← Back to search

UAC Bypass via Auto-Elevate Binaries

privescwindowstool

Summary

When you are in the Administrators group but running at medium integrity, check whether trusted binaries like fodhelper.exe or eventvwr.exe are flagged autoElevate, which makes them candidates for a UAC bypass.

Walkthrough

Use this when your account is part of the Administrators group but the process runs at medium integrity (UAC). Auto-elevating binaries can be abused to launch a high-integrity process.

Steps

  • Confirm the binary is marked autoElevate by searching its contents (e.g. fodhelper.exe or eventvwr.exe).
  • A positive match indicates the executable auto-elevates and is a candidate for a registry-hijack UAC bypass.

Commands

powershell

powershell -C Get-Content -Path C:\Windows\System32\fodhelper.exe | findstr /I "autoElevate"

powershell

powershell -C Get-Content -Path C:\Windows\System32\eventvwr.exe | findstr /I "autoElevate"