Windows UAC - A Bit More Detail

Discussion in 'other software & services' started by itman, Feb 21, 2019.

  1. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,768
    Location:
    Europe then Asia
    @wat0114 this is not the issue with @Rasheed187, he dislike UAC because:

    1- it prompted his favorite tool (Process Explorer), not because UAC is inefficient.
    2- he uses an HIPS, so he find UAC useless compared to it.

    UAC is useless to him, problem is he strongly believes it is also useless to others..
     
    Last edited: Feb 24, 2019
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,765
    Location:
    The Netherlands
    I will try to explain my point of view one more time. You guys have UAC enabled for malware protection purposes right? So this will result in perhaps hundreds of expected UAC alerts per year. The question is: Is it really worth it, when system is already protected with AV and anti-exploitation tools? And like Umbra said, a lot of malware (ransomware, keyloggers, banking trojans) don't even need admin rights.
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,768
    Location:
    Europe then Asia
    less needed indeed if you only focus on the malware aspect but i still remind you that UAC is also there to prevent voluntary elevation requests made by unauthorized person.

    but a huge amount of them still need admin rights and are just blocked by UAC at max.
    I will say, if you don't use UAC at max, don't bother to use it at all.
     
  4. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Well in my case, I don't use any security software right now, on all of my computers, as I believe I don't have a reason to, my only security software if you were to call it that, is sandboxie to run non-trusted stuff, and simplewall which is my firewall, that's all. So even tho I don't really need UAC, I use it to follow what the programs are doing. UAC is required for changing many many many settings and different stuff on the pc, not just when elevating a process, you can check the wiki link I sent you which I'm 99.9% sure you didn't check the first time, and scroll down to see some of the stuff that UAC alerts about. Also my pc is lightning fast so the uac prompt for process elevation literally takes a few hundred milliseconds at worst, sooooooo
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,546
    Location:
    U.S.A.
    I believe most that frequent Wilders will remember that malware developers were having a "field day" a while back by malicious using eventvwr.exe; one of a slew of like Windows processes that allow for auto-elevation. Microsoft patched the eventvwr.exe issue in Win 10 Anniversary upgrade by internally modifying it to directly run mmc.exe versus eventvwr.msc: https://www.winhelponline.com/blog/...ac-bypass-exploit-windows-10-creators-update/ . Don't know if this ever was like patched in Win 7.

    Well as this recently posted POC shows: http://soclevelone.com/index.php/2019/01/14/bypassing-windows-uac/ , it is still possible to maliciously use eventvwr.exe and also fodhelper.exe as this example shows. At least, this bypass will be detected if UAC is set to max level if running as a limited admin.
     
    Last edited: Mar 3, 2019
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    Exactly, malware authors try to circumvent UAC, because it creates a problem for them, so that itself proves, that UAC is not worthless, it is an additional layer. It is not bulletproof, but neither is any other security solution, otherwise we could just get rid of AVs well, because no AV detects 100% and no firewall blocks all traffic without help. If one relies on UAC, he should focus on preventing bypassing UAC, mostly done by scripts/powershell.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,546
    Location:
    U.S.A.
    Last edited: Mar 3, 2019
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    People, who have UAC set to max, would surely not just allow any random alert. I wonder, if CMD would show in the program location the fake long path?
     

    Attached Files:

  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Compile the poc yourself and test it, I currently don't have vs installed cuz I rarely do c++ projects and I clean installed recently, maybe some other time...

    In any case, it will require an executable, and those won't run themselves, so no problem here for me
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,546
    Location:
    U.S.A.
    Based on what is posted in the write up:
    I am interpreting this as the name passed to UAC for elevation is C:\Windows\System32\winSAT.exe. In other words, no path manipulation would be obvious in the UAC prompt if indeed it would be displayed. Now winSAT.exe, mmc.exe, etc. all will show UAC prompt when UAC is set to max. level.
     
    Last edited: Mar 3, 2019
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,546
    Location:
    U.S.A.
    Need more proof UAC should always be set to max. level. Maybe this code from a Metasploit UAC bypass module will convince you:
    https://cxsecurity.com/issue/WLB-2018120142

    Also: https://www.prodefence.org/multiple-ways-to-bypass-uac-using-metasploit/
     
    Last edited: Mar 3, 2019
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,546
    Location:
    U.S.A.
    For those not running at least Win 10 RS5:
    https://tyranidslair.blogspot.com/2018/10/farewell-to-token-stealing-uac-bypass.html
     
  13. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Btw, none of the bypasses in UACME actually work on Always Notify level, at least last when I tested them a few months ago. Currently, only method 34 is supposed to work with always notify and is not fixed. Last time, there was also only 1 method which was working with always notify, must have been either 34 or 35, I don't remember. But in any case, when I tested it, the exe simply crashed and did nothing every time, or the calculator was launched normally. I could not launch an elevated calculator no matter what, I used akagi64 on v1803
     
