Hi it's possible to make a simple int main application and use one of these methods like simda etc.. to elevate privilages in my main program? with your project? It looks like very good the project in this case you are using like a loader i think? Maybe the only way is to use this loader separately ? or including in one program made in c++/c or which language? it's to check and learn more these methods.

getting MSVCR120D.dll error, and this does not happen before. any idea what am missing from source, kindly advice

Newly added behavioral signatures targeting the following methods

23 as UacBypassExp.S
30 as UacBypassExp.R
45 as UacBypassExp.N
54 as UacBypassExp.L

Hi,
Your tool is great then which source represents the method 30?
Thanks a lot by advance.

I ran one of the parameters with UACMe (one of the 30s, I think). Since then, every time I run Visual Studio or a program I made in Visual Studio I get a window of cmd and also this message

After I close the message, the program closes.
Weird.
I hope you can help!

I ran exploit 22 and it worked, but now whenever running a program with admin privileges it opens consent.exe in cmd. How do I fix this?

Question, is there anyhow i can check whether UACme has successfully elevated or not ? like return code or something ? so far as i see, return code always returns 0 no matter if it fails or succeeds

Error 2 error MSB3073: The command "\Utils\StripDebug.exe .\output\Win32\Release\Akagi32.exe

But Where is the "\Utils\StripDebug.exe" ?

I can no longer login to my local user account please could you advise me on what needs restoring?

Hi, I really like your project, can I convert your code so it works in PowerShell? I would like to put it in PowerSploit (https://github.com/mattifestation/PowerSploit), and/or in Empire (https://github.com/PowerShellEmpire/Empire)

Thanks, redfast00

The most recent version has the compiled binaries removed from /bin
Are new ones coming or was this a mistake?

Hi, I can not understand the procedure for the DismMethod. I see:

1. Drop dismcore.dll in system32 using iFileOperation
2. Drop .xml file in %temp%
3. Start PkgMgr.exe with parameter /n:%temp%\file.xml
4. ???
5. My program is started with admin rights

What happens in step 4 and where is the path to my program indicated? Thank you.

I've got a fresh install of Win 8.1 and VS 2015 in Virtualbox.

When opening the solution, it says:

The build tools for v141 cannot be found. Install v141 to build using the v141 build tools."

Went to Project - Properties - but there is no "General" submenu at all.
Only "Common Properties" and "Configuration Properties", thats it. So I cant choose anything related to build tools...

Anyone there to help? Thanks!

How can i fix this error?

Severity Code Description Project File Line Suppression State
Error MSB4018 The "NativeCodeAnalysis" task failed unexpectedly.
Microsoft.VisualStudio.CodeAnalysis.AnalysisResults.AnalysisResultException: CA0001 : An unknown error occurred while running Code Analysis. ---> System.IO.DirectoryNotFoundException: Could not find a part of the path 'F:\1MMMMMMMMMMM\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Team Tools\Static Analysis Tools\Rule Sets\SecurityRules.ruleset'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy)
at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
at System.Xml.XmlTextReaderImpl.FinishInitUriString()
at System.Xml.XmlTextReaderImpl..ctor(String uriStr, XmlReaderSettings settings, XmlParserContext context, XmlResolver uriResolver)
at System.Xml.XmlReaderSettings.CreateReader(String inputUri, XmlParserContext inputContext)
at System.Xml.XmlReader.Create(String inputUri, XmlReaderSettings settings, XmlParserContext inputContext)
at Microsoft.VisualStudio.CodeAnalysis.RuleSets.RuleSetXmlProcessor.ReadFromFile(String filePath)
at Microsoft.VisualStudio.CodeAnalysis.RuleSets.RuleSet.LoadFromFile(String filePath, IEnumerable`1 ruleProviders)
at Microsoft.Build.Tasks.NativeCodeAnalysis.LoadRuleSet(String ruleSetFile)
at Microsoft.Build.Tasks.NativeCodeAnalysis.Execute()
--- End of inner exception stack trace ---
at Microsoft.Build.Tasks.NativeCodeAnalysis.Execute()
at Microsoft.Build.BackEnd.TaskExecutionHost.Microsoft.Build.BackEnd.ITaskExecutionHost.Execute()
at Microsoft.Build.BackEnd.TaskBuilder.d__26.MoveNext() Akagi C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Microsoft\VisualStudio\v15.0\CodeAnalysis\Microsoft.CodeAnalysis.targets 379

And is it possible to build single file for both x64 and x86?

https://gist.github.com/homjxi0e/3f130f2ecb270e705afdd5d2955e8b7d

# go to copy Powershell To Desktop and copy Path Powershell after use this command
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Users\harr0ey\Desktop\PCW8E57.xml /skip TRUE
# link file PCW8E57.xml https://gist.github.com/homjxi0e/3f35212db81b9375b7906031a40c6d87
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml
# video 
https://www.youtube.com/watch?v=7OSbfqUIQBo

ElevationEnabled=Enabled
VirtualizationEnabled=Enabled
InstallerDetectEnabled=Enabled
ConsentPromptBehaviorAdmin=5
PromptOnSecureDesktop=Enabled

WPD Association LUA Virtual Factory
WPD Association LUA Virtual Factory
Portable Device Association
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{00393519-3A67-4507-A2B8-85146167ACA7}

Virtual Factory for Biometrics
Virtual Factory for Biometrics
Biometric Devices
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{0142e4d1-fb7a-11dc-ba4a-000ffe7ab428}

CEIPLuaElevationHelper
wercplsupport.dll
Customer Experience Improvement Program
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{01D0A625-782D-4777-8D4E-547E6457FAD5}

CTapiLuaLib Class
AppId{03e15b2e-cca6-451c-8fb0-1e2ee37a27dd}
Phone and Modem
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{03e15b2e-cca6-451c-8fb0-1e2ee37a27dd}

undefined
AppId{642ef9d6-48a5-476b-919a-a507cfd02c0f}
Windows Font Folder
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{08d450b7-f7e5-4424-8229-11888adb7c14}

PersistentZoneIdentifier
AppId{0968e258-16c7-4dba-aa86-462dd61e31a3}
Open File - Security Warning
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{0968e258-16c7-4dba-aa86-462dd61e31a3}

RasDlg LUA
RASDLGLUA
Network Connections
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{0C3B05FB-3498-40C3-9C03-4B22D735550C}

Wireless Setup Class
Mcx2Setup Class
Windows Media Center Wireless Configuration
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{0c98b8bc-273c-464d-938a-b9709607e137}

HNetCfg.FwOpenPort
AppId{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}
Windows Firewall
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}

ARP CBS Uninstaller Proxy
%SystemRoot%\system32\appwiz.cpl
Uninstall an update
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{0da7bfdf-c0a0-44eb-be82-b7a82c4721de}

