TTPwire Vol. 1 · MITRE ATT&CK Tagged


Google Project Zero

Bypassing Administrator Protection by Abusing UI Access

James Forshaw · 2026-02-12

ATT&CK techniques detected

48 predictions
T1055.001 Dynamic-link Library Injection
100%
“\osk.exe which would be a permitted secure directory. However, Z:\osk.exe would then be passed as lpApplicationName to CreateProcessAsUser. What use is this? The new process needs a base directory from where it'll check for local DLL loads, and the CreateProcessAsUser API…”
T1548.002 Bypass User Account Control
99%
“Bypassing Administrator Protection by Abusing UI Access. In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn't exist. I described one of the ways I was able to bypass the feature…”
T1548.002 Bypass User Account Control
99%
“code execution in a UI Access process, one was a publicly known bypass while the other was a TOCTOU in the handling of the path to the executable file. The public bypass was described by myself in a blog post about using my PowerShell tooling to call local RPC methods. The exampl…”
T1548.002 Bypass User Account Control
99%
“get code execution in a high integrity level process, with UI Access enabled or not, then you can leverage that to bypass Administrator Protection. Hopefully anything which is now found allowing code execution in a UI Access process is a serviceable security vulnerability and wil…”
T1548.002 Bypass User Account Control
98%
“ways to get arbitrary code executing as a high integrity level UI Access process. While Microsoft had made it clear that they were not a priority to be fixed, they sometimes were. Let's break it down in a series of categories with some historical detail as well as my more recen…”
T1548.002 Bypass User Account Control
98%
“of exploiting this behavior. A simple way of inspecting for potential exploitable behavior is to run Process Monitor and capture events accessing the limited user's registry hive or profile directory. It's also possible to hijack things like the user's C: drive mapping as…”
T1548.002 Bypass User Account Control
98%
“be in a secure location. Of course to do this you'd need a code signing certificate but that isn't as big of a challenge as it seems. You might even be able to slip the signed UI Access executable file into a Store application if you were so inclined. But this is now fixed as…”
T1548.002 Bypass User Account Control
98%
“…C encouraged running processes at different privilege levels on the same desktop, Microsoft introduced an additional feature, User Interface Privacy Isolation (UIPI). This used the Mandatory Integrity Control feature in UAC to limit what windows a process could interact with.…”
T1548.002 Bypass User Account Control
97%
“If all the criteria are met then when the process is launched via RAiLaunchAdminProcess the service will take a copy of the caller's access token, enable the UI Access flag and increase the integrity level as follows based on the caller: If the caller is a limited user of an u…”
T1134 Access Token Manipulation
96%
“integrity level of the token which do not go through NtSetInformationToken and thus do not end up disabling the UI Access flag. One option was the creation of an App Container token via the NtCreateLowBoxToken system call. This will set the integrity level to Low which will allow…”
T1548.002 Bypass User Account Control
96%
“, but what about the new and improved Administrator Protection? Exactly the same as for the existing admin-approval UAC. The UI Access process will run under the caller's token, which in this case will be the limited user, not the shadow administrator. The process will have t…”
T1548.002 Bypass User Account Control
95%
“, which seems to be an optional component but is installed by default on Windows 11. It abused the fact that the Quick Assist application would load the WebView2 APIs to display HTML content. WebView2 would look in the user's hive for an overridable installation location to loa…”
T1055.001 Dynamic-link Library Injection
95%
“so I reported that as a separate issue. If we ignore the issue in handling environment variables, we can abuse this task as it'll create a window when the process runs, so we just set up a hook, start the task, wait for your hook DLL to be loaded by the cleanmgr.exe process and…”
T1134 Access Token Manipulation
94%
“preventing a limited user from injecting code into the new process and by extension getting access to the UI Access flag. As an aside, you can disable the UI Access flag on the token without TCB privilege. A valid UI Access process running as a normal user can “ratchet” itself…”
T1548.002 Bypass User Account Control
93%
“engineer. You can use my PowerShell tools to find executable files which have the uiAccess manifest option set to true. PS> $paths = "C:\Windows", "C:\Program Files", "C:\Program Files (x86)" PS> Get-ChildItem -Path $paths -Include *.exe -Recurse | % {…”
T1548.002 Bypass User Account Control
91%
“longer interact with administrator processes created on the desktop. It would be blocked from both reading the contents of windows as well as performing operations such as clicking a button. This was not an acceptable compromise, so Vista needed a way to allow these applications…”
T1053.005 Scheduled Task
91%
“administrator. We need a task that is enabled, can be started by the limited user and runs with administrator privileges. We can use my PowerShell tools Get-AccessibleScheduledTask command to find one: PS> Get-AccessibleScheduledTask -Access Execute |? { $_.AllowDemandSt…”
