{"id":5203,"date":"2017-01-16T21:46:07","date_gmt":"2017-01-16T16:16:07","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=5203"},"modified":"2019-05-12T02:52:19","modified_gmt":"2019-05-12T02:52:19","slug":"microsoft-fixes-eventvwr-exe-uac-bypass-exploit-windows-10-creators-update","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/microsoft-fixes-eventvwr-exe-uac-bypass-exploit-windows-10-creators-update\/","title":{"rendered":"Microsoft fixes Eventvwr.exe UAC Bypass Exploit in Windows 10 Creators Update"},"content":{"rendered":"<p>In Windows 10 Creators Update preview build 15007, Microsoft seems to have fixed the UAC bypass method involving eventvwr.exe. First, how does this bypass work?<!--more--><\/p>\n<p>When you&#8217;re logged in as administrator, Windows binaries that have the execution level set to &#8220;highestavailable&#8221; and &#8220;autoelevate&#8221; property set to &#8220;true&#8221; in the manifest, automatically start elevated without showing the User Account Control prompt.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/uac-bypass-2.png\" alt=\"uac bypass exploit eventvwr.exe\" width=\"670\" height=\"410\" class=\"alignnone size-full wp-image-5205\" \/><\/p>\n<p>Task Manager (Taskmgr.exe) and Eventvwr.exe are two such examples. Have you noticed that the Task Manager runs elevated by default, but shows no UAC prompt when you&#8217;re logged in as administrator?<\/p>\n<p>Security researcher Matt Nelson (@enigma0x3 on Twitter) wrote about a <a rel=\"nofollow noopener noreferrer\" href=\"https:\/\/enigma0x3.net\/2016\/08\/15\/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking\/\" target=\"_blank\">UAC bypass or exploit<\/a> that uses eventvwr.exe. Eventvwr.exe is essentially a launcher program that executes %systemroot%\\system32\\eventvwr.msc using ShellExecute method.<\/p>\n<p>What that (ShellExecute) means is that the system uses .MSC file association information to launch the appropriate executable that opens MSC files. Since the parent program eventvwr.exe runs elevated by default, the child process runs elevated as well.<\/p>\n<h2>UAC bypass using registry hack<\/h2>\n<p>When eventvwr.exe (shell)executes eventvwr.msc file, Windows, rather than using file association info under HKEY_LOCAL_MACHINE\\Software\\Classes\\mscfile, queries the branch here:<\/p>\n<pre>HKEY_CLASSES_ROOT\\mscfile<\/pre>\n<p>FYI, HKEY_CLASSES_ROOT is just a merged view that contains keys, subkeys and values from these two locations:<\/p>\n<pre>\r\nHKEY_CURRENT_USER\\Software\\Classes\r\nHKEY_LOCAL_MACHINE\\Software\\Classes\r\n<\/pre>\n<p>And if identical keys and values exist under both, the ones under HKEY_CURRENT_USER take precedence. So, you can hijack <code>HKEY_CLASSES_ROOT\\mscfile<\/code> by creating the following key:<\/p>\n<pre>HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/uac-bypass-0-1.png\" alt=\"uac bypass exploit eventvwr.exe\" width=\"671\" height=\"174\" class=\"alignnone size-full wp-image-5210\" \/><\/p>\n<p>A malicious program or script can set the <code>(default)<\/code> value data accordingly, so that a PowerShell command\/script can be executed with full administrative privileges \/ high integrity, without even the user knowing.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/uac-bypass-1.png\" alt=\"uac bypass exploit eventvwr.exe\" width=\"670\" height=\"209\" class=\"alignnone size-full wp-image-5206\" \/><\/p>\n<p>Thus, by hijacking HKEY_CLASSES_ROOT, eventvwr.exe can be effectively used as a launcher program to execute any program arbitrarily &#8212; even download ransomware payload from a remote server and run it using PowerShell.exe, under admin privileges.<\/p>\n<p>This is a very effective UAC bypass method as it requires no dropping of files, DLL injection or anything else. Of course, this UAC exploit works only when you&#8217;re logged in as administrator.<\/p>\n<p><strong>This has changed in Creators Update preview build 15007.<\/strong> Thankfully, Microsoft has fixed eventvwr.exe in 15007 &#8212; it no longer shellexecutes the MSC file. Instead it creates an MMC.exe process directly &#8212; file association is not used.<\/p>\n<p><em>Thanks to <a rel=\"nofollow noopener noreferrer\" href=\"https:\/\/enigma0x3.net\/2016\/08\/15\/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking\/\" target=\"_blank\">Matt Nelson<\/a> (<a href=\"https:\/\/twitter.com\/enigma0x3?lang=en&amp;lang=en\" target=\"_blank\" rel=\"noopener noreferrer\">@enigma0x3<\/a>) who discovered this bypass method, and to FireF0X (<a href=\"https:\/\/twitter.com\/hFireF0X?lang=en\" target=\"_blank\" rel=\"noopener noreferrer\">@hFireF0X<\/a>) who notified that this issue is resolved in 15007 where eventvwr.exe uses CreateProcess to launch mmc.exe instead of ShellExecute<\/em>. See also: <a rel=\"nofollow noopener noreferrer\" href=\"https:\/\/www.exploit-db.com\/exploits\/40268\/\" target=\"_blank\">Microsoft Windows &#8211; Fileless UAC Protection Bypass Privilege Escalation<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Windows 10 Creators Update preview build 15007, Microsoft seems to have fixed the UAC bypass method involving eventvwr.exe. First, how does this bypass work?<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[8],"tags":[441],"class_list":["post-5203","post","type-post","status-publish","format-standard","hentry","category-windows-10","tag-registry"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":335,"url":"https:\/\/www.winhelponline.com\/blog\/run-programs-elevated-without-getting-the-uac-prompt\/","url_meta":{"origin":5203,"position":0},"title":"How to Run Programs as Administrator (Elevated) without UAC Prompt","author":"Ramesh","date":"June 17, 2008","format":false,"excerpt":"Recently, I came across a brilliant tip on how to run programs elevated without getting the User Account Control (UAC) prompt. This can be done without turning off the UAC and hence it does not compromise system security. How to Run Programs elevated without UAC Prompt You can run apps\u2026","rel":"","context":"In &quot;Windows&quot;","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/archived2\/myapps-sched.gif?