If `EnableLUA` is 1, then UAC is activated; if it is 0 or it doesn't exist, then UAC is inactive.

`ConsentPromptBehaviorAdmin`, in the same registry key as before:

- 0: UAC won't prompt (like disabled)
- 1: the admin is asked for username and password to execute the binary with high rights (on Secure Desktop)
- 2: (Always notify me) UAC will always ask the administrator for confirmation when he tries to execute something with high privileges (on Secure Desktop)
- 3: like 1, but not necessarily on Secure Desktop
- 4: like 2, but not necessarily on Secure Desktop
- 5: (default) it will ask the administrator to confirm running non-Windows binaries with high privileges

`LocalAccountTokenFilterPolicy`: if the value is 0, then only the RID 500 user (built-in Administrator) is able to perform admin tasks without UAC, and if it is 1, all accounts inside the "Administrators" group can do them.

`FilterAdministratorToken`: if 0 (default), the built-in Administrator account can do remote administration tasks, and if 1 the built-in Administrator account cannot do remote administration tasks unless `LocalAccountTokenFilterPolicy` is set to 1.

Summary:

| EnableLUA | LocalAccountTokenFilterPolicy | FilterAdministratorToken | Result |
|---|---|---|---|
| 0 or doesn't exist | - | - | No UAC for anyone |
| 1 | 1 | - | No UAC for anyone |
| 1 | 0 | 0 | No UAC for RID 500 (built-in Administrator) |
| 1 | 0 | 1 | UAC for everyone |

All this information can be gathered with the Metasploit module `post/windows/gather/win_privs`.
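The following added example (not code from the original page) encodes the summary table above in a small audit function and, on a Windows host, reads the live values with Python's `winreg` module; the names `classify_uac` and `read_uac_settings` are assumptions of this example.

```python
"""Classify a host's UAC posture from the four registry values discussed above
(added example; the decision logic encodes the summary table, not page code)."""
import sys

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin",
              "LocalAccountTokenFilterPolicy", "FilterAdministratorToken")

# ConsentPromptBehaviorAdmin meanings, as listed above.
CONSENT_ADMIN = {
    0: "never prompts (behaves as if UAC were disabled)",
    1: "prompts the admin for credentials on the Secure Desktop",
    2: "always prompts the admin for consent on the Secure Desktop",
    3: "prompts for credentials, not necessarily on the Secure Desktop",
    4: "prompts for consent, not necessarily on the Secure Desktop",
    5: "prompts for consent for non-Windows binaries (default)",
}


def classify_uac(enable_lua, latfp, filter_admin_token, consent_admin=None):
    """Apply the summary table; None means the value is absent from the registry."""
    enable_lua, latfp = enable_lua or 0, latfp or 0          # absent -> 0
    filter_admin_token = filter_admin_token or 0
    consent_admin = 5 if consent_admin is None else consent_admin  # default 5
    if enable_lua == 0:
        applies_to = "nobody"       # EnableLUA=0 or missing: no UAC at all
    elif latfp == 1:
        applies_to = "nobody"       # whole Administrators group bypasses UAC
    elif filter_admin_token == 0:
        applies_to = "everyone except RID 500 (built-in Administrator)"
    else:
        applies_to = "everyone"
    prompt = CONSENT_ADMIN.get(consent_admin, "unknown value %r" % consent_admin)
    return {"uac_applies_to": applies_to, "admin_prompt": prompt}


def read_uac_settings():
    """Read the four values from HKLM on a Windows host (None when absent)."""
    if not sys.platform.startswith("win"):
        raise OSError("the registry is only available on Windows")
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_VALUES:
            try:
                found[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                found[name] = None
    return found
```

Feed the dictionary returned by `read_uac_settings()` into `classify_uac()` to get the effective posture of the host being audited.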
If UAC is disabled (`ConsentPromptBehaviorAdmin` is 0) you can execute a reverse shell with admin privileges (high integrity level) using something like:

The DPAPI master keys of a user are stored under `C:\users\<username>\appdata\roaming\Microsoft\Protect`.

You can use `cipher /e` and `cipher /d` inside a folder to encrypt and decrypt all the files.

From a meterpreter session you can impersonate the token of the process of the user (`impersonate_token` from `incognito`), or you could just `migrate` to a process of the user.