CompMgmtLauncher.exe UAC Bypass Not Fixed in Windows 10 Build 15007

We saw that the UAC bypass method using Eventvwr.exe is fixed in Windows 10 Creators Update build 15007. But the other identical UAC bypass method using CompMgmtLauncher.exe hasn’t been fixed yet.

CompMgmtLauncher.exe launches compmgmt.msc using ShellExecute, exactly the same way how Eventvwr.exe launches Eventvwr.msc. By creating the same registry key (below) you can run any program as administrator, bypassing the UAC prompt.

HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command

I set the (default) value data to cmd.exe

This time, the target program is launched interactively — this wasn’t the case with eventvwr.exe. In both cases, the target program is started elevated.

compmgmtlauncher uac bypass



Here is a demo PowerShell script to show how this method can be misused.

Hope Microsoft addresses this issue in the upcoming Creators Update.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

Leave a Reply