WUAppElevator class
Windows Update Agent User Interface
Windows Update
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1138506a-b949-46a7-b6c0-ee26499fdeaf}

VistaWUWebControl Class
Vista Elevated Windows Update Web Control
Windows Update
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{12a66224-5e8a-4679-8941-0b9b960bf5ea}

Virtual Factory for DiagCpl
Virtual Factory for DiagCpl
Troubleshooting
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{12C21EA7-2EB8-4B55-9249-AC243DA8C666}

SPPLUAObject Class
SPPComApi
Software Licensing
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{179CC917-3A82-40E7-9F8C-2FC8A3D2212B}

Share Media Settings Writer
SMLUA
Media streaming options
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{19BA17F2-2602-4E77-9027-103894607626}

Create New Link
AppId{1BA783C1-2A30-4ad3-B928-A9A46C604C28}
Create New Shortcut
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1BA783C1-2A30-4ad3-B928-A9A46C604C28}

Lpksetup LUA Elevation
%systemroot%\system32\lpksetup.exe
Language Pack Installer
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1C749B87-568C-4865-8E73-6413F8372CE6}

Shell Indexer Admin Object
AppId{3F4D7BB8-4F38-4526-8CD3-C44D68689C5F}
Pause Indexing
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1E1714A3-50B9-480b-A94A-636D9A9B56D1}

Parental Controls Override
wpcao.dll
Parental Controls
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1E5300BE-0762-4527-8140-C0FF22DDFC56}

Office Licensing COM Server 15
undefined
Microsoft Office 2013
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1E886174-DC88-4B83-8BC5-66409EC75F15}

Security Shell Extension
rshx32.dll
Permissions editor for files and folders
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1f2e5c40-9550-11ce-99d2-00aa006e086c}

Microsoft Disk Quota UI Elevation Helper
AppId{1fb2a002-4c6c-4de7-85c2-cb8db9a4f728}
Disk Quota Settings
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1fb2a002-4c6c-4de7-85c2-cb8db9a4f728}

Detection And Sharing
DetectionAndSharing
Network discovery and file sharing
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{1fda955b-61ff-11da-978c-0008744faab7}

Sensors Sensor Configuration Helper
Sensors Sensor Configuration Helper
Location and Other Sensors
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{2331D136-E39D-4019-92D6-7CE5579962FB}

WUPublishedAppInstallorElevator Class
Windows Update Agent User Interface for Published Applications
Windows Update Published Application Installer
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{26D32566-760A-40A2-AA82-A40366528916}

FaultrepElevatedDataCollection
faultrep.dll
Windows Problem Reporting
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{2C256447-3F0D-4CBB-9D12-575BB20CDA0A}

HNetCfg.FwRule
AppId{2C5BC43E-3369-4C33-AB0C-BE9469677AF4}
Windows Firewall
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{2C5BC43E-3369-4C33-AB0C-BE9469677AF4}

Advanced Indexing Options Dialog Object
AppId{3F4D7BB8-4F38-4526-8CD3-C44D68689C5F}
Advanced Indexing Options
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{2F2165FF-2C2D-4612-87B2-CC8E5002EF4C}

HNetCfg.FwMgr
AppId{304CE942-6E39-40D8-943A-B913C40C9CD4}
Windows Firewall
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{304CE942-6E39-40D8-943A-B913C40C9CD4}

CtTuner Class
cttunesvr
Microsoft ClearType Tuner
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{32BA16FD-77D9-4AFB-9C9F-703E92AD4BFF}

Mcx2Install Class
Mcx2Setup Class
Media Center Extender Install
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{3630AB4B-C0D2-4C1B-B7E7-73A2CF9A4521}

Office 15 Microsoft Update Opt-In
AppId{37B05236-FFB5-4D42-B0C8-4A36CBF1BE15}
Microsoft Update
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{37B05236-FFB5-4D42-B0C8-4A36CBF1BE15}

Device Pairing Handler Class
DevicePairingHandler.dll
Add a device
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{383b69fa-5486-49da-91f5-d63c24c8e9d0}

Copy/Move/Rename/Delete/Link Object
AppId{3ad05575-8857-4850-9277-11b85bdb8e09}
File Operation
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{3ad05575-8857-4850-9277-11b85bdb8e09}

CMLUAUTIL
CMLUAUTIL
Connection Manager
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{3E000D72-A845-4CD9-BD83-80C07C3B881F}

CMSTPLUA
CMSTPLUA
Connection Manager
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

AccesibilityCplAdmin Class
AccessibilityCplAdmin
Ease of Access Administrative Settings
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{434A6274-C539-4E99-88FC-44206D942775}

Manage Network Names
AppId{44C39C96-0167-478F-B68D-783294A2545D}
Manage Network List
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{44C39C96-0167-478F-B68D-783294A2545D}

Home Networking Configuration Manager
AppId{46C166AA-3108-11D4-9348-00C04F8EEB71}
Network Connections
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{46C166AA-3108-11D4-9348-00C04F8EEB71}

CIEContentAdvisorBroker
AppId{27170d71-7a40-4c8b-a3d1-64f7cbe81c66}
Content Advisor
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{46CB32FA-B5CA-8A3A-62CA-A7023C0496C5}

RasGcw LUA
RASGCWLUA
Network Connections
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{4A6B8BAD-9872-4525-A812-71A52367DC17}

CIERegistryHKLMBroker
AppId{27170d71-7a40-4c8b-a3d1-64f7cbe81c66}
Internet Explorer
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{4b360c3c-d284-4384-abcc-ef133e1445da}

ERCLuaElevationHelper
wercplsupport.dll
Problem Reporting
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{4BC67F23-D805-4384-BCA3-6F1EDFF50E2C}

Shell Security Editor
Shell Security Editor
Edit Security
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{4D111E08-CBF7-4f12-A926-2C7920AF52FC}

AddMdmObj Class
UICOM
Add modems
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{4DF929E7-4C5E-4587-A598-7ED7B3D6E462}

LayerUIPropPage
acppage.dll
Program Compatibility
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}

Region and Language UAC Elevation
%systemroot%\system32\intl.cpl
Region and Language
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{514B5E31-5596-422F-BE58-D804464683B5}

FaxCommon Class
FaxCommon Class
Windows Fax and Scan
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{59347292-B72D-41F2-98C5-E9ACA1B247A2}

IE Spelling Dictionary Installer Broker
AppId{27170d71-7a40-4c8b-a3d1-64f7cbe81c66}
IE Spelling Dictionary Installer
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{5bbd58bb-993e-4c17-8af6-3af8e908fca8}