T1134 Access Token Manipulation
91%
“resuming the process. Access Token Stealing. The final category I'll mention is access token stealing. This is somewhat different from the others as you commonly can't get high integrity level from it, instead you get a process with the UI Access flag enabled which can be used…”
T1055.001 Dynamic-link Library Injection
90%
“RAiLaunchAdminProcess RPC method has a very similar set of parameters to the CreateProcessAsUser API that's ultimately called to create the new process. This includes having a separate string representing the path to the executable to create and the command line to pass to the…”
T1055.001 Dynamic-link Library Injection
87%
“process, it would run with a high integrity level and could take over any administrator process that contains a window. A service process with a system integrity level could only be interacted with using windows messages. But there's no security boundary between an administrato…”
T1134.002 Create Process with Token
87%
“resuming the process. Access Token Stealing. The final category I'll mention is access token stealing. This is somewhat different from the others as you commonly can't get high integrity level from it, instead you get a process with the UI Access flag enabled which can be used…”
T1134 Access Token Manipulation
85%
“longer interact with administrator processes created on the desktop. It would be blocked from both reading the contents of windows as well as performing operations such as clicking a button. This was not an acceptable compromise, so Vista needed a way to allow these applications…”
T1548.002 Bypass User Account Control
84%
“…sAsUser API used by the UAC service doesn't need a specific file extension for the executable file to be used. If you find a directory then you can just copy the executable file into that location. On a default installation there doesn't seem to be any location that's not…”
T1548.002 Bypass User Account Control
82%
“administrator process through the RAiLaunchAdminProcess RPC call. When a UI Access process is created through this RPC call it does not show the consent prompt unlike administrator elevation. This is important as otherwise there was a risk that a user couldn't create the access…”
T1548.002 Bypass User Account Control
78%
“preventing a limited user from injecting code into the new process and by extension getting access to the UI Access flag. As an aside, you can disable the UI Access flag on the token without TCB privilege. A valid UI Access process running as a normal user can “ratchet” itself…”
T1548.002 Bypass User Account Control
73%
“of a limited user process. It doesn't filter out excluded directories, so you'd have to check yourself. PS> $paths = "C:\Windows", "C:\Program Files", "C:\Program Files (x86)" PS> Get-AccessibleFile -Win32Path $paths -Access Execute, WriteData ` -Dir…”
T1548.002 Bypass User Account Control
73%
“integrity level of the token which do not go through NtSetInformationToken and thus do not end up disabling the UI Access flag. One option was the creation of an App Container token via the NtCreateLowBoxToken system call. This will set the integrity level to Low which will allow…”
T1134 Access Token Manipulation
71%
“code execution in a UI Access process, one was a publicly known bypass while the other was a TOCTOU in the handling of the path to the executable file. The public bypass was described by myself in a blog post about using my PowerShell tooling to call local RPC methods. The exampl…”
T1055.001 Dynamic-link Library Injection
69%
“preventing a limited user from injecting code into the new process and by extension getting access to the UI Access flag. As an aside, you can disable the UI Access flag on the token without TCB privilege. A valid UI Access process running as a normal user can “ratchet” itself…”
T1546.008 Accessibility Features
66%
“of exploiting this behavior. A simple way of inspecting for potential exploitable behavior is to run Process Monitor and capture events accessing the limited user's registry hive or profile directory. It's also possible to hijack things like the user's C: drive mapping as…”
T1134.002 Create Process with Token
66%
“integrity level of the token which do not go through NtSetInformationToken and thus do not end up disabling the UI Access flag. One option was the creation of an App Container token via the NtCreateLowBoxToken system call. This will set the integrity level to Low which will allow…”
T1546.008 Accessibility Features
65%
“engineer. You can use my PowerShell tools to find executable files which have the uiAccess manifest option set to true. PS> $paths = "C:\Windows", "C:\Program Files", "C:\Program Files (x86)" PS> Get-ChildItem -Path $paths -Include *.exe -Recurse | % {…”
T1134.004 Parent PID Spoofing
64%
“longer interact with administrator processes created on the desktop. It would be blocked from both reading the contents of windows as well as performing operations such as clicking a button. This was not an acceptable compromise, so Vista needed a way to allow these applications…”
T1548.002 Bypass User Account Control
63%
“process, it would run with a high integrity level and could take over any administrator process that contains a window. A service process with a system integrity level could only be interacted with using windows messages. But there's no security boundary between an administrato…”
