[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-6343":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":14,"forks30d":14,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":30,"readmeContent":31,"aiSummary":32,"trendingCount":14,"starSnapshotCount":14,"syncStatus":33,"lastSyncTime":34,"discoverSource":35},6343,"UACME","hfiref0x\u002FUACME","hfiref0x","Defeating Windows User Account Control",null,"C",7629,1423,271,0,1,17,74,9,40.46,"BSD 2-Clause \"Simplified\" License",false,"master",[24,25,26,27,28,29],"bypass-uac","c","dll-hijack","uac","uac-bypass","verifier","2026-06-12 02:01:18","[![Build status](https:\u002F\u002Fimg.shields.io\u002Fappveyor\u002Fbuild\u002Fhfiref0x\u002Fuacme?logo=appveyor)](https:\u002F\u002Fci.appveyor.com\u