Virtual Factory for Display
Virtual Factory for Display CPL
Display
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{5D05A4EB-54EA-4B7F-A28D-CE51F6BCBAF2}

Mount Point Rename
AppId{60173D16-A550-47f0-A14B-C6F9E4DA0831}
Rename Drive
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{60173D16-A550-47f0-A14B-C6F9E4DA0831}

Windows Data Burn
AppId{66eea0f5-001a-4073-a496-783f86fcf4c0}
Windows Data Burn
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{66eea0f5-001a-4073-a496-783f86fcf4c0}

NAP Elevated class
Nap Elevated COM class
Network Access Protection
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{677126ed-2a91-40ff-8c52-06181c064573}

Sensors CPL Change Device Permission LUA Helper
Sensors CPL Change Device Permission LUA Helper
Location and Other Sensors
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{6CE51F75-0448-438e-B9CA-69C352A248A7}

Advanced Indexing Options Dialog Object
AppId{3F4D7BB8-4F38-4526-8CD3-C44D68689C5F}
Common Indexed Locations Settings
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{6D3951EB-0B07-4fb8-B703-7C5CEE0DB578}

LAN Connection UI Class
AppId{7007ACC5-3202-11D1-AAD2-00805FC1270E}
Network Connections
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{7007ACC5-3202-11D1-AAD2-00805FC1270E}

Network Common Connections Ui
AppId{7007ACD1-3202-11D1-AAD2-00805FC1270E}
Network Connections
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{7007ACD1-3202-11D1-AAD2-00805FC1270E}

Windows SideShow AutoWake Configuration Helper
Windows SideShow AutoWake Configuration Helper
Windows SideShow
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{71B804C5-5577-471D-8FE5-C4A45B654EB8}

Sharing Elevated Virtual Factory
Sharing Elevated Virtual Factory
Windows File Sharing
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{72A7994A-3092-4054-B6BE-08FF81AEEFFC}

FwCpl LUA
FwCplLUA
Windows Firewall
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{752438CB-E941-433F-BCB4-8B7D2329F0C8}

Connect to a Network Projector
NetProjW
Connect to a Network Projector
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{76052C5C-2EB4-4C40-B1F1-2A5C8554590A}

Sensors CPL Change Description LUA Helper
Sensors CPL Change Description LUA Helper
Location and Other Sensors
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{76AE5F57-B7C9-421f-B55E-FB25144317B6}

Indexer Status Update Object
AppId{76be8257-c4c0-4d37-90c0-a23372254d27}
Update Indexer Status
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{76be8257-c4c0-4d37-90c0-a23372254d27}

XWizard Task Stub
XWizard Virtual Factory
The wizard program needs permission to access to your system
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{777BA815-2498-4875-933A-3067DE883070}

XWizard Page Stub
XWizard Virtual Factory
The wizard program needs permission to access to your system
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{777BA816-2498-4875-933A-3067DE883070}

XWizard Virtual Factory
XWizard Virtual Factory
The wizard program needs permission to access to your system
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{777BA81A-2498-4875-933A-3067DE883070}

Private XWizard Registration Manager Class
XWizard Virtual Factory
The wizard program needs permission to access to your system
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{777BA8F5-2498-4875-933A-3067DE883070}

Private XWizard Factory Registration Manager Class
XWizard Virtual Factory
The wizard program needs permission to access to your system
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{777BA8F9-2498-4875-933A-3067DE883070}

Private XWizard Type Registration Manager Class
XWizard Virtual Factory
The wizard program needs permission to access to your system
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{777BA8FB-2498-4875-933A-3067DE883070}

Network and Sharing Center Cpl Elevated Virtual Factory
Network and Sharing Center Cpl Elevated Virtual Factory
Network and Sharing Center
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{7A076CE1-4B31-452a-A4F1-0304C8738100}

Shell FMIFS Wrapper
Shell FMIFS Wrapper
Format Drive
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{7aa7790d-75d7-484b-98a1-3913d022091d}

HomeGroup Password
provsvc.dll
HomeGroup Password
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{7be73787-ce71-4b33-b4c8-00d32b54bea8}

HomeGroup Printing Device Class
HomeGroup Printing Device Class
Install Homegroup Printer
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{7DF8EF76-D449-485f-B4EB-58DC96B31EDB}

Setup Controller 15
undefined
Contrôleur d’installation
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{7EA9A8FA-F5D2-49E1-99E8-C26EE07FCE15}

WlanConn LUA
WlanConn
Connect to a network wizard
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{868A2E25-D6C1-450b-8510-734A4AFEE8BC}

Virtual Factory for Usercpl
Virtual Factory for Usercpl
User Accounts Control Panel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{86d5eb8a-859f-4c7b-a76b-2bd819b7a850}

CElevateWlanUi
CElevateWlanUi
Wireless Network Properties
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{86F80216-5DD6-4F43-953B-35EF40A35AEE}

X509 Enrollment Helper
undefined
X509 Enrollment Helper
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{884e2050-217d-11da-b2a4-000e7bbb2b09}

Virtual Factory for Action Center CPL
Virtual Factory for Action Center CPL
Action Center
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{8D26D9AA-5DA8-4b95-949A-B74954A229A6}

Virtual Factory for Recovery
Virtual Factory for Recovery
Recovery
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{9200689A-F979-4eea-8830-0E1D6B74821F}

Default Location CPL Data Handler LUA Helper
Default Location CPL Data Handler LUA Helper
Default Location
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{9A630456-078D-43d3-9F1D-DF7A5BC0FA44}

Date and Time Properties
timedate.cpl
Date and Time
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}

undefined
AppId{A0ADD4EC-5BD3-4f70-A47B-07797A45C635}
Offline Files
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{A0ADD4EC-5BD3-4f70-A47B-07797A45C635}

WlanPref LUA
WlanPrefLUA
Manage Wireless Networks
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{A25821B5-F310-41BD-806F-5864CC441B78}

Microsoft Windows Defender
Microsoft Windows Defender
Windows Defender
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{A2D75874-6750-4931-94C1-C99D3BC9D0C7}

Windows Parental Controls
Windows Parental Controls
Parental Controls
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{A2D8CFE7-7BA4-4bad-B86B-851376B59134}

Virtual Factory for Windows Firewall Cpl
Virtual Factory for Windows Firewall Cpl
Windows Firewall
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{A4B07E49-6567-4FB8-8D39-01920E3B2357}

Shell ChkdskEx Dialog
Shell ChkdskEx Dialog
Check Disk
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{a4c31131-ff70-4984-afd6-0609ced53ad6}

Mcx2Uninstall Class
Mcx2Setup Class
Media Center Extender Uninstall
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{A4E118DF-B9E5-4B42-888C-065CEAF8DDC3}