T1134 Access Token Manipulation
61%
“, but what about the new and improved Administrator Protection? Exactly the same as for the existing admin-approval UAC. The UI Access process will run under the caller's token, which in this case will be the limited user, not the shadow administrator. The process will have t…”
T1134 Access Token Manipulation
59%
“, which seems to be an optional component but is installed by default on Windows 11. It abused the fact that the Quick Assist application would load the WebView2 APIs to display HTML content. WebView2 would look in the user's hive for an overridable installation location to loa…”
T1574.001 DLL
52%
“. I found a bypass for the check back in 2017 and reported it to MSRC. The check didn't take into account that it's possible to write an NTFS named stream to a directory if the limited user has write access to that directory. For example the directory C:\Windows\Tracing…”
T1055.001 Dynamic-link Library Injection
51%
“. I found a bypass for the check back in 2017 and reported it to MSRC. The check didn't take into account that it's possible to write an NTFS named stream to a directory if the limited user has write access to that directory. For example the directory C:\Windows\Tracing…”
T1546.008 Accessibility Features
49%
“Bypassing Administrator Protection by Abusing UI Access. In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn't exist. I described one of the ways I was able to bypass the feature…”
T1134.002 Create Process with Token
48%
“preventing a limited user from injecting code into the new process and by extension getting access to the UI Access flag. As an aside, you can disable the UI Access flag on the token without TCB privilege. A valid UI Access process running as a normal user can “ratchet” itself…”
T1134.004 Parent PID Spoofing
48%
“, which seems to be an optional component but is installed by default on Windows 11. It abused the fact that the Quick Assist application would load the WebView2 APIs to display HTML content. WebView2 would look in the user's hive for an overridable installation location to loa…”
T1134.001 Token Impersonation/Theft
44%
“resuming the process. Access Token Stealing. The final category I'll mention is access token stealing. This is somewhat different from the others as you commonly can't get high integrity level from it, instead you get a process with the UI Access flag enabled which can be used…”
T1134.004 Parent PID Spoofing
39%
“integrity level of the token which do not go through NtSetInformationToken and thus do not end up disabling the UI Access flag. One option was the creation of an App Container token via the NtCreateLowBoxToken system call. This will set the integrity level to Low which will allow…”
T1548.002 Bypass User Account Control
38%
“administrator. We need a task that is enabled, can be started by the limited user and runs with administrator privileges. We can use my PowerShell tools Get-AccessibleScheduledTask command to find one: PS> Get-AccessibleScheduledTask -Access Execute |? { $_.AllowDemandSt…”
T1055.003 Thread Execution Hijacking
37%
“preventing a limited user from injecting code into the new process and by extension getting access to the UI Access flag. As an aside, you can disable the UI Access flag on the token without TCB privilege. A valid UI Access process running as a normal user can “ratchet” itself…”
T1134.002 Create Process with Token
37%
“longer interact with administrator processes created on the desktop. It would be blocked from both reading the contents of windows as well as performing operations such as clicking a button. This was not an acceptable compromise, so Vista needed a way to allow these applications…”
T1548 Abuse Elevation Control Mechanism
36%
“Bypassing Administrator Protection by Abusing UI Access. In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn't exist. I described one of the ways I was able to bypass the feature…”
T1055.001 Dynamic-link Library Injection
33%
“, which seems to be an optional component but is installed by default on Windows 11. It abused the fact that the Quick Assist application would load the WebView2 APIs to display HTML content. WebView2 would look in the user's hive for an overridable installation location to loa…”

Summary

In my last blog post I introduced the new Windows feature, Administrator Protection, and how it aimed to create a secure boundary for UAC where one didn’t exist. I described one of the ways I was able to bypass the feature before it was released. In total I found 9 bypasses during my research, all of which have now been fixed. In this blog post I wanted to describe the root cause of 5 of those 9 issues, specifically the implementation of UI Access, how this has been a long-standing and under-appreciated problem with UAC, and how it’s being fixed now.

A Question of Accessibility

Prior to Windows Vista any process running on a user’s desktop could control any window created by another, such as by sending window messages. This behavior could be abused if a privileged user, such as SYSTEM, displayed a user interface on the desktop. A limited user could control the UI and potentially elevate privileges. This was referred to as a Shatter Attack, and was usually fixed by removing user interface components from privileged code.