Security flaw in Windows 10 UAC lets malware change your system files and settings

By: Edward Hudson


User Account Control (UAC) in Windows 10 is meant to stop code from silently gaining administrator rights, but a new UAC bypass technique published by security researcher Matt Nelson lets code run with full administrator privileges without a prompt ever appearing. The technique relies on modifying an App Paths key in the current user's registry hive and abusing the built-in Backup and Restore utility (sdclt.exe) to launch attacker-controlled code at high integrity.

How it works

The bypass takes advantage of the auto-elevate attribute Windows grants to a set of trusted binaries that Microsoft ships and digitally signs. When a user who belongs to the local Administrators group runs one of these binaries at the default UAC level, it starts with full administrator privileges (a high-integrity process) without showing a UAC window, because Windows assumes a signed Microsoft component does not need to ask. Nelson further explained in his blog:

While searching for more of these auto-elevating binaries by using the SysInternals tool "sigcheck", I came across "sdclt.exe" and verified that it auto-elevates due to its manifest.

When observing the execution flow of sdclt.exe, it becomes apparent that this binary starts control.exe in order to open up a Control Panel item in high-integrity context.

The sdclt.exe binary is the built-in Backup and Restore utility that Microsoft introduced with Windows 7. As Nelson describes, when a user opens the utility, sdclt.exe calls the Control Panel binary, control.exe, to load the Backup and Restore settings page, and because sdclt.exe has auto-elevated, control.exe is started in that same high-integrity context.

However, before sdclt.exe launches control.exe it looks up the path to control.exe in the registry, and the key it consults sits in the current user's hive: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe. That is the problem Nelson identified. Anything running as the user, at ordinary medium integrity and without any elevation, can create or change keys under HKCU, so an attacker can point that entry at a binary of their choosing. Because sdclt.exe has already auto-elevated by the time it performs the lookup, whatever the value names is started in the same high-integrity context, and no UAC prompt is shown at any point.

It is worth pointing out that this particular technique applies only to Windows 10; Nelson confirmed it on Windows 10 build 15031, a then-current Insider build. Because Microsoft does not treat UAC as a security boundary, bypasses of this kind are generally not serviced as security vulnerabilities, so the practical defence is configuration. Nelson recommends setting the UAC level to "Always Notify", at which even auto-elevate binaries must prompt before running elevated, or removing the current user from the local Administrators group, since a standard user has no administrator token for sdclt.exe to inherit in the first place.
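The following PowerShell script is an added example, not code from the article or from Nelson's post. It audits a Windows 10 host for the two preconditions the technique needs (a user who is a member of Administrators but running on the filtered, non-elevated token, and a UAC level at which Microsoft-signed binaries auto-elevate) and for the artefact the technique leaves behind (a per-user App Paths entry for control.exe, which a clean system does not have). The function names are the example's own, not Windows or Sysinternals APIs; run it in a normal, non-elevated session as the user you want to assess.

```powershell
# Added example (not from the article or from Matt Nelson's post): audit the
# sdclt.exe / App Paths UAC-bypass preconditions and indicator on Windows 10.
# Function names below are this example's own, not Windows APIs.

# Key that sdclt.exe consults to find control.exe before launching it. It lives
# in the current user's hive, which any medium-integrity process can write to,
# and no legitimate software creates it, so its presence is the indicator.
$AppPathKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'
# Machine-wide UAC policy values (read-only for a standard user).
$UacPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# To confirm the auto-elevate manifest Nelson mentions, use Sysinternals:
#   sigcheck.exe -m C:\Windows\System32\sdclt.exe
# and look for <autoElevate>true</autoElevate> in the dumped manifest.

function Test-SdcltAppPathIndicator {
    if (-not (Test-Path -LiteralPath $AppPathKey)) {
        return [pscustomobject]@{ Present = $false; Target = $null }
    }
    # The (Default) value is the command sdclt.exe would run at high integrity.
    $target = (Get-ItemProperty -LiteralPath $AppPathKey).'(default)'
    [pscustomobject]@{ Present = $true; Target = $target }
}

function Get-UacPosture {
    $p = Get-ItemProperty -LiteralPath $UacPolicy
    # ConsentPromptBehaviorAdmin: 5 = default slider position (Windows binaries
    # auto-elevate silently), 0 = never prompt, 2 = "Always Notify" when paired
    # with PromptOnSecureDesktop = 1. Values 1, 3 and 4 prompt for everything.
    $mode = [int]$p.ConsentPromptBehaviorAdmin
    [pscustomobject]@{
        UacEnabled          = ([int]$p.EnableLUA -eq 1)
        AdminPromptMode     = $mode
        AlwaysNotify        = ($mode -eq 2 -and [int]$p.PromptOnSecureDesktop -eq 1)
        AutoElevatePossible = ($mode -eq 5 -or $mode -eq 0)
    }
}

function Test-SplitTokenAdmin {
    # Exposed state: member of BUILTIN\Administrators (S-1-5-32-544) but the
    # current process holds the filtered, medium-integrity token, so a UAC
    # prompt (or an auto-elevate binary) is what stands between it and admin.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $isMember  = $id.Groups.Value -contains 'S-1-5-32-544'
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        User       = $id.Name
        AdminGroup = $isMember
        Elevated   = $elevated
        SplitToken = ($isMember -and -not $elevated)
    }
}

function Remove-SdcltAppPathIndicator {
    # The key is in the user's own hive, so the user can remove it unelevated.
    if (Test-Path -LiteralPath $AppPathKey) {
        Remove-Item -LiteralPath $AppPathKey -Recurse -Force
        Write-Output "Removed $AppPathKey"
    }
}

$indicator = Test-SdcltAppPathIndicator
$uac       = Get-UacPosture
$token     = Test-SplitTokenAdmin

if ($indicator.Present) {
    Write-Warning "Per-user App Paths entry for control.exe found, pointing at '$($indicator.Target)'"
}
if ($token.SplitToken -and $uac.UacEnabled -and $uac.AutoElevatePossible) {
    Write-Warning "$($token.User) is a split-token administrator at UAC prompt mode $($uac.AdminPromptMode): sdclt.exe will auto-elevate for this account."
    Write-Output  "Mitigation: set UAC to Always Notify (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1; needs an elevated shell) or remove the user from Administrators."
} else {
    Write-Output "Auto-elevation preconditions are not met for $($token.User) (AlwaysNotify=$($uac.AlwaysNotify), SplitToken=$($token.SplitToken))."
}
```

The script only reads registry values and token group SIDs, so it is safe to run on production hosts; `Remove-SdcltAppPathIndicator` is defined but not invoked, and should be called only after the target the indicator points at has been captured for investigation. Note that `Test-SplitTokenAdmin` relies on the Administrators SID still being listed (with the deny-only attribute) in the filtered token's group list, which is how Windows builds that token.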
