UAC plays defense against Malware

Discussion in 'other security issues & news' started by elapsed, Aug 3, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Great.

    Could somebody test this in Windows 8?
     
  2. wat0114

    wat0114 Guest

    Thank you so much, MrBrian! I'll have to try later (I've no doubt it will work) because my son has commandeered my computer to play CoD :D
     
  3. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Still doesn't work. Basically pristine virtual machine (VirtualBox, Windows 7 x86, only Guest Additions and an archiver installed). Created a new folder "test" on drive C: and put bypassuac.exe there. Then in a new Command Prompt navigated to that folder and executed that command. Still says it is not compatible with this version of Windows.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe that executable works only on x64. I don't have a Windows 7 x86 virtual machine to test it on.
     
  5. wat0114

    wat0114 Guest

    Tested successfully on Win7x64 vm. The one question I have is how would this work in the real world in disabling UAC? I had to answer the prompt: Yes/No to finalize the UAC disablement.
     

  6. wat0114

    wat0114 Guest

    The first and so far only successful test was launched in the administrator account.

    From my Standard account using SuRun (first 3 screenshots) to elevate cmd.exe, the test failed. Notice that the attempted command initiated a UAC alert, even though I already elevated cmd.exe with SuRun. Also notice the authentic-looking Microsoft certificate details.

    From my Standard account using UAC to elevate (last screenshot) cmd.exe, the test failed. In this last one it doesn't like the command input, although it's the one I used successfully in the admin account.

    In both cases UAC remained at second from top slider level.
     

  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If malware were doing this, it could use a registry API instead.

    Thanks for the other tests :). UAC auto-elevation can happen only in an admin account, not a standard account, so I'm not surprised at your results.
     
  8. wat0114

    wat0114 Guest

    Okay, thanks. I did enter the credentials in the UAC prompt, but of course the UAC disablement was unsuccessful.

    BTW, does this maybe prove, at least somewhat, the additional security running from a Standard account can provide? I can and have installed many legit programs from a Standard account mostly elevating with UAC, but this POC would not work when elevating it from the Standard account.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Microsoft just needs to make it more user-friendly with easy whitelists or auto-elevate for more people to keep it.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    It shows that if you're using an admin account with UAC at less than the highest setting, and you encounter malware that successfully uses this technique, then malware can do anything on your computer without triggering a UAC prompt.

    There are other UAC-evading techniques that can be used in an admin account even with UAC at max setting, as detailed in this thread.
     
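    As an added illustration from the defensive side (this script is an editor's addition, not something posted in the thread): a PowerShell check for the exact condition described in the post above, an Administrators-group account with UAC below the top slider level. It reads the documented UAC policy values under HKLM and the current token's group list; the slider-to-value mapping is assumed from the UAC control panel's documented settings, and defaults are assumed for any value missing from the registry.

```powershell
# Added audit script (not from the thread). Reports whether this session is in the
# risky state discussed above: Administrators-group account + UAC below "Always notify".
function Test-UacAutoElevateExposure {
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $policyPath -ErrorAction Stop

    # Assumed Windows defaults if a value is absent from the registry.
    $enableLua   = if ($null -ne $uac.EnableLUA) { [int]$uac.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $uac.ConsentPromptBehaviorAdmin) { [int]$uac.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $uac.PromptOnSecureDesktop) { [int]$uac.PromptOnSecureDesktop } else { 1 }

    # Map the policy values to the slider position shown in the UAC control panel.
    $slider = if ($enableLua -eq 0 -or $adminPrompt -eq 0) {
        'Never notify (UAC effectively off)'
    } elseif ($adminPrompt -eq 2 -and $secureDesk -eq 1) {
        'Always notify (top): no auto-elevation'
    } elseif ($adminPrompt -eq 5 -and $secureDesk -eq 1) {
        'Default (second from top): signed Windows binaries auto-elevate'
    } elseif ($adminPrompt -eq 5) {
        'Default without secure desktop (third from top)'
    } else {
        "Custom (ConsentPromptBehaviorAdmin=$adminPrompt, PromptOnSecureDesktop=$secureDesk)"
    }

    # BUILTIN\Administrators (S-1-5-32-544) is listed in the token's groups even when
    # the session is not elevated (split token); IsInRole is true only once elevated.
    $identity    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal   = [Security.Principal.WindowsPrincipal]$identity
    $isAdminAcct = ($identity.Groups | ForEach-Object { $_.Value }) -contains 'S-1-5-32-544'
    $isElevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Auto-elevation is only a silent path when the account is an admin account and the
    # slider sits below the top, the combination described in the thread.
    $exposed = $isAdminAcct -and -not ($adminPrompt -eq 2 -and $enableLua -eq 1)
    $advice  = if ($exposed) {
        'Use a standard account for daily work, or set UAC to "Always notify" (ConsentPromptBehaviorAdmin=2).'
    } else {
        'Configuration matches the mitigations discussed in the thread.'
    }

    [pscustomobject]@{
        Account              = $identity.Name
        AdministratorsMember = $isAdminAcct
        SessionElevated      = $isElevated
        UacSlider            = $slider
        ExposedToAutoElevate = $exposed
        Recommendation       = $advice
    }
}

Test-UacAutoElevateExposure | Format-List
```

    Run it from the account you actually use day to day, not from an already elevated console, since the group and elevation fields describe the token the script runs under.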
  11. wat0114

    wat0114 Guest

    Very good. Thanks again :)

    Yes, I remember that one presented by Didier Stevens.
     