Secure Startup
%SystemRoot%\System32\fveui.dll
BitLocker Drive Encryption
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}

RemMdmObj Class
UICOM
Remove modems
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{A9710FB5-1840-4224-BD42-86831E28E43A}

MBN Pin Unblock page
WwanAdvui
Mobile broadband PIN unblock
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{b70cc729-28ae-11dd-9676-000000000000}

Connection Manager LUA Host Object
AppId{BA126F01-2166-11D1-B1D0-00805FC1270E}
Network Connections
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{BA126F01-2166-11D1-B1D0-00805FC1270E}

WlanAdhoc LUA
WlanPrefLUA
Adhoc Wireless Network
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{BB2D41DF-7E34-4F06-8F51-007C9CAD36BE}

Virtual Factory for Power Options Control Panel
Virtual Factory for Power Options Control Panel
Power Options Control Panel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{BBD8C065-5E6C-4e88-BFD7-BE3E6D1C063B}

DfsShellAdmin Class
DfsShlEx.dll
DFS Shell Extension
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{BCEA735B-4DAC-4B71-9C47-1D560AFD2A9B}

Internet Explorer Add-on Installer
AppId{7B29F495-0F55-49F7-8885-9E8A22CE3829}
Internet Explorer Add-on Installer
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{bdb57ff2-79b9-4205-9447-f5fe85f37312}

WPD PnPX Association Manager Class
undefined
undefined
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{BFD6C433-4B17-4F6D-A93C-B03FCC4E586E}

Network Center LUA
NCLUA
Network and Sharing Center
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{C0DCC3A6-BE26-4bad-9833-61DFACE1A8DB}

WCN Elevation Helper
AppId{C100BEBB-D33A-4a4b-BF23-BBEF4663D017}
Read a Network Profile
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{C100BEBB-D33A-4a4b-BF23-BBEF4663D017}

Network Diagnostics Framework
NDFAPI
Windows Network Diagnostics
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{C529C7EF-A3AF-45F2-8A47-767B33AA5CC0}

PNPX Association Class
PNPXAssoc.dll
PnPX Device Association
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{cee8ccc9-4f6b-4469-a235-5a22869eef03}

ColorDataProxy
AppId{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}
Color Management
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}

Windows SideShow Device Configuration Helper
Windows SideShow Device Configuration Helper
Windows SideShow
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{D3667F1E-CCB8-4A69-99DF-59A2B2A6753F}

CIEInetcplRasBroker
AppId{27170d71-7a40-4c8b-a3d1-64f7cbe81c66}
Network Connections Deletion Tool
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{d63c23c5-53e6-48d5-adda-a385b6bb9c7b}

Bluewire Elevated Unpairing Handler
Bluewire unpairing elevation surrogate
Add or remove a device
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{D88EC52B-8D57-49e1-9EB3-4D267D68A2AE}

Advanced Configuration Dialog
AppId{DCED8DB0-11A5-4b16-AB9D-4E28CA38C99F}
Network Connections
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{DCED8DB0-11A5-4b16-AB9D-4E28CA38C99F}

SDChangeObj Class
sdchange
Remote Assistance Secure Desktop Disable
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{E1BA41AD-4A1D-418F-AABA-3D1196B423D3}

HNetCfg.FwPolicy2
AppId{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
Windows Firewall
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

Security Center
wscui.cpl
Action Center
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{E9495B87-D950-4ab5-87A5-FF6D70BF3E90}

File Prop Sheet Page Helper
AppId{E96767E0-7EAA-45e1-8E7D-64414AFF281A}
Apply File Attributes
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{E96767E0-7EAA-45e1-8E7D-64414AFF281A}

User Account Control Settings
%systemroot%\System32\UserAccountControlSettings.dll
User Account Control Settings
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}

HNetCfg.FwAuthorizedApplication
AppId{EC9846B3-2762-4A6B-A214-6ACB603462D2}
Windows Firewall
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{EC9846B3-2762-4A6B-A214-6ACB603462D2}

PerfCenter Enabler
PerfCenter Enabler
Performance Problems
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{f4be747e-45c4-4701-90f1-d49d9ac30248}

Internet Shortcut
AppId{FBF23B40-E3F0-101B-8488-00AA003E56F8}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{FBF23B40-E3F0-101B-8488-00AA003E56F8}

ARP UninstallString Launcher
appwiz.cpl
Uninstall or change an application
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{FCC74B77-EC3E-4dd8-A80B-008A702075A9}

Elevatable Shortcut
AppId{ff9e6131-a8c1-4188-aa03-82e9f10a05a8}
Save Shortcut Properties
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{ff9e6131-a8c1-4188-aa03-82e9f10a05a8}

HomeGroup CPL Advanced Settings Writer
HomeGroup CPL Advanced Settings Writer
Advanced sharing settings
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID{ffe1df5f-9f06-46d3-af27-f1fc10d63892}

================================================

ManagementConsole: mmc.exe
SnapinFile: adfs.msc
SnapinFile: admgmt.msc
SnapinFile: adrmsadmin.msc
SnapinFile: adsiedit.msc
SnapinFile: appsrv.msc
SnapinFile: appsrv64.msc
SnapinFile: azman.msc
SnapinFile: certmgr.msc
SnapinFile: certsrv.msc
SnapinFile: certtmpl.msc
SnapinFile: ciadmin.msc
SnapinFile: ciadv.msc
SnapinFile: cluadmin.msc
SnapinFile: comexp.msc
SnapinFile: compmgmt.msc
SnapinFile: da6to4.msc
SnapinFile: daiphttps.msc
SnapinFile: daipsecdos.msc
SnapinFile: daisatap.msc
SnapinFile: damgmt.msc
SnapinFile: datrdr.msc
SnapinFile: datrds.msc
SnapinFile: devmgmt.msc
SnapinFile: dfsgui.msc
SnapinFile: dfsmgmt.msc
SnapinFile: dhcpmgmt.msc
SnapinFile: diskmgmt.msc
SnapinFile: dnsmgmt.msc
SnapinFile: domain.msc
SnapinFile: dsa.msc
SnapinFile: dssite.msc
SnapinFile: eventvwr.msc
SnapinFile: failoverclusters.snapinhelper.msc
SnapinFile: fsmgmt.msc
SnapinFile: fsrm.msc
SnapinFile: fxsadmin.msc
SnapinFile: gpedit.msc
SnapinFile: gpmc.msc
SnapinFile: gpme.msc
SnapinFile: gptedit.msc
SnapinFile: hcscfg.msc
SnapinFile: idmumgmt.msc
SnapinFile: iis.msc
SnapinFile: iis6.msc
SnapinFile: ilr.msc
SnapinFile: ipaddrmgmt.msc
SnapinFile: lsdiag.msc
SnapinFile: lusrmgr.msc
SnapinFile: napclcfg.msc
SnapinFile: nfsmgmt.msc
SnapinFile: nps.msc
SnapinFile: ntwkmgmt.msc
SnapinFile: ocsp.msc
SnapinFile: perfmon.msc
SnapinFile: pkiview.msc
SnapinFile: pkmgmt.msc
SnapinFile: printmanagement.msc
SnapinFile: remoteprograms.msc
SnapinFile: rrasmgmt.msc
SnapinFile: rsadmin.msc
SnapinFile: rsop.msc
SnapinFile: sanmmc.msc
SnapinFile: sbmgr.msc
SnapinFile: scanmanagement.msc
SnapinFile: schmmgmt.msc
SnapinFile: secpol.msc
SnapinFile: servermanager.msc
SnapinFile: services.msc
SnapinFile: storagemgmt.msc
SnapinFile: storexpl.msc
SnapinFile: tapimgmt.msc
SnapinFile: taskschd.msc
SnapinFile: tpm.msc
SnapinFile: tsadmin.msc
SnapinFile: tsconfig.msc
SnapinFile: tsgateway.msc
SnapinFile: tsmmc.msc
SnapinFile: virtmgmt.msc
SnapinFile: wbadmin.msc
SnapinFile: wdsmgmt.msc
SnapinFile: wf.msc
SnapinFile: winsmgmt.msc
SnapinFile: wmimgmt.msc
SnapinFile: wsrm.msc

