Rstrui is a signed Microsoft executable, which handles the system restore features. This executable has “autoElevate” property set to true in the manifest which means it will run with high integrity level. While playing around in ProcessMonitor from Sysinternals, I found out that rstrui.exe accepts command line arguments, I focused on the “/RUNONCE” argument.

In these examples, we start a host process (msra.exe) that we steal the UIAccess token from. We downgrade the token IL from Medium+ to Medium. We use the token to spawn a new process (uihack.exe) with the UIAccess flag, we can now send keyboard events to the elevated processes.

Fodhelper is a auto-elevated executable, which is signed by Microsoft. Fodhelper was introduced in Windows 10 (10240) to manage optional features, like keyboard settings.

WSReset is used to reset Windows Store settings. This executable is signed by Microsoft and has “autoElevate” property set to true in the manifest.

This executable is running elevated by default. Since sdclt executable is vulnerable to class hijacking, it can be used to spawn our executable with High IL. We need to hijack the IsolatedCommand value at “HKCU\Software\Classes\exefile\shell\runas\command” with full path to our executable.

This executable is running elevated by default. Since sdclt executable is vulnerable to registry App Path hijacking, it can be used to spawn our executable with High IL. We need to hijack the default value at “HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe” with full path to our executable.

Sdclt is a Microsoft executable file which was introduced in Windows 7 (7600) to allow users to perform backups or restore a backup. This executable is signed by Microsoft and has “autoElevate” property set to true in the manifest. You can verify the manifest using Sigcheck from Sysinternals.