always Notify (poorly written installers expecting silent elevation)
• Organizations deploy Privileged Access Workstations (PAWs) instead — dedicated admin machines running Always Notify that admins use only for privileged tasks

For individual machines (developer laptops, analyst workstations) where the user is technically sophisticated, Always Notify is a reasonable and highly effective hardening measure that costs very little in practice.

Defense-in-depth beyond the UAC setting:

• Audit HKCU\Software\Classes writes — the COM hijack and registry bypass families all write to HKCU. Enable SACL auditing on this key and alert on writes to CLSID paths and ms-settings handler paths.
• Monitor user PATH modifications — writes to HKCU\Environment\PATH are rare in normal usage. Alert on changes, especially those adding directories at the drive root.
• Sysmon with SwiftOnSecurity config — covers CreateRemoteThread, ImageLoaded (filtered), and registry events out of the box.
• Windows Defender ASR rules — the "Block process injections" ASR rule catches some DLL injection variants. Test in audit mode before enforcing.
• Restrict PROCESS_ALL_ACCESS on explorer.exe — advanced: use a kernel callback or EDR rule to alert when non-system processes open explorer.exe with PROCESS_ALL_ACCESS.