C:\Windows\ehome\Mcx2Prov.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\AdapterTroubleshooter.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\bthudtask.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\chkntfs.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\cleanmgr.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\cliconfg.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\CompMgmtLauncher.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\ComputerDefaults.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\dccw.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\dcomcnfg.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\DeviceEject.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\DeviceProperties.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\dfrgui.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\djoin.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\eudcedit.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\eventvwr.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\FXSUNATD.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\hdwwiz.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\iscsicli.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\iscsicpl.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\lpksetup.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\MdSched.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\msconfig.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\msdt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\msra.exe
asInvoker
uiAccess=TRUE
autoElevate=TRUE

C:\Windows\System32\MultiDigiMon.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\Netplwiz.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\newdev.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\ntprint.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\ocsetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\odbcad32.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\OptionalFeatures.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\perfmon.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\printui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\recdisc.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\sdclt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\shrpubw.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\slui.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\SndVol.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\SystemPropertiesAdvanced.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\SystemPropertiesComputerName.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\SystemPropertiesHardware.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\SystemPropertiesPerformance.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\SystemPropertiesProtection.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\SystemPropertiesRemote.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\taskmgr.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\tcmsetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\TpmInit.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\verifier.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\WindowsAnytimeUpgrade.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\wisptis.exe
asInvoker
uiAccess=TRUE
autoElevate=TRUE

