Privilege Escalation · Term

What is a UAC bypass?

User Account Control asks for confirmation before an action runs with admin rights. A UAC bypass elevates from a medium-integrity admin to full admin without that prompt. Here is what it is and how it is abused.

TL;DR

A UAC bypass is a Windows technique that elevates a process from medium to high integrity without showing the User Account Control prompt. UAC normally makes even members of the Administrators group run with a filtered, medium-integrity token and consent before anything runs with the full token. Bypasses abuse auto-elevating system binaries (such as fodhelper.exe or eventvwr.exe) that Windows elevates without prompting, and hijack what those binaries launch through per-user registry keys. It is technically a same-user integrity jump rather than a cross-user escalation (MITRE ATT&CK tracks it as T1548.002), but it is a common step after gaining a foothold as a local admin.

By John Dill, Red Team Lead, SecureLayer7

What a UAC bypass is

User Account Control (UAC) gives an administrator a split token: processes start with the filtered medium-integrity half, and a consent prompt stands between the user and anything that runs at high integrity (full admin). By Microsoft's own description UAC is a convenience barrier, not a security boundary, which is why individual bypasses are not always treated as vulnerabilities.

A UAC bypass elevates to high integrity without triggering that prompt. It abuses a small set of Microsoft-signed binaries in System32 whose manifests mark them as auto-elevating, so Windows elevates them silently at every UAC level except "Always notify". By hijacking what one of those binaries executes, an attacker's payload inherits its high-integrity context. Two preconditions apply: the current user must already be in the Administrators group (a standard user has no full token to unlock), and UAC must be set below "Always notify".

The abuse and payload

The classic bypass hijacks an auto-elevating binary through the registry. It works because the shell merges HKCU\Software\Classes over HKLM\Software\Classes when it resolves a handler, so a per-user key that a medium-integrity process can write wins over the system-wide one:

  • The fodhelper technique: fodhelper.exe opens the ms-settings: handler, so create the handler key it reads and point the default value at a command:
  • reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "cmd.exe" /f
  • reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /f
  • Run fodhelper.exe; it auto-elevates, resolves the hijacked handler, and launches cmd.exe at high integrity. The DelegateExecute value must exist for the command to be used; an empty string is enough.
  • Similar techniques use eventvwr.exe (which reads the mscfile handler, HKCU\Software\Classes\mscfile\shell\open\command), computerdefaults.exe (also ms-settings), and others.
  • The keys persist after use, so a tester should delete them (reg delete HKCU\Software\Classes\ms-settings /f) and an investigator should expect to find them left behind.

Documented techniques shown for defenders.

How to defend

  • Set UAC to "Always notify" (ConsentPromptBehaviorAdmin = 2 and PromptOnSecureDesktop = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). At that level auto-elevation is disabled, so these binaries prompt like everything else and the registry hijacks above no longer yield a silent high-integrity process.
  • Have users work from standard accounts and keep admin rights on a separate account used only for elevation, so the logged-on token has nothing to elevate.
  • Patch promptly. Microsoft does not treat UAC as a security boundary, but it has still closed individual auto-elevation paths in updates over time.
  • Apply application control (AppLocker or WDAC) so that a payload launched through a hijacked handler is blocked even if the elevation itself succeeds.
  • Monitor for creation of the handler keys under HKCU\Software\Classes (for example ms-settings\Shell\Open\command and mscfile\shell\open\command; Sysmon event IDs 12 and 13) and for auto-elevating binaries such as fodhelper.exe or eventvwr.exe spawning high-integrity child processes (Sysmon event ID 1 with IntegrityLevel High). Correlating the two within a short window is a high-confidence signal.
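The detection described in the last bullet, applied to the exact sequence of events the fodhelper procedure above produces, as an added example that is not part of the original page. It assumes Sysmon-style events already flattened into dicts with Sysmon's field names (EventID, UtcTime, User, Image, ParentImage, IntegrityLevel, CommandLine, TargetObject, Details); the sample events, the user names and the SID in them are constructed for illustration.

```python
"""Flag registry-hijack UAC bypasses (fodhelper / computerdefaults / eventvwr)
in a chronological list of Sysmon-like events. Added example; event fields
follow Sysmon's naming, the sample data below is constructed."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Auto-elevating binaries that are hijacked via an HKCU handler key, mapped to
# the handler they resolve. eventvwr.exe legitimately launches mmc.exe, so that
# child is allowlisted to cut noise.
AUTO_ELEVATE_PARENTS = {
    "fodhelper.exe": "ms-settings",
    "computerdefaults.exe": "ms-settings",
    "eventvwr.exe": "mscfile",
}
EXPECTED_CHILDREN = {"eventvwr.exe": {"mmc.exe"}}

# Matches both HKCU\... (as typed at a prompt) and HKU\<SID>\... (as Sysmon logs it).
HIJACK_KEY_RE = re.compile(
    r"\\software\\classes\\(?P<handler>ms-settings|mscfile)\\shell\\open\\command",
    re.IGNORECASE,
)
REG_ADD_RE = re.compile(r"\breg(\.exe)?\s+add\b", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(minutes=5)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _ts(event):
    return datetime.fromisoformat(event["UtcTime"])


def detect_uac_bypass(events):
    """Return a list of findings (dicts with rule, severity, event index, detail)."""
    findings = []
    # Last hijack-key write per (user, handler), so a later high-integrity child
    # of the matching auto-elevating binary can be correlated with it.
    recent_writes = {}

    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        user = ev.get("User", "")

        if eid in (12, 13):
            # Rule 1: a key or value written under an abused handler key.
            m = HIJACK_KEY_RE.search(ev.get("TargetObject", ""))
            if m:
                handler = m.group("handler").lower()
                recent_writes[(user, handler)] = (i, _ts(ev))
                findings.append({"rule": "hijack_key_write", "severity": "medium", "event": i,
                                 "detail": f"{_basename(ev.get('Image', ''))} wrote {ev['TargetObject']}"})

        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            parent = _basename(ev.get("ParentImage", ""))
            child = _basename(ev.get("Image", ""))

            # Rule 2: the setup command itself, e.g. 'reg add HKCU\...\ms-settings\Shell\Open\command'.
            if REG_ADD_RE.search(cmd) and HIJACK_KEY_RE.search(cmd):
                findings.append({"rule": "hijack_key_reg_add", "severity": "medium", "event": i,
                                 "detail": cmd})

            # Rule 3: an auto-elevating binary spawned an unexpected High-integrity child;
            # severity rises to high when a hijack-key write for the same user and handler
            # happened shortly before.
            if (parent in AUTO_ELEVATE_PARENTS and ev.get("IntegrityLevel") == "High"
                    and child not in EXPECTED_CHILDREN.get(parent, set())):
                write = recent_writes.get((user, AUTO_ELEVATE_PARENTS[parent]))
                correlated = write is not None and _ts(ev) - write[1] <= CORRELATION_WINDOW
                detail = f"{parent} -> {child} at High integrity"
                if correlated:
                    detail += f" after hijack-key write in event {write[0]}"
                findings.append({"rule": "auto_elevate_child",
                                 "severity": "high" if correlated else "medium",
                                 "event": i, "detail": detail})
    return findings


# Constructed sample: the fodhelper procedure as Sysmon would record it, followed
# by a benign Event Viewer launch that must not fire.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01T10:00:00", "User": "LAB\\alice", "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "cmd.exe" /f'},
    {"EventID": 13, "UtcTime": "2024-05-01T10:00:01", "User": "LAB\\alice",
     "Image": r"C:\Windows\System32\reg.exe", "Details": "cmd.exe",
     "TargetObject": SID + r"\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"EventID": 13, "UtcTime": "2024-05-01T10:00:02", "User": "LAB\\alice",
     "Image": r"C:\Windows\System32\reg.exe", "Details": "",
     "TargetObject": SID + r"\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"EventID": 1, "UtcTime": "2024-05-01T10:00:05", "User": "LAB\\alice", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01T11:00:00", "User": "LAB\\bob", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"'},
]

if __name__ == "__main__":
    for f in detect_uac_bypass(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], "event", f["event"], "-", f["detail"])
```

Run against the sample, the reg add, both value writes and the fodhelper child are flagged, and the child is rated high because it follows a hijack-key write by the same user within five minutes; the normal eventvwr.exe launch produces nothing. In production the same three rules map directly onto Sysmon or EDR queries; the correlation step is what separates a real bypass from an analyst poking at the registry.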

References

  1. Microsoft: How User Account Control works
  2. MITRE ATT&CK: Privilege Escalation (TA0004)
  3. NIST SP 800-115: Technical Guide to Information Security Testing and Assessment

Want your systems tested for these paths?


Find the privilege-escalation paths before an attacker does.

We run internal and host penetration tests that walk the real route from a low-privileged foothold to root or SYSTEM, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

30-min scoping call, fixed-price proposal in 48 hours.