Update

After I posted it a number of helpful netizens tried to repro and they found issues, so unless we figure it out treat the below as a subject to unknown conditions that may render it useless a.k.a. non-working trick 🙂

You can follow the twitter convos here. I’ll update the post once I know more.

Old Post

I recently discovered a really funny way to bypass UAC and launch any process with High Mandatory Level.

This is how to reproduce it:

• As a regular user launch cmd.exe.
• Confirm the integrity level:

C:\test>WHOAMI /Groups | FIND "S-1-16"
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

• Launch: sdclt /configure

• The sdclt.exe program is auto-elevated
• Walk through the wizard and back up some files; in my case I created a dummy folder c:\test with a small number of files and backed it up
• Let it finish

• Now that we have a backup, let’s go to the list of Backups so we can restore some files

• Choose the backup, then search for c:\test and tick it so you can restore it (it’s all about a small set so we can do it quickly, but you can choose any backup & restore really)

• Restore files; you should be presented with a panel; it is important that at least _some_ files are restored so we can see the logs

• Click View Log file
• This will launch Notepad.exe with elevated privileges
• In Notepad, go to menu File -> Open -> c:\windows\system32
• Type cmd*.* so we can see cmd.exe on the list
• Right click on cmd.exe, hit Open
• cmd.exe will open –
• it has S-1-16-12288/High Mandatory Level/A high integrity level.
  C:\Windows\System32>WHOAMI /Groups | FIND "S-1-16"
  Mandatory Label\High Mandatory Level Label S-1-16-12288
• Launch any program you want – it will be on a High Mandatory integrity level