C:\Windows\System32\wusa.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_ca26c6da62d71ca8\fsquirt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\fsquirt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\oobe\setupsqm.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\System32\sysprep\sysprep.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\AdapterTroubleshooter.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\bthudtask.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\chkntfs.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\cleanmgr.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\cliconfg.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\ComputerDefaults.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\dccw.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\dcomcnfg.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\DeviceProperties.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\dfrgui.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\eudcedit.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\eventvwr.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\hdwwiz.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\iscsicli.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\iscsicpl.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\msdt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\Netplwiz.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\newdev.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\ntprint.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\ocsetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\odbcad32.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\OptionalFeatures.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\perfmon.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\printui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\shrpubw.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\SndVol.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\SystemPropertiesHardware.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\SystemPropertiesProtection.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\SystemPropertiesRemote.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\taskmgr.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\tcmsetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\TpmInit.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\verifier.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\SysWOW64\wusa.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.17514_none_d06ac9aad230c1d6\fsquirt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.17607_none_d0789c5ad225ef11\fsquirt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.17889_none_d024215ad264fb95\fsquirt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.21716_none_d0f668efeb4c9175\fsquirt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.22046_none_d0d5d519eb6512d8\fsquirt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_eventviewersettings_31bf3856ad364e35_6.1.7600.16385_none_50ecc9ae1d642aa9\eventvwr.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\sdbinst.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-adaptertroubleshooter_31bf3856ad364e35_6.1.7600.16385_none_2df6395b9cf7e9a5\AdapterTroubleshooter.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-anytime-upgrade_31bf3856ad364e35_6.1.7600.16385_none_fb591b6cf023ade3\WindowsAnytimeUpgrade.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_6.1.7601.17514_none_244e76d61e1989e5\SndVol.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-autochkconfigurator_31bf3856ad364e35_6.1.7600.16385_none_74b76d3fa1757c6f\chkntfs.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-bth-user_31bf3856ad364e35_6.1.7601.17514_none_c33f455aebcd9dbb\bthudtask.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-c..utermanagerlauncher_31bf3856ad364e35_6.1.7600.16385_none_ea0a643b0e032c19\CompMgmtLauncher.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-com-complus-ui_31bf3856ad364e35_6.1.7600.16385_none_0c9cb55c61e99805\dcomcnfg.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-computerdefaults_31bf3856ad364e35_6.1.7600.16385_none_626b9352dcfa715c\ComputerDefaults.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_f73c142da6e47daa\dfrgui.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-deviceproperties_31bf3856ad364e35_6.1.7600.16385_none_463f54aa539a0b62\DeviceProperties.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-driververifier_31bf3856ad364e35_6.1.7600.16385_none_1660ccbeb66c6cf1\verifier.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-mcx2prov_31bf3856ad364e35_6.1.7600.16385_none_3482237b32c1daff\Mcx2Prov.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_b7be8a14d61db17a\eudcedit.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\FXSUNATD.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86\iscsicli.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-icm-dccw_31bf3856ad364e35_6.1.7600.16385_none_76e39d87a834545e\dccw.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.7600.16385_none_a61138e7aab17fed\ieUnatt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-ie-pdm_31bf3856ad364e35_8.0.7600.16385_none_6425238b793ee910\PDMSetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_6.1.7600.16385_none_33e01c5875c2e5cb\iscsicpl.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_3e69140a61f1eff5\hdwwiz.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_6.1.7601.17514_none_7f7f66788318015d\lpksetup.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_a044d905576812d4\odbcad32.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_6.1.7600.16385_none_cc12387f7062eb3b\cliconfg.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-m..diagnostic-schedule_31bf3856ad364e35_6.1.7601.17514_none_f1fca1ab90570e8a\MdSched.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_fa8534ab236134c4\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.18741_none_fa61b10d237c5081\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.19091_none_fa2b7d5f23a509c6\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.22948_none_faf251c43c939ed3\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.23290_none_fab41bc63cc38d60\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.23471_none_facabfb43cb26923\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.1.7601.17514_none_38a043f2b45f9ad2\msconfig.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0177539a37378025\msdt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_6.1.7600.16385_none_494ba66d2a12efc3\Netplwiz.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\newdev.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-ocsetup_31bf3856ad364e35_6.1.7601.17514_none_41a3376575e751b4\ocsetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-optionalfeatures_31bf3856ad364e35_6.1.7600.16385_none_c25bebf1075ff6aa\OptionalFeatures.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-optionaltsps_31bf3856ad364e35_6.1.7600.16385_none_3df12febe293ce5d\tcmsetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d\printui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_6.1.7601.17514_none_4e297fab940bc0e5\ntprint.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_6.1.7601.23488_none_4e6b3ccead5ec296\ntprint.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_fa2fc39ab7937a51\perfmon.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.23841_none_fa95c5ffd0cc4f79\perfmon.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-pnphotplugui_31bf3856ad364e35_6.1.7600.16385_none_44d62330646f757a\DeviceEject.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_6.1.7601.17514_none_e2a1ffe0ca40cff2\recdisc.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_934d08d31b96d4ee\msra.exe
asInvoker
uiAccess=TRUE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_25d85b4a3e4a7709\SystemPropertiesDataExecutionPrevention.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-s..mpropertiesadvanced_31bf3856ad364e35_6.1.7600.16385_none_533d797efdf7728b\SystemPropertiesAdvanced.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_9cef76e6ecab612f\SystemPropertiesHardware.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_6.1.7600.16385_none_b6cb9ed71c8b43d5\SystemPropertiesPerformance.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_6.1.7600.16385_none_8c6823f855ef04a5\SystemPropertiesComputerName.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_bfa748753634ba48\SystemPropertiesProtection.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_6.1.7601.17514_none_832fc1bb7d681e0d\sdclt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_6.1.7601.17514_none_b5ac5cc3a1b7e9ef\BitLockerWizardElev.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.7601.17514_none_b9e7a42ab571bbb9\slui.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\setupsqm.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\shrpubw.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-sysprep_31bf3856ad364e35_6.1.7600.16385_none_4b73926c122be805\sysprep.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\SystemPropertiesRemote.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.17514_none_a505d556c9de886a\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.17836_none_a4f23bc4c9ecea6f\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.18711_none_a502c17cc9e15054\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.18715_none_a506c2a4c9ddb5b0\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.18717_none_a508c338c9dbe85e\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.18741_none_a4e251b8c9f9a427\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.18869_none_a4d4b616ca02a3e8\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.18923_none_a4f9f5f0c9e79941\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.18933_none_a4ef2604c9efb532\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.18939_none_a4f527c0c9ea4d3c\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.19135_none_a4f100a0c9ee1849\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.21988_none_a547c987e331489c\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.22917_none_a59261e9e2f9854f\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.22921_none_a5819041e3070936\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.22923_none_a58390d5e3053be4\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.22948_none_a572f26fe310f279\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23072_none_a54c5911e32ee184\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23126_none_a5866bbbe302b852\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23136_none_a57b9bcfe30ad443\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23142_none_a56ccabbe3168ad8\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23338_none_a57da02fe309013f\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23391_none_a535bea1e33ff784\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23392_none_a536beebe33f10db\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23418_none_a59341ede2f8c684\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23539_none_a57ea445e30814e4\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23543_none_a56dd29de31598cb\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23569_none_a55e3481e32068b7\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23572_none_a54c628fe32ed347\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23677_none_a55165e7e32a4f21\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23714_none_a58f4677e2fc589d\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23796_none_a53ac7abe33b6ad3\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23807_none_a59d1927e2f185d8\rstrui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_6.1.7601.17514_none_7d0125c85cc31d2a\rdpshell.exe
asInvoker
uiAccess=TRUE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-t..platform-input-core_31bf3856ad364e35_6.1.7601.17514_none_2f3651e7f36d703f\wisptis.exe
asInvoker
uiAccess=TRUE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_6.1.7601.17514_none_3d9977977190cdc4\MultiDigiMon.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_7288349cbfd37b08\taskmgr.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_6.1.7600.16385_none_d3720895f8f22acd\TpmInit.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_6.1.7601.17514_none_113aea0e8374286d\djoin.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\amd64_microsoft-windows-wusa_31bf3856ad364e35_6.1.7601.17514_none_0b2696ec2f3c656d\wusa.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.23807_none_a59d1927e2f185d8_rstrui.exe_dfa7225b
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_3e69140a61f1eff5_hdwwiz.exe_b6a1c2df
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_6.1.7601.17514_none_e2a1ffe0ca40cff2_recdisc.exe_20690b49
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86_iscsicli.exe_20e14d4f
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a_newdev.exe_7eb73dcd
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_printui.exe_bb673fff
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsicli.exe_20e14d4f
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf_hdwwiz.exe_b6a1c2df
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.exe_7eb73dcd
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_eventviewersettings_31bf3856ad364e35_6.1.7600.16385_none_5b41740051c4eca4\eventvwr.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff\sdbinst.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-bth-user_31bf3856ad364e35_6.1.7601.17514_none_cd93efad202e5fb6\bthudtask.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81\iscsicli.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-icm-dccw_31bf3856ad364e35_6.1.7600.16385_none_813847d9dc951659\dccw.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.7601.17514_none_b296f701dc00c582\ieUnatt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_04d9defd57c1f6bf\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.18741_none_04b65b5f57dd127c\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.19091_none_048027b15805cbc1\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.22948_none_0546fc1670f460ce\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.23290_none_0508c61871244f5b\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.23471_none_051f6a0671132b1e\rrinstaller.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0bcbfdec6b984220\msdt.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728\printui.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_04846decebf43c4c\perfmon.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.23841_none_04ea7052052d1174\perfmon.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-adaptertroubleshooter_31bf3856ad364e35_6.1.7600.16385_none_d1d79dd7e49a786f\AdapterTroubleshooter.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_6.1.7601.17514_none_c82fdb5265bc18af\SndVol.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-autochkconfigurator_31bf3856ad364e35_6.1.7600.16385_none_1898d1bbe9180b39\chkntfs.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_6d1a8c84bedf66a4\cleanmgr.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-com-complus-ui_31bf3856ad364e35_6.1.7600.16385_none_b07e19d8a98c26cf\dcomcnfg.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-computerdefaults_31bf3856ad364e35_6.1.7600.16385_none_064cf7cf249d0026\ComputerDefaults.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_9b1d78a9ee870c74\dfrgui.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-deviceproperties_31bf3856ad364e35_6.1.7600.16385_none_ea20b9269b3c9a2c\DeviceProperties.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-driververifier_31bf3856ad364e35_6.1.7600.16385_none_ba42313afe0efbbb\verifier.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_5b9fee911dc04044\eudcedit.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-ie-pdm_31bf3856ad364e35_8.0.7601.17514_none_0a379bcfbdcffb74\PDMSetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_6.1.7600.16385_none_d7c180d4bd657495\iscsicpl.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf\hdwwiz.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_44263d819f0aa19e\odbcad32.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_6.1.7600.16385_none_6ff39cfbb8057a05\cliconfg.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-netplwiz-exe_31bf3856ad364e35_6.1.7600.16385_none_ed2d0ae971b57e8d\Netplwiz.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24\newdev.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-ocsetup_31bf3856ad364e35_6.1.7601.17514_none_e5849be1bd89e07e\ocsetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-optionalfeatures_31bf3856ad364e35_6.1.7600.16385_none_663d506d4f028574\OptionalFeatures.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-optionaltsps_31bf3856ad364e35_6.1.7600.16385_none_e1d294682a365d27\tcmsetup.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_6.1.7601.17514_none_f20ae427dbae4faf\ntprint.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-p..randprintui-ntprint_31bf3856ad364e35_6.1.7601.23488_none_f24ca14af5015160\ntprint.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_c9b9bfc685ed05d3\SystemPropertiesDataExecutionPrevention.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-s..mpropertiesadvanced_31bf3856ad364e35_6.1.7600.16385_none_f71eddfb459a0155\SystemPropertiesAdvanced.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_40d0db63344deff9\SystemPropertiesHardware.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_6.1.7600.16385_none_5aad0353642dd29f\SystemPropertiesPerformance.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_6.1.7600.16385_none_304988749d91936f\SystemPropertiesComputerName.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_6388acf17dd74912\SystemPropertiesProtection.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\shrpubw.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\SystemPropertiesRemote.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_16699919077609d2\taskmgr.exe
asInvoker
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_6.1.7600.16385_none_77536d124094b997\TpmInit.exe
highestAvailable
uiAccess=FALSE
autoElevate=TRUE

