CompMgmtLauncher.exe UAC Bypass Not Fixed in Windows 10 Build 15007

We saw that the UAC bypass method using Eventvwr.exe is fixed in Windows 10 Creators Update build 15007. But the other identical UAC bypass method using CompMgmtLauncher.exe hasn’t been fixed yet.

CompMgmtLauncher.exe launches compmgmt.msc using ShellExecute, exactly the same way how Eventvwr.exe launches Eventvwr.msc. By creating the same registry key (below) you can run any program as administrator, bypassing the UAC prompt.

HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command

I set the (default) value data to cmd.exe

This time, the target program is launched interactively — this wasn’t the case with eventvwr.exe. In both cases, the target program is started elevated.





compmgmtlauncher uac bypass

Here is a demo PowerShell script to show how this method can be misused.

Hope Microsoft addresses this issue in the upcoming Creators Update.

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in the ITeS industry — delivering support for Microsoft's consumer products. He has been a Microsoft MVP [2003 to 2012] who contributes to various Windows support forums.

Leave a Comment