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":9110,"url":"https:\/\/www.winhelponline.com\/blog\/uac-asks-password-even-logged-administrator\/","url_meta":{"origin":5203,"position":1},"title":"[Fix] UAC asks for password even if logged in as administrator","author":"Ramesh","date":"May 7, 2019","format":false,"excerpt":"Is the UAC dialog asking for the password during elevation even though you're logged in to an administrator account? For non-admin accounts, the UAC elevation asks for admin credentials, but for administrator accounts, the UAC dialog should just ask for consent, not password, when launching non-Windows executables in elevated mode.\u2026","rel":"","context":"In &quot;Windows&quot;","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"UAC asks for password even if logged in as an administrator","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/05\/uac-asks-password-admin-2.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":277,"url":"https:\/\/www.winhelponline.com\/blog\/mapped-drives-not-seen-elevated-command-prompt-task-scheduler\/","url_meta":{"origin":5203,"position":2},"title":"Mapped drives not seen from elevated Command Prompt and Task Scheduler","author":"Ramesh","date":"May 12, 2008","format":false,"excerpt":"When you attempt to access a mapped network drive from an elevated or admin Command Prompt or Task Scheduler (with the highest privileges), the mapped drive won't be available. Attempting to use the mapped network drives causes the error The system cannot find the path specified (Error code: 0x80070003). Here\u2026","rel":"","context":"In &quot;Windows&quot;","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"mapped network drive not seen from admin command prompt and task scheduler","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2008\/05\/mapped-drives-enablelinkedconnections.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2008\/05\/mapped-drives-enablelinkedconnections.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2008\/05\/mapped-drives-enablelinkedconnections.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":32015,"url":"https:\/\/www.winhelponline.com\/blog\/make-uac-ask-password-admins\/","url_meta":{"origin":5203,"position":3},"title":"How to Make UAC Always ask for Password on Admin Accounts","author":"Ramesh","date":"January 17, 2023","format":false,"excerpt":"When you're login to an admin account and initiate an action that requires administrative rights (elevation of privilege), the UAC will ask for consent (instead of the username and password.) You select either Yes (\"Permit\") or No (\"Deny\") in the consent dialog. This operation will happen on the secure desktop.\u2026","rel":"","context":"In &quot;Windows&quot;","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"UAC asks for password even if logged in as an administrator","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/05\/uac-asks-password-admin-1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/05\/uac-asks-password-admin-1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/05\/uac-asks-password-admin-1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/05\/uac-asks-password-admin-1.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":6033,"url":"https:\/\/www.winhelponline.com\/blog\/fix-yes-button-uac-dialog-grayed-disabled-user-account-control\/","url_meta":{"origin":5203,"position":4},"title":"[Fix] UAC Yes Button is Missing or Grayed Out","author":"Ramesh","date":"December 12, 2017","format":false,"excerpt":"Some users are facing a weird problem wherein the \"Yes\" button in User Account Control (UAC) dialog is disabled or grayed out. As a result, you'll be unable to launch any program under elevated privileges (run as administrator). Cause This problem can occur if your user account group membership is\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/12\/regain-admin-rights-7.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/12\/regain-admin-rights-7.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/12\/regain-admin-rights-7.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/12\/regain-admin-rights-7.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":985,"url":"https:\/\/www.winhelponline.com\/blog\/add-uac-shield-icon-right-click-context-menu-windows-7\/","url_meta":{"origin":5203,"position":5},"title":"How to Add UAC Shield Icon for a Right-Click Menu Item in Windows","author":"Ramesh","date":"January 26, 2010","format":false,"excerpt":"Most users customize the right-click menu by adding additional verbs in the registry in order to launch programs or scripts. Windows 7 (and higher) lets you add the UAC Shield icon for static context menu items. If a verb you add to the right-click menu launches a program which runs\u2026","rel":"","context":"In &quot;Windows&quot;","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/5203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=5203"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/5203\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=5203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=5203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=5203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}