
CompMgmtLauncher.exe UAC Bypass Not Fixed in Windows 10 Build 15007


Petrovic


Quote

We saw that the UAC bypass method using Eventvwr.exe is fixed in Windows 10 Creators Update build 15007. But the other identical UAC bypass method using CompMgmtLauncher.exe hasn’t been fixed yet.

CompMgmtLauncher.exe launches compmgmt.msc using ShellExecute, exactly the same way Eventvwr.exe launches Eventvwr.msc. By creating the same registry key (below) you can run any program as administrator, bypassing the UAC prompt.


HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command

I set the (default) value data to cmd.exe

This time, the target program is launched interactively — this wasn’t the case with eventvwr.exe. In both cases, the target program is started elevated.


 

[Image: compmgmtlauncher uac bypass]

Here is a demo PowerShell script to show how this method can be misused.

Hope Microsoft addresses this issue in the upcoming Creators Update.

Article source

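A defender-side view of the behaviour described in the post above, as an added example that is not part of the original thread or the linked article: it flags writes to the per-user `mscfile\shell\open\command` key and launcher processes whose child is not `mmc.exe`. The record shape is modelled on Sysmon registry value-set (Event ID 13) and process-create (Event ID 1) events; the sample records and function names are constructed for illustration.

```python
import re

# Per-user Classes hive as registry telemetry spells it: HKCU\Software\Classes,
# HKU\<SID>\Software\Classes, or the merged hive HKU\<SID>_Classes.
PER_USER_CLASSES = re.compile(
    r"^(?:(?:HKCU|HKEY_CURRENT_USER)\\Software\\Classes"
    r"|(?:HKU|HKEY_USERS)\\S-1-5-21-[\d-]+(?:\\Software\\Classes|_Classes))"
    r"\\(?P<rest>.+)$", re.IGNORECASE)
HANDLER_KEY = r"mscfile\shell\open\command"           # key named in the post
LAUNCHERS = {"compmgmtlauncher.exe", "eventvwr.exe"}  # binaries named in the post
EXPECTED_CHILD = "mmc.exe"                            # stock handler for .msc files

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def registry_alerts(events):
    """Value-set events (EventID 13) that write the per-user mscfile handler."""
    hits = []
    for ev in events:
        m = PER_USER_CLASSES.match(ev.get("TargetObject", ""))
        if ev.get("EventID") != 13 or not m:
            continue  # HKLM, other hives and other event types are out of scope
        key = re.sub(r"\\\(default\)$", "", m.group("rest"), flags=re.IGNORECASE)
        if key.lower() == HANDLER_KEY:
            hits.append((basename(ev["Image"]), ev["Details"]))
    return hits

def process_alerts(events):
    """Process-create events (EventID 1) where a launcher started a non-mmc child."""
    return [(basename(ev["ParentImage"]), basename(ev["Image"])) for ev in events
            if ev.get("EventID") == 1
            and basename(ev.get("ParentImage", "")) in LAUNCHERS
            and basename(ev["Image"]) != EXPECTED_CHILD]

# Constructed sample records (not from the page); field names follow Sysmon.
SAMPLE = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\mscfile\shell\open\command\(Default)",
     "Details": "cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\mscfile\shell\open\command\(Default)",
     "Details": r'%SystemRoot%\system32\mmc.exe "%1" %*'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\CompMgmtLauncher.exe",
     "Image": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\CompMgmtLauncher.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    print(registry_alerts(SAMPLE))
    print(process_alerts(SAMPLE))
```

The HKLM write in the sample is deliberately ignored: only the per-user override can be created without elevation, which is what makes the key worth alerting on.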


35 minutes ago, Petrovic said:

 

Just for learning purposes... could you give me an example of how I launch, for example, CCleaner with this script without Administrator rights?



@ZeroPlus There's a checkbox for that in CCleaner...



Archived

This topic is now archived and is closed to further replies.