C:\Windows\winsxs\x86_microsoft-windows-wusa_31bf3856ad364e35_6.1.7601.17514_none_af07fb6876def437\wusa.exe
requireAdministrator
uiAccess=FALSE
autoElevate=TRUE

================================================

Method #27 IARPUninstallStringLauncher incorrectly handles return value of RegCreateKeyEx and RegSetValueEx.

this message popup when I tried to test a test account with specified privileges

Hi,

It seems as though the functions sxsFilePathNoSlash and sxsFindLoaderEntry are defined in both util.c and sup.c. Commenting them out in one file or the other solves the problem, but I was just wondering whether both files are really necessary? If so, which one should have its defs of sxsFilePathNoSlash and sxsFindLoaderEntry removed?

MTIA! :-)

Hey, im new to all of this stuff, is there a bypass working for windows 10 right now? if so what do i compile and how do i compile it?

Please show how you generated the massive hex array.

I tried compiling the code in release with vs2015 and it fails with a
LINK2001 : unresolved external symbol __iob_func

I did add the following in the main.c

include <stdio.h>

wprintf("some message");

I tried googling and found many useless references.

Not work after build (((

Method 32 (ucmUiAccessMethod)

• Windows Media Player component removed from OS
• Fix: since appinfo g_lpIncludedPFDirs wasn't updated you can re-create target dir in program files and use it as placeholder again, fixed in v 3.0.1

Method 48 (ucmSPPLUAObjectMethod)
* rrinstaller.exe component removed from OS
* Fix: switch to other autoelevated target

• Fixed in 17763 by altering CSLLUAComInstance::SLLUARegKeySetValue with
  E_NOTIMPL

Method 50 (ucmDateTimeStateWriterMethod)
* Need investigation
As it depends on Method 48 it won't work either.

Managed to build Akagi in Virtualbox - Win 7 + VS 2017. No errors

But when I'm launching it in the same barebone Win 7 (mid-2015, no updates) environment,
it throws an error about VCruntime dll.... Can I change the build options or statically link or something? In the realworld scenario, with many Win7, Win 8.1, Win 10, not all of them would have VCR dll either, right?

method 20, isnt working(blocked by UAC). method 21 isnt working because sysprep isnt found, and 23 is also blocked by uac.

(23). [file] %systemroot%\System32\dismcore.dll
(36). [multiple files] MSCOREE.dll (in various paths recorded in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\KnownFunctionTableDlls, e.g. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\)
(37). [folder] %systemroot%\System32\dccw.exe.local
(43). [registry] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration\DisplayCalibrator
I'm not sure if (36) and (37) left residual file by mistaken or intended or some thing incorrect with my PC configure, but the other two did not implement cleanup.
PS. Residual file left by (36) may cause any .NET program cannot start properly after system restart.
Environment: Build 17692

Hi hfiref0x,
I love your project and I want to ask you a question regarding methods 21 and 22, during the DLL hijacking how do you perform the forwarding to the legit DLL?

I ask you this because I've developed a WinSxS bypass UAC abusing dccw.exe (PoC in my github: github.com/L3cr0f/DccwBypassUAC) and the only way I found to do so was using '#pragma comment (linker, "/export...', but you don't use it.

PD: If you want to integrate my PoC in UACME, I'll be really happy :)

Thank you beforehand.

Would it be possible to allow more than 2 parameters, so that it can be committed a parameter to the elevated program? Like "akagi64.exe 3 notepad.exe c:\Windows\System32\drivers\etc\hosts"
Currently the parameter "c:\Windows\System32\drivers\etc\hosts" is not passed to notepad.exe.

This is a very interesting repository.
I've found it very complicated to take one particular method and use it in another project/exe.
For example, I wanted to use method 35 in my own exe, and make it auto elevate itself if it's not executed as administrator.
To be honest, in the first place, it was a little trouble to find out where to look for it. After finding the correct c file, I figured out it won't work just by copy & pasting the function.
There are dependencies (other functions) and also some header files for Nt*** and Rtl*** functions.

Sorry for newbies questions:

1. Is it possible to use on of this methods in regular windows applications? Because I guess some of this functions are not accessible.
2. Which files and headers should I include to make them work?
3. Do you mind to separate each method in feature for more reusability?

You did a great job here, thanks in advance.

For example a command line like this:

"C:\Program Files\xxx\yyy.exe" "d:\path include space\my.data"

Akagi64.exe 35 ?????

