Researchers Find Way To Bypass Windows UAC Without Dll File


Researchers Matt Nelson and Matt Graeber have discovered a way to run code on a Windows machine without triggering a UAC permission prompt. The method does not rely on DLL files, which earlier techniques of this kind normally required.

Nelson describes the technique on his blog and states that it works on Windows 7 and Windows 10. He suspects that the method also works on other versions of the operating system that use UAC. The researcher explained to Threatpost that the technique allows a malicious person to execute arbitrary code on a Windows computer. However, to do this, the attacker must already have access to the PC and have administrator rights. This is a ‘post-exploitation’ technique, which can be used once access has already been obtained in another way.

The method uses eventvwr.exe, known in Windows as Event Viewer. The researchers determined that this process reads certain registry values while running as a high-integrity process, that is, a process that enjoys more ‘trust’ from the system when it comes to permissions. There is a relationship between the registry values of HKEY_CLASSES_ROOT, or HKCR, and HKEY_CURRENT_USER, or HKCU: the user-writable HKCU entries take precedence in the merged HKCR view. The researchers explain that it is therefore possible to influence a process that reads these values by adjusting their content.

Event Viewer does just that and uses both values to call mmc.exe, which is the Microsoft Management Console. This process in turn opens the console file eventvwr.msc and displays the Event Viewer. The link between HKCR and HKCU allowed the researchers to create a registry structure that caused eventvwr.exe to call a different location. This allowed them to replace mmc.exe with PowerShell and run arbitrary code that way.

According to Threatpost, Microsoft has not yet announced whether the problem will be fixed. In the past, the company has not given high priority to ways of getting around UAC. It is possible to avoid this method by setting UAC to “Always notify,” the researchers said.
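A read-only check a defender can run to look for the two conditions the article describes: a per-user handler for .msc files under HKCU that would shadow the machine-wide one eventvwr.exe and mmc.exe normally use, and whether UAC is set to “Always notify.” This is an added example, not code from the article or from the researchers. The `mscfile` key name and the UAC policy value names are the standard Windows locations for these settings and are assumed here rather than quoted from the article.

```powershell
# Added example (not from the article or the researchers). Reads the registry
# only; changes nothing. Checks the hive of the user running the script.

function Get-DefaultValue {
    param([string]$KeyPath)
    if (Test-Path -LiteralPath $KeyPath) {
        # The '(default)' property holds the command line the handler will run.
        (Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue).'(default)'
    }
}

function Test-EventvwrUacExposure {
    # Assumed standard paths: the machine-wide .msc handler, the per-user copy
    # that shadows it in the merged HKCR view, and the UAC policy key.
    $userKey    = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    $machineKey = 'HKLM:\Software\Classes\mscfile\shell\open\command'
    $uacKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $userHandler    = Get-DefaultValue $userKey
    $machineHandler = Get-DefaultValue $machineKey

    # A normal user profile carries no mscfile handler at all, so any value here
    # deserves a look; one that does not point at mmc.exe is the exact shape the
    # article describes.
    $overridePresent      = -not [string]::IsNullOrEmpty($userHandler)
    $overrideLooksHostile = $overridePresent -and ($userHandler -notmatch 'mmc\.exe')

    # "Always notify" is ConsentPromptBehaviorAdmin = 2 with the secure desktop on;
    # the Windows default (5) is the setting the researchers' method relies on.
    $uac = Get-ItemProperty -LiteralPath $uacKey
    $alwaysNotify = ($uac.EnableLUA -eq 1) -and
                    ($uac.ConsentPromptBehaviorAdmin -eq 2) -and
                    ($uac.PromptOnSecureDesktop -eq 1)

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        User                 = "$env:USERDOMAIN\$env:USERNAME"
        MachineMscHandler    = $machineHandler
        UserMscHandler       = $userHandler
        UserOverridePresent  = $overridePresent
        OverrideLooksHostile = $overrideLooksHostile
        UacAlwaysNotify      = $alwaysNotify
        MitigatedByUacLevel  = $alwaysNotify
    }
}

Test-EventvwrUacExposure | Format-List
```

Because the override lives in the user's own hive, the script only sees the profile it runs under; for a fleet sweep, run it in each user's context or walk the loaded hives under `HKU:` instead of `HKCU:`. A `UserOverridePresent` of `True` on a workstation is a finding on its own, regardless of what the handler points at, since nothing legitimate on a standard build creates that key.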
