Windows 10 UAC Bypass Uses "Apps & Features" Utility

Discussion in 'other security issues & news' started by itman, May 23, 2017.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,893
    You need admin rights for it? I don't. And why do you start it 10 times a day btw?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    Exploits are the main reason why people are advised to either run as non-admin or to use UAC as protected admin. Without exploits it would hardly benefit users. And it's not only about the amount of clicks, it's about if alerts are worth it or not.

    It always triggers an alert on my system and so do other tools, mostly system utilities. I use PE to check if everything is OK, and even if I would run it 4 times a day, it's still over a thousand clicks. And all for what? Because of fear for the "super exploit" that will probably bypass UAC anyway?
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,893
    I hardly get any alerts or elevation prompts in my SUA. I must be doing something wrong.
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,893
    Something is wrong on your system. I can start PE in my SUA account without any problems. And I just switched to my admin account and started it therein, too, without UAC prompt. And I've set UAC to max.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    Weird, so you're not running any tools that require admin rights and almost never install apps? Then it's probably indeed not a problem, but I still don't see the need for it when it's easy to stay safe as admin.

    Weird, perhaps they have updated PE, will check it out. BTW, I'm using Win 8.1, so perhaps it acts differently on this version.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Were you running under a standard user account? If so, the UAC alert was triggered when the ransomware portion attempted to modify any local admin files.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,382
    Location:
    Slovenia
    Yes I also. I only get them under Admin account when updating software. That's about 10 prompts a week.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    The default mode for Process Explorer is medium integrity i.e. SUA privileges.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    I already figured it out: when running PE in medium mode, it can't display the integrity and user name of all processes. So no choice but to run it as admin.
     
  10. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,293
    I hardly get any UAC alert in my normal scenario usage, Process Explorer didn't trigger it at all.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Also to get back on track, the issue is that a select number of Win utility processes allow for hidden elevation of privileges. Current malware is exploiting these processes. With UAC set to its default level, these utilities when run as hidden will not generate a UAC prompt. Hence the strong recommendation to set UAC to the max. level.
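A check for the point itman makes above. This is an added PowerShell example, not code from the thread: it reads the documented UAC policy values and reports whether the machine sits at the default level (where signed Windows binaries marked auto-elevate run without a prompt) or at "Always notify", and whether the current session holds an unfiltered admin token, which is the case the Process Explorer discussion turns on.

```powershell
# Added example: audit the UAC slider from its registry values.
# Documented values under Policies\System:
#   EnableLUA                  1 = UAC on, 0 = off
#   ConsentPromptBehaviorAdmin 0 = elevate silently, 2 = prompt for consent on secure desktop,
#                              5 = prompt only for non-Windows binaries (default slider)
#   PromptOnSecureDesktop      1 = dim the desktop for prompts
#   ConsentPromptBehaviorUser  1 = credentials on secure desktop, 3 = credentials (default), 0 = deny
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $path

function Get-UacLevel {
    param([int]$EnableLUA, [int]$AdminBehavior, [int]$SecureDesktop)
    if ($EnableLUA -ne 1) {
        return 'UAC disabled: members of Administrators always run with the full token, no prompts'
    }
    switch ($AdminBehavior) {
        0 { 'Never notify: elevation is silent for admin accounts' }
        2 {
            if ($SecureDesktop -eq 1) { 'Always notify (max): auto-elevate is ignored, every elevation prompts on the secure desktop' }
            else { 'Always notify, but prompts appear on the normal desktop' }
        }
        5 { 'Default: Windows binaries flagged autoElevate elevate silently; only third-party binaries prompt' }
        default { "Non-slider value ConsentPromptBehaviorAdmin=$AdminBehavior (set by policy); review it manually" }
    }
}

# Is this PowerShell session running with an unfiltered admin token?
# Under UAC the filtered token carries Administrators as deny-only, so IsInRole returns $false.
function Test-ElevatedToken {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$level = Get-UacLevel -EnableLUA $p.EnableLUA -AdminBehavior $p.ConsentPromptBehaviorAdmin `
                      -SecureDesktop $p.PromptOnSecureDesktop
"UAC level            : $level"
"Standard-user prompt : ConsentPromptBehaviorUser=$($p.ConsentPromptBehaviorUser) (0 means requests are denied outright)"
"This session elevated: $(Test-ElevatedToken)"
```

Run it from both a standard user session and an admin session: only the second line changes in the SUA case, which is the point the thread makes about where the boundary actually lies.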
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,893
    Quite frankly, I still don't get it. You said:
    ... but on the other hand:
    Why would one start PE 10 times a day (or only 4 times) unless there is a specific problem? It seems that you are not so confident that you stay safe as admin. Neither would I. ;)
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,893
    Right. And in order to stop execution of this malware it's prudent to add SRP (or AppLocker - but I'm not familiar with the latter). I've been using it for years without problems.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Obviously you don't run any software that needs admin rights. And don't trot out the old "well, change software". That just doesn't work.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    That's just me being paranoid, but that doesn't mean it's not easy staying safe. And even when running in SUA I would still use my system monitoring tools. Also, 10 times a day is of course a bit of a joke, but in general I like to keep an eye on the system. The funny thing is that even Task Manager makes UAC pop up.

    But you never answered my question, are you really that afraid of the "super exploit" that's able to bypass all security tools except SUA? Because that's the main reason why people use SUA and UAC. I sometimes have the feeling that people don't even realize this.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,084
    Location:
    USA
    I'm interested to hear more about why you feel SUA improves security over admin account plus UAC (set to MAX). Is admin + UAC/Max exploitable by malware in a way that SUA is not, or is the problem that users give permission to prompts without sufficient scrutiny? From my experience the main problem with UAC is average users don't understand it and click the prompts indiscriminately, which makes it worthless.
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    @Rasheed

    The main reason why people use SUA and UAC is to maintain least privilege...not because they are afraid of "super exploit". Exploit mitigation lies in the kernel improvements made by Microsoft and through the usual updating and patching OS, browsers, etc.

    You really need to re-learn OS basics and best security practices before preaching to the choir. There's no need to brag about how "safe" you can be running as admin when most of us are able to do so too. There's nothing special about running as admin and running 3rd-party tools, HIPS, whatever floats your boat. We've all done that before. Heck, we can even run those on an SUA account. If we can manage to stay "safe" without 3rd-party tools, I think that speaks volumes for itself.
     
  18. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    I'm not Minimalist but I hope you don't mind me chiming in.

    You may want to read this:
    https://www.wilderssecurity.com/threads/reading-your-way-around-uac-3-part-blog.394300/

    Hopefully, it will clear up some misconceptions of what UAC is or isn't; and why SUA unlike UAC is considered a security boundary.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    Guys like you are exactly the reason why I believe people are missing the point. What if exploits and malware didn't exist? Would we then need SUA and UAC on a one user machine? No we wouldn't, so yes it IS about the super exploit that people are so afraid of. Even when they are already using a multi-layered setup they still think they are at risk.

    There's nothing new or special about SUA, no need to feel superior and all smart just because you did choose to use it with or without any third party tools. Most people/noobs don't care for it. I just think it's amusing that people on this forum think it's an absolute must. But perhaps I shouldn't be surprised, it's just another layer to them, and we all love layers.
     
  21. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    @Rasheed

    Guys like you are the ones who are lacking the humility to understand that OS developers and security researchers would not be designing the OS and talking about limiting privileges if they really believed one can run as admin and rely on AE and HIPS to solve all "super exploit" issues....

    I mean seriously...the sheer arrogance of it all befuddles me...

    To make things worse is you are the one running multiple "security" apps and yet have the audacity to imply that people running with UAC or SUA are somehow "afraid" of "super exploit"...

    The irony!
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    Now you're just being silly. We all know why SUA and UAC exist, that's not the discussion. But you seem to lack the ability to understand this. Of course it's needed to restrict other users, and it can also be used to protect against exploits and malware as a bonus. The question is if an already heavily protected user needs it; I guess it depends on the user. But in general, most browser exploits will be easily tackled with AE and sandbox. Unless you are targeted by elite hackers, but I doubt SUA/UAC will save the day LOL.

    That's why I keep repeating myself, I have always said that with current security tools, there is no need to use SUA. No need to combine security tools + SUA, so if you do, then yes you're pretty paranoid, even more than myself.
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,382
    Location:
    Slovenia
    Well that's how MS explains it and since they are developers, they probably know best? If there is UAC bypass they don't "have to" fix it, since UAC was probably never meant to be "catch them all" solution.
    Personally I don't know of any ITW malware that would bypass admin+UAC on max, but not SUA, but some malware might bypass UAC on default level (which is used by most users).
    As said before, UAC is a tool that can help the careful and knowledgeable. Nothing can help people that click Yes to all prompts they get.
     
  24. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    @Rasheed

    You are right. I'm being silly by feeding a troll. Nobody was talking about "super exploit" or other 3rd-party security tools until you came here and sidetracked the discussion as usual with the same rhetoric of how people can stay safe as admin and that UAC is not needed.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    I didn't sidetrack anything, I'm just saying that UAC with the default setting is irrelevant when it comes to providing security. That's what this thread is about. And when people start to talk about SUA, I ask them if they fear super exploits that can blast through AE/Sandbox/HIPS and what not. And when you can't answer the question you become frustrated and start accusing people of being trolls, same old same old. :D
     