- EnableLUA: if 1, UAC is activated; if 0 or it doesn't exist, UAC is inactive.
- ConsentPromptBehaviorAdmin (how UAC prompts an administrator):
  - 0: UAC won't prompt (like disabled)
  - 1: the administrator is asked for username and password to execute the binary with high rights (on Secure Desktop)
  - 2: (Always notify me) UAC will always ask the administrator for confirmation when they try to execute something with high privileges (on Secure Desktop)
  - 3: like 1, but not necessarily on Secure Desktop
  - 4: like 2, but not necessarily on Secure Desktop
  - 5: (default) it asks the administrator to confirm running non-Windows binaries with high privileges
- LocalAccountTokenFilterPolicy: if the value is 0, only the RID 500 user (built-in Administrator) is able to perform admin tasks without UAC; if it's 1, all accounts inside the "Administrators" group can do them.
- FilterAdministratorToken: if 0 (default), the built-in Administrator account can do remote administration tasks; if 1, the built-in Administrator account cannot do remote administration tasks, unless LocalAccountTokenFilterPolicy is set to 1.
Summary:
- If EnableLUA=0 or it doesn't exist: no UAC for anyone.
- If EnableLUA=1 and LocalAccountTokenFilterPolicy=1: no UAC for anyone.
- If EnableLUA=1, LocalAccountTokenFilterPolicy=0 and FilterAdministratorToken=0: no UAC for RID 500 (built-in Administrator).
- If EnableLUA=1, LocalAccountTokenFilterPolicy=0 and FilterAdministratorToken=1: UAC for everyone.
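The following Python script is an added example (not code from the original page) that turns the value descriptions and summary above into an audit check: `effective_uac()` applies the summary rules to a dict of DWORDs, `describe_prompt()` explains the ConsentPromptBehaviorAdmin level, and `findings()` lists the settings that weaken the UAC boundary. It assumes the standard `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` key, treats a missing LocalAccountTokenFilterPolicy or FilterAdministratorToken as 0 and a missing ConsentPromptBehaviorAdmin as the documented default 5; `read_uac_values()` uses the `winreg` module and therefore only works when run on Windows, while the evaluation functions run anywhere.

```python
"""Audit the effective UAC configuration from the registry values described above.

Added example, not part of the original page. Only read_uac_values() needs
Windows (winreg); the decision logic is pure so it can be unit-tested elsewhere.
"""

# Standard location of the UAC policy values (HKLM hive).
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = (
    "EnableLUA",
    "ConsentPromptBehaviorAdmin",
    "LocalAccountTokenFilterPolicy",
    "FilterAdministratorToken",
)

# ConsentPromptBehaviorAdmin levels, following the list above.
PROMPT_BEHAVIOUR = {
    0: "no prompt (UAC behaves as if disabled for administrators)",
    1: "prompt for username and password on the Secure Desktop",
    2: "always prompt for consent on the Secure Desktop (Always notify me)",
    3: "prompt for username and password, not necessarily on the Secure Desktop",
    4: "prompt for consent, not necessarily on the Secure Desktop",
    5: "prompt for consent for non-Windows binaries (default)",
}


def effective_uac(values):
    """Apply the summary rules to a dict of value name -> DWORD.

    Returns (verdict, reason). Missing values count as 0: a missing EnableLUA
    means UAC is inactive (as the text states), and 0 is the documented default
    for FilterAdministratorToken (assumption: same treatment for a missing
    LocalAccountTokenFilterPolicy).
    """
    if values.get("EnableLUA", 0) == 0:
        return ("no UAC for anyone", "EnableLUA is 0 or missing")
    if values.get("LocalAccountTokenFilterPolicy", 0) == 1:
        return ("no UAC for anyone",
                "LocalAccountTokenFilterPolicy=1 exempts every member of Administrators")
    if values.get("FilterAdministratorToken", 0) == 0:
        return ("no UAC for RID 500",
                "FilterAdministratorToken=0 (default) exempts the built-in Administrator")
    return ("UAC for everyone",
            "EnableLUA=1, LocalAccountTokenFilterPolicy=0, FilterAdministratorToken=1")


def describe_prompt(values):
    """Human-readable meaning of ConsentPromptBehaviorAdmin (default 5 if absent)."""
    level = values.get("ConsentPromptBehaviorAdmin", 5)
    return PROMPT_BEHAVIOUR.get(level, "unknown ConsentPromptBehaviorAdmin value %d" % level)


def findings(values):
    """Defender checklist: every entry is a setting that weakens the UAC boundary."""
    weak = []
    verdict, reason = effective_uac(values)
    if verdict != "UAC for everyone":
        weak.append("%s: %s" % (verdict, reason))
    # UAC may be enabled yet never ask: elevation without a prompt.
    if values.get("EnableLUA", 0) == 1 and values.get("ConsentPromptBehaviorAdmin", 5) == 0:
        weak.append("ConsentPromptBehaviorAdmin=0: elevation happens without any prompt")
    return weak


def read_uac_values():
    """Read the four DWORDs from HKLM on a Windows host (winreg exists only there)."""
    import winreg  # imported here so the module still loads on non-Windows systems

    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_VALUES:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # absent value: callers treat it as "doesn't exist"
            if kind == winreg.REG_DWORD:
                found[name] = int(data)
    return found


if __name__ == "__main__":
    current = read_uac_values()
    for name in UAC_VALUES:
        print("%-32s %s" % (name, current.get(name, "<missing>")))
    print("Prompt behaviour:", describe_prompt(current))
    print("Effective UAC   :", "%s (%s)" % effective_uac(current))
    for item in findings(current):
        print("WEAK:", item)
```

Run it as the audited user on the host; an empty findings list means UAC applies to every administrator and the prompt level is not 0. Group Policy can also set these values, so compare the script's view with the GPO result set when the two disagree.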
If it is 0, you can execute a reverse shell with admin privileges (high integrity level) using something like:
cipher /d inside a folder to encrypt and decrypt all the files
In meterpreter sessions you can impersonate the token of the process of the user (incognito), or you could just migrate to a process of the user.