We saw that the UAC bypass method using Eventvwr.exe is fixed in Windows 10 Creators Update build 15007. But the other identical UAC bypass method using CompMgmtLauncher.exe hasn’t been fixed yet.
CompMgmtLauncher.exe launches compmgmt.msc using ShellExecute, exactly the same way how Eventvwr.exe launches Eventvwr.msc. By creating the same registry key (below) you can run any program as administrator, bypassing the UAC prompt.
HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
I set the (default) value data to cmd.exe
This time, the target program is launched interactively — this wasn’t the case with eventvwr.exe. In both cases, the target program is started elevated.
Here is a demo PowerShell script to show how this method can be misused.
Hope Microsoft addresses this issue in the upcoming Creators Update.
One small request: If you liked this post, please share this?
One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
