In Windows 10 Creators Update preview build 15007, Microsoft seems to have fixed the UAC bypass method involving eventvwr.exe. First, how does this bypass work?
When you’re logged in as administrator, Windows binaries that have the execution level set to “highestavailable” and “autoelevate” property set to “true” in the manifest, automatically start elevated without showing the User Account Control prompt.
Task Manager (Taskmgr.exe) and Eventvwr.exe are two such examples. Have you noticed that the Task Manager runs elevated by default, but shows no UAC prompt when you’re logged in as administrator?
Security researcher Matt Nelson (@enigma0x3 on Twitter) wrote about a UAC bypass or exploit that uses eventvwr.exe. Eventvwr.exe is essentially a launcher program that executes %systemroot%\system32\eventvwr.msc using ShellExecute method.
What that (ShellExecute) means is that the system uses .MSC file association information to launch the appropriate executable that opens MSC files. Since the parent program eventvwr.exe runs elevated by default, the child process runs elevated as well.
UAC bypass using registry hack
When eventvwr.exe (shell)executes eventvwr.msc file, Windows, rather than using file association info under HKEY_LOCAL_MACHINE\Software\Classes\mscfile, queries the branch here:
FYI, HKEY_CLASSES_ROOT is just a merged view that contains keys, subkeys and values from these two locations:
And if identical keys and values exist under both, the ones under HKEY_CURRENT_USER take precedence. So, you can hijack
HKEY_CLASSES_ROOT\mscfile by creating the following key:
A malicious program or script can set the
(default) value data accordingly, so that a PowerShell command/script can be executed with full administrative privileges / high integrity, without even the user knowing.
Thus, by hijacking HKEY_CLASSES_ROOT, eventvwr.exe can be effectively used as a launcher program to execute any program arbitrarily — even download ransomware payload from a remote server and run it using PowerShell.exe, under admin privileges.
This is a very effective UAC bypass method as it requires no dropping of files, DLL injection or anything else. Of course, this UAC exploit works only when you’re logged in as administrator.
This has changed in Creators Update preview build 15007. Thankfully, Microsoft has fixed eventvwr.exe in 15007 — it no longer shellexecutes the MSC file. Instead it creates an MMC.exe process directly — file association is not used.
Thanks to Matt Nelson (@enigma0x3) who discovered this bypass method, and to FireF0X (@hFireF0X) who notified that this issue is resolved in 15007 where eventvwr.exe uses CreateProcess to launch mmc.exe instead of ShellExecute. See also: Microsoft Windows – Fileless UAC Protection Bypass Privilege Escalation
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in Windows — delivering support for Microsoft's consumer products. He has been a Microsoft MVP (2003-2012) who contributes to various Windows support forums.