[r3shl4k1sh]

The following article gives another method to defeat the UAC using environment variables:
http://breakingmalware.com/vulnerabilit ... expansion/

POC:
https://github.com/BreakingMalwareResearch/eleven

[EP_X0FF]

Russian "l33t" magazine released paper incorporating this thread

_https://xakep.ru/2016/11/10/fuck-uac/

They have a paid subscription and to read whole article you need to subscrible. Do not pay them any money, fuck them -> read original full story here for free.

[EP_X0FF]

15007 (presumable, 15002 not checked) bring long awaited changes in the IFileOperation interface. For now attempts to create/copy/move to files in Windows and it subdirectories will result in E_ACCESSDENIED no matter if you do this from faked process or from code injected to the Explorer process. Additionally it seems it is no longer possible to create subdirectories in Windows without having full admin rights. Because IFileOperation is critical to UAC bypass (Middle->High) scheme you may consider every "method" based on it now dead. IFileOperation however still autoelevated which means these changes are special restrictions added to fight UAC bypass.

[EP_X0FF]

The following article gives another method to defeat the UAC using environment variables:
http://breakingmalware.com/vulnerabilit ... expansion/

POC:
https://github.com/BreakingMalwareResearch/eleven

Comet embedded into UACMe as method 24, well lets see if MS will finally discover and fix it. All credits to original authors.

[EP_X0FF]

Enigma0x3 method integrated as #25, more information about this simple and cute method can be found here https://enigma0x3.net/2016/08/15/filele ... hijacking/. It is already used by script-kiddie malware ITW. Also this method was "tweaked" to work on 15007 rs2 build which introduced Microsoft failed attempt to fix it.

[EP_X0FF]

15007 (presumable, 15002 not checked) bring long awaited changes in the IFileOperation interface. For now attempts to create/copy/move to files in Windows and it subdirectories will result in E_ACCESSDENIED no matter if you do this from faked process or from code injected to the Explorer process. Additionally it seems it is no longer possible to create subdirectories in Windows without having full admin rights. Because IFileOperation is critical to UAC bypass (Middle->High) scheme you may consider every "method" based on it now dead. IFileOperation however still autoelevated which means these changes are special restrictions added to fight UAC bypass.

Updated UACMe with working again 20, 21, 22, 23 methods will be published tomorrow. It turned I overestimated Microsoft changes.

Edit: UACMe updated and now able deliver again.

[EP_X0FF]

Enigma0x3 DiskCleanup method integrated in UACMe as #26. Works on Windows 10 only.

[EP_X0FF]

http://www.freebuf.com/articles/system/116611.html

Candidate to be #27

[EP_X0FF]

Microsoft changed CompMgmtLauncher.exe in RS2 build 15031 by dropping it autoelevation and requestedExecutionLevel to asInvoker thus effectively kill Comet and Enigma0x3 UAC bypasses.

[EP_X0FF]

Additionally cleanmgr.exe now sets file "Read" security permission for current user when it copy dismhost related files to %temp%. With this change it is now impossible to overwrite these files without elevation (IFileOperation), thus killing Enigma0x3 method main advantage -> when you was able to bypass UAC silently even with "AlwaysNotify" setting.