UAC Bypass via Auto-Elevate Binaries
privescwindowstool
Summary
When you are in the Administrators group but running at medium integrity, check whether trusted binaries like fodhelper.exe or eventvwr.exe are flagged autoElevate, which makes them candidates for a UAC bypass.
Walkthrough
Use this when your account is part of the Administrators group but the process runs at medium integrity (UAC). Auto-elevating binaries can be abused to launch a high-integrity process.
Steps
- Confirm the binary is marked
autoElevateby searching its contents (e.g.fodhelper.exeoreventvwr.exe). - A positive match indicates the executable auto-elevates and is a candidate for a registry-hijack UAC bypass.
Commands
powershell
powershell -C Get-Content -Path C:\Windows\System32\fodhelper.exe | findstr /I "autoElevate"
powershell
powershell -C Get-Content -Path C:\Windows\System32\eventvwr.exe | findstr /I "autoElevate"