Security flaw in Windows 10 UAC can change your system files and settings

By: Edward Hudson

While User Account Control (UAC) in Windows 10 is designed with security in mind, a new UAC bypass technique discovered by security researcher Matt Nelson renders the security measure useless. The technique relies on modifying a Windows registry App Paths entry and abusing the Backup and Restore utility to load attacker-controlled code into the system.

How it works

The bypass takes advantage of the auto-elevation status that Microsoft assigns to certain trusted binaries, which it creates and digitally signs itself. Such binaries don’t display a UAC prompt when launched unless UAC is set to its highest level. Nelson further explained in his blog:

While searching for more of these auto-elevating binaries by using the SysInternals tool “sigcheck”, I came across “sdclt.exe” and verified that it auto-elevates due to its manifest.

When observing the execution flow of sdclt.exe, it becomes apparent that this binary starts control.exe in order to open up a Control Panel item in high-integrity context.

The sdclt.exe binary is the built-in Backup and Restore utility that Microsoft introduced with Windows 7. Nelson explained that the sdclt.exe file uses the Control Panel binary to load the Backup and Restore settings page when a user opens the utility.

However, before it launches control.exe, sdclt.exe queries the local Windows Registry to look up control.exe’s App Paths entry. The researcher points out that this is a problem because a user with a low privilege level can still modify that registry key. In other words, an attacker can alter the key so that it points to malware instead. Since sdclt.exe is auto-elevated, the substituted binary is launched in a high-integrity context and no UAC prompt appears.

It is worth pointing out that the bypass technique applies only to Windows 10; Nelson tested it on Windows 10 build 15031. To address the flaw, the researcher recommends that users set the UAC level to “Always Notify” or remove the current user from the local Administrators group.
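An added audit script, written for this article and not taken from it or from Nelson’s write-up, that checks a Windows 10 machine for the three conditions the article describes: a per-user App Paths entry for control.exe (assumed to live under HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and to be absent on a clean install), whether UAC is at “Always Notify” (assumed to map to ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1), and whether the current user belongs to the local Administrators group:

```powershell
# Added audit example, not code from the article or from the original research.
# Assumptions: sdclt.exe resolves control.exe via the per-user App Paths key below,
# which does not exist on a default Windows 10 install, so its presence is suspicious;
# "Always Notify" corresponds to ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1.
$AppPathKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'
$UacKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AdminsSid  = 'S-1-5-32-544'   # well-known SID of the local Administrators group

function Test-ControlAppPathHijack {
    # A per-user App Paths entry for control.exe only exists if something created it.
    if (-not (Test-Path -LiteralPath $AppPathKey)) {
        return [pscustomobject]@{ Check = 'App Paths'; Status = 'OK'; Detail = 'No per-user entry for control.exe' }
    }
    $target = (Get-ItemProperty -LiteralPath $AppPathKey).'(default)'
    [pscustomobject]@{ Check = 'App Paths'; Status = 'SUSPICIOUS'; Detail = "HKCU entry redirects control.exe to: $target" }
}

function Test-UacAlwaysNotify {
    $p = Get-ItemProperty -LiteralPath $UacKey
    $always = ($p.ConsentPromptBehaviorAdmin -eq 2) -and ($p.PromptOnSecureDesktop -eq 1)
    $status = if ($always) { 'OK' } else { 'WEAK' }
    $detail = "ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($p.PromptOnSecureDesktop)"
    [pscustomobject]@{ Check = 'UAC level'; Status = $status; Detail = $detail }
}

function Test-CurrentUserIsLocalAdmin {
    # The filtered (non-elevated) token still lists the group, so this reflects real membership.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = [bool]($id.Groups | Where-Object { $_.Value -eq $AdminsSid })
    $status = if ($isAdmin) { 'EXPOSED' } else { 'OK' }
    $detail = "$($id.Name) is" + $(if ($isAdmin) { '' } else { ' not' }) + ' a member of local Administrators'
    [pscustomobject]@{ Check = 'Local Administrators'; Status = $status; Detail = $detail }
}

# Run all three checks; offer to delete the hijack key if one is found (prompts before removal).
$results = @(Test-ControlAppPathHijack; Test-UacAlwaysNotify; Test-CurrentUserIsLocalAdmin)
$results | Format-Table -AutoSize
if ($results[0].Status -eq 'SUSPICIOUS') {
    Remove-Item -LiteralPath $AppPathKey -Recurse -Confirm
}
```

Run it in the context of the user being audited, since the App Paths check reads that user’s own HKCU hive.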