Hey:)

• Using method 36 the DLLs used for hijacking (in the .NET directory) are not cleaned, Thus every .NET executable that is opened after running this method is replaced with an instance of cmd.exe.
• The DLLs can be MSCOREE.dll or OLE32.dll.
• I would have fixed this issue myself but Akagi cannot remove the DLL because it needs to be elevated (lol), I thought the correct way to fix this is using the payload DLL to remove itself somehow. What do you think?

Would it be possible to allow more than 2 parameters, so that it can be committed a parameter to the elevated program? Like "akagi64.exe 3 notepad.exe c:\Windows\System32\drivers\etc\hosts"
Currently the parameter "c:\Windows\System32\drivers\etc\hosts" is not passed to notepad.exe.

This is a request #7 from 7 Jul 2016, which was closed without comment.
Version 2.5.5. was testet therefore but the third parameter did not pass.

method 55 not in UACME build, tried on win10 x64 still request parameter input while its correct

There is a typo in the target of method 29 and method 31: sdctl.exe -> sdclt.exe.

Hello. Thank you for this amazing project! Where I can exactly find methods to look on exploits PoC directly? All code is looks very huge and difficult to understand. For example I want to know how exactly 52 method works. I've not found it here Source/Akagi/methods. I'm also wanted to know - do this all methods written to return elevated to current handle? So every method in Source/Akagi/methods will result in returning elevated privs to process which calls it?

Hey, I have a general question about the implementation of UACME. I've noticed you use the ntdll.dll api directly (by using ntos.h..). Why do you use this api and not Win32? For example, you use the following functions which exist in Win32:

• RtlSecureZeroMemory
• RtlExpandEnvironmentStrings
• NtPrivilegeCheck
• ...

I understand that some specific functions are not available in Win32, but why use all the other functions through ntdll?

 (Get-ScheduledTask GatherNetworkInfo).Actions[0]


Id               :
Arguments        :
Execute          : %windir%\system32\gatherNetworkInfo.vbs
WorkingDirectory : $(Arg1)
PSComputerName   :

DisplayName         :
GroupId             : Users
Id                  : AnyUser
LogonType           : Group
RunLevel            : Highest
UserId              :
ProcessTokenSidType : Default
RequiredPrivilege   :
PSComputerName      :

It can be abused with the same way as DiskCleanup (https://github.com/hfiref0x/UACME/blob/master/Source/Akagi/methods/tyranid.c#L37)

anybody notice WD has blacklist almost all UAC techniques from executing?

Can't be unzipped.

Quoted from bytecode77/slui-file-handler-hijack-privilege-escalation:

Read access to HKCU\Software\Classes\exefile\shell\open is performed upon execution. Due to the registry key being accessible from user mode, an arbitrary executable file can be injected.

But in the actual test, the registry key slui.exe accessed is HKCR\exefile\shell\open\command not the one mentioned by bytecode77. After changing the value of the HKCR one to cmd.exe, cmd window (Medium IL) shown after slui.exe is executed.

Environment:

Hi,

I'm trying to compile the latest Akagi project on Windows 10 64 bit Build 17134.648 using Visual Studio 2015 14.0.25123.00 Update 2. I get 174 compile errors that all seemingly stem from a single line of code in shared/ntos.h: line 9071 where VS complains that "identifier PMEM_EXTENDED_PARAMETER is undefined".

By Googling that type name I found https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-mem_extended_parameter which says that the type should be defined in winnt.h. If past experience serves me correctly, this header should never be included directly; rather windows.h should be included instead (I don't understand how this works since windows.h doesn't include winnt.h directly, but it has always worked for me in the past). This is done in the project's global.h. So what gives??

I've followed the build instructions to the letter (set "Platform Toolset" to v140 and "Target Platform Version" to 8.1 in project properties) but since that aforementioned MS docs page says that Windows 10 is required, I'm guessing that the latter option should be set to 10.0.17134 as suggested for VS 2017, and that the appropriate SDK is required. I'm downloading the SDK as we speak to test this, but thought I'd create an issue here in the meantime, to alert others of the issue if nothing else.

Anyway going back to the instructions for VS 2015, I have the 8.1 SDK installed at C:\Program Files (x86)\Windows Kits\8.1 and the include directories are all setup properly in VS (I am sure of this as other projects targeting the same SDK work fine). The external dependencies (all 216 of them!) show up fine under that node of the solution explorer, yet I'm still having this incredibly-infuriating problem!

As a quick aside, I always seem to have this kind of problem when compiling a large GitHub-hosted project myself, and as such I wish there would be precompiled binaries provided in the repo AS WELL AS the source code. It makes life infinitely-easier for people like me who always seem to be missing one or two crucial system headers.

MTIA to anyone who can shine some light on this! :-)

Hello,

Seems the 32 Bit version has been removed from the bin folder ?

Kind Regards

Since Windows 10 v1803, the ucmMethodSluiHijack has been patched. Upon execution,it opens Windows settings with a dialog box prompting for a Windows Key.

Please add a possibility to customise the elevated command.

Compiled the source code on Windows 7, copied the executable to Windows 10 and the executable refuses to launch ("The program can't start because ucrtbased.dll is missing from your computer. Try reinstalling the program to fix this problem.").

Also small side note, are there any current UAC exploits that do not require an administrator token to function?

Thanks.

References: https://github.com/DimopoulosElias/alpc-mmc-uac-bypass

1. Everything based on user manipulations with program UI, shell dialogs, e.g. OpenDialog, SaveDialog from elevated application. This is not UAC bypass as it require massive user interactions with UI and target applications have High Integrity preventing GUI hacking. Consider everything like this as just a trash for social media hype. Example #28. The only exception to this is Forshaw method 55 as it provides an original way to circumvent UIPI and do the automation with minimum UI interactions.

2. "UAC bypasses" involving manual writing to HKEY_LOCAL_MACHINE. You either force this your own or this is exploit that needs to be patched.

3. UAC bypasses based on switching one DLL name to another while core method stay the same.
   E.g. https://github.com/Cn33liz/TpmInitUACAnniversaryBypass. The exception can only be made if the previous target is no longer work or this is used in ITW malware (e.g. various sysprep dll combinations, Pitou method).

4. Copy-paste "UAC bypasses" - that having no purpose except show off in twitter/any other social media, is when author takes something already known (not even his origin) and reinvents the wheel for public post, e.g. #55

5. Everything patched by MS Bulletin as part of exploit patch with exception if it was previously used in malware. E.g. Sandworm method.

6. Methods that only work on Windows Server. This obviously do not make any sense.

I have tried method 35 which was about token manipulation and it was successful to elevate. However, some exe files in my computer are not working properly anymore. Example: sdiagnhost.exe. How can I solve this? I think it is about registry. Please help me. Thank you.

I think method 47 doesn't work on Windows 10 17134.165. It just opens eventvwr.