Bypassing UAC on Windows 10 using Disk Cleanup

Matt Graeber (@mattifestation) and I recently dug into Windows 10 User Account Control; if you aren't familiar with UAC, you can read more about it here. Currently, there are a couple of public UAC bypass techniques, most of which require a privileged file copy using the IFileOperation COM object or WUSA extraction to take advantage of a DLL hijack. You can dig into some of the public bypasses here by hfiref0x. The technique covered in this post differs from the other methods and provides a useful alternative, as it does not rely on a privileged file copy or any code injection.

A common technique used to investigate loading behavior on Windows is to use Sysinternals Process Monitor to analyze how a process behaves when executed. After investigating some default Scheduled Tasks that exist on Windows 10, we found that a task named SilentCleanup is configured on stock Windows 10 to run with highest privileges. To find this, we simply went through each task and inspected the security options for "Run with Highest Privileges" being checked together with a non-elevated user account such as Users. Taking a closer look with procmon, we found that the actual process started by the scheduled task is cleanmgr.exe. Let's dive in a bit more.

When cleanmgr.exe executes, it creates a new folder with the name of a GUID in C:\Users\<username>\AppData\Local\Temp. Once cleanmgr.exe starts, it copies DLLs along with dismhost.exe into that folder. After copying DismHost.exe and its DLLs to C:\Users\<username>\AppData\Local\Temp\<guid>, cleanmgr.exe then launches dismhost.exe from there.

Since dismhost.exe launches out of C:\Users\<username>\AppData\Local\Temp\<guid>, it begins to load DLLs out of the same folder in a certain order. Because the current medium-integrity process has write access to the user's TEMP directory, it is possible to hijack a DLL loaded by dismhost.exe. This is commonly known as a BypassUAC attack. Since this particular situation is a race condition, we have to replace the target DLL before dismhost.exe loads it. We examined the entire process more closely and determined that LogProvider.dll is the last DLL loaded by dismhost.exe. With this information, we can use a WMI event to monitor for the creation of C:\Users\<username>\AppData\Local\Temp\<guid> and then assign that WMI event an action of hijacking LogProvider.dll by copying our malicious DLL into C:\Users\<username>\AppData\Local\Temp\<guid> and naming it LogProvider.dll. Since this action happens before dismhost.exe loads LogProvider.dll, it will load our DLL instead of the intended one. Once dismhost.exe loads the DLL, it will load as high integrity, allowing us to bypass User Account Control and obtain code execution as a high-integrity process.

After additional testing, this technique does not apply to standard user accounts: when executed as a standard user in low or medium integrity, the task runs as medium integrity and never elevates past that.

Matt Graeber (@mattifestation) wrote an excellent PoC PowerShell script that will register a WMI event to monitor for the creation of the GUID folder by cleanmgr.exe and then copy the malicious DLL to the GUID folder with the name of LogProvider.dll. Once dismhost.exe loads LogProvider.dll, it will be our malicious DLL instead of the legitimate one, thus bypassing UAC and giving us code execution in a high-integrity context.
You can find the script here: https://gist. To test this, you simply need the PoC script and a DLL with a standard DllMain export. For testing, you can either create your own DLL or use a simple MessageBox one located here: https://github. MessageBox.

This technique differs from the other public techniques by having a few benefits that can be handy:

- This technique does not require any process injection, meaning the attack won't get flagged by security solutions that monitor for this type of behavior.
- There is no privileged file copy required. Most UAC bypasses require some sort of privileged file copy in order to get a malicious DLL into a secure location to set up a DLL hijack. Since the scheduled task copies the required files to TEMP, no privileged file copy is required.
- This technique cleans up after itself. After the scheduled task is done and loads our malicious DLL, the task deletes the GUID folder and files that it created in TEMP.
- This technique works with the UAC level set at its highest setting (Always Notify), since the task is set to run with Highest Privileges. The majority of the public UAC bypasses rely on the IFileOperation COM object to perform a privileged file copy. IFileOperation honors the Always Notify UAC setting and prompts when it is set, causing the privileged file copy to fail.

This was disclosed to the Microsoft Security Response Center (MSRC) on 0. As expected, they responded by noting that UAC isn't a security boundary, so this doesn't classify as a security vulnerability, as stated here. While not a vulnerability, it does allow an attacker an alternate method to move to high integrity that differs from previous bypasses, and it introduces one more location or chokepoint that must be monitored to observe attacker behavior. This particular technique can be remediated by disabling the task or by removing the requirement for running with highest privileges.
Further, if you would like to monitor for this attack, you could use methods or signatures that look for new WMI events, since monitoring for new folder creation is required for this attack to succeed. Combining this with application/DLL whitelisting and monitoring for abnormal modules being loaded (e.g., Sysmon event ID 7) would also limit the success of such an attack.

Update: As always, users should follow best practices and not use an administrative account for daily computer usage.
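To illustrate the Sysmon event ID 7 monitoring mentioned above, here is added detection logic (not from the original post or its PoC) run over constructed Sysmon ImageLoad records: it flags dismhost.exe loading a module from the Temp\<GUID> staging folder whose signature is not a valid Microsoft one, which is what a dropped LogProvider.dll looks like in telemetry. Field names follow Sysmon's event schema; the user name, GUID and sample records are constructed.

```python
import re

# Regex for the GUID-named staging folder cleanmgr.exe creates under the user's
# Temp directory, e.g. C:\Users\<user>\AppData\Local\Temp\{GUID}\ (braces optional)
TEMP_GUID_DIR = re.compile(
    r"\\AppData\\Local\\Temp\\\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?\\",
    re.IGNORECASE,
)


def is_suspicious_dismhost_load(event: dict) -> bool:
    """Flag a Sysmon event ID 7 (ImageLoad) record when dismhost.exe loads a
    module from the Temp\\<GUID> folder that is not validly Microsoft-signed.
    The DISM modules cleanmgr.exe copies there are Microsoft-signed; a dropped
    LogProvider.dll is not."""
    if event.get("EventID") != 7:
        return False
    if not event.get("Image", "").lower().endswith("\\dismhost.exe"):
        return False
    if not TEMP_GUID_DIR.search(event.get("ImageLoaded", "")):
        return False
    signed_ok = (
        event.get("Signed", "").lower() == "true"
        and event.get("SignatureStatus") == "Valid"
        and "microsoft" in event.get("Signature", "").lower()
    )
    return not signed_ok


def triage(events):
    """Return the ImageLoaded paths of every suspicious record, in order."""
    return [e["ImageLoaded"] for e in events if is_suspicious_dismhost_load(e)]


# Constructed sample records (not real telemetry); user name and GUID are made up.
STAGE = r"C:\Users\alice\AppData\Local\Temp\{6a0f1c2e-3b4d-4e5f-8a9b-0c1d2e3f4a5b}"
SAMPLE_EVENTS = [
    # legitimate DISM module loaded from the staging folder: benign
    {"EventID": 7, "Image": STAGE + r"\dismhost.exe", "ImageLoaded": STAGE + r"\DismCore.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # hijacked LogProvider.dll: same folder, but unsigned
    {"EventID": 7, "Image": STAGE + r"\dismhost.exe", "ImageLoaded": STAGE + r"\LogProvider.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    # a system DLL loaded from System32 is out of scope for this rule
    {"EventID": 7, "Image": STAGE + r"\dismhost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # a different loading process does not match this rule
    {"EventID": 7, "Image": r"C:\Windows\System32\cleanmgr.exe", "ImageLoaded": STAGE + r"\LogProvider.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("suspicious dismhost.exe image load:", path)
```

Pair this rule with alerting on new WMI event filter/consumer registrations, since the technique depends on a folder-creation trigger.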