  14. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,105
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,768
    Location:
    Europe then Asia
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,546
    Location:
    U.S.A.
    As far as method 35 goes, it is the bypass I posted in reply #37. I am interpreting this:
    to mean that AlwaysNotify is not a mitigation. Also this has to be done via WMI in Win 10 pre-RS5 ver., so consumer or command event creation is required or via Secondary Logon Service :
    -EDIT- I was wrong about WMI event creation. He is doing the bypass programmatically using C/C++ which will allow you to bypass most of Win's security mechanisms:
    https://tyranidslair.blogspot.com/2017/05/reading-your-way-around-uac-part-3.html
     
    Last edited: Mar 4, 2019
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,443
    Location:
    Canada
    Another informative article on UAC:

    How User Account Control Works

    Partially true, yes. But mainly because I run, as most people probably should, in a Standard User account, but I want to be able to perform administrative tasks from within my SUA by simply entering my credentials from the UAC-generated secure desktop. However, if I'm going to run numerous administrative tasks in a short time, i will log out of my SUA and into my Administrative account to perform those tasks, because I need only to prompt for consent rather than for credentials.
     
    Last edited: Mar 3, 2019
  18. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,768
    Location:
    Europe then Asia
    That is how Windows should be used, it is simple safe practice. You don't do admin/critical stuff on your daily account...
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,443
    Location:
    Canada
    Most of the administrative stuff I'm doing is simply elevating MS apps such as event viewer, group policy editor, process explorer, and so forth. I'm also the only one using my laptop, so I don't need to worry about others such as is the case in corporate environments.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,765
    Location:
    The Netherlands
    I'm not sure yet, but seems like UAC alerts have changed a bit on Win 10. But isn't it true that once you allow some app to run it can do whatever it wants? So it's not like a behavior blocker which is able to block certain stuff even when some app is already running in memory.

    If you run in SUA, then you don't have a choice of course. But for me it wouldn't make any sense to enable UAC. Why deal with hundreds of expected UAC alerts (installing apps, running Process Explorer) when system is already protected? I mean, how big is the risk that some super exploit will blast true all defenses, and even if it does, if the malware doesn't require admin rights, UAC won't even pop up.
     
  21. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,768
    Location:
    Europe then Asia
    Why people still think UAC is a full-fledged security feature. It is not and never will, it is not a BB or whatever.

    UAC just prevents UNWANTED elevation, that is it, so stop mentioning WANTED elevation... This has no place in the discussion.

    When you talk about an AV, you talk about what you want block, not what you allow.

    If some can't handle a click or two a day, (basic users must be insane to do more than 2-3 admin task a day... Even me, i don't.)
    I wonder how can they handle any HIPS that requires 10+ prompts in less than a second for just one app :rolleyes:
    HIPS detect every system modifications, legit or not, it is even worst than UAC...
    It is such an hassle that they had to implement cloud lookup and whitelisting... :thumbd:

    Apps like Process Explorer doesn't need to be ran as admin to perform properly, it does in the case the admin needs deeper infos or do some admin tasks with it that need elevation, which will trigger an UAC prompt.

    Also it is not because people here uses anti-malware solutions that Average Joe does the same, most aren't, so UAC is still affording some security.
    After all, when watching a movie, you get a elevation prompt out-of-the-blue, the natural reflex would be to deny it.

    UAC is all about elevation and denying processes/users to get admin privileges.
    Nothing more nothing less.
    Talking about anything else is erroneous.

    Security forums members' config are niches, they don't reflect Average Joe ones, so discussing about the effectiveness of a features with such config is pointless.
    To evaluate things, it must be done on an "out of the box" system. Tester 101.
     
    Last edited: Mar 10, 2019
  22. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    If you've got an already elevated process, then yes, obviously it won't ask you when it needs to do stuff that requires it to be elevated, such as all those tasks in the UAC wiki link, because it's already elevated
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,546
    Location:
    U.S.A.
    Of note from the above posted Microsoft link:
     
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    This is very bad if true. How are we going to play Forza Motorsport 7, for example?

    (great game btw, if you like racing on tracks you need to try it)
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,765
    Location:
    The Netherlands
    The things is, you make it sound like UAC informs you about why a certain process needs admin rights, while it doesn't. And do you really think that Average Joe knows and cares about this? He/she simply knows that if he doesn't click on yes, then the app won't run or install. That's why I say that all of those expected UAC alerts are pretty pointless.

    Nobody thinks this. The point is, that according to me it's not worth the trouble. And you can't compare it to alerts from HIPS, because you will get to see them only at first app run/install, after that you make rules (allow or deny) and you won't see those alerts again. And again, those alerts are there to inform you about possible malicious behavior. UAC simply informs you about some process wanting to elevate, that doesn't tell anything about some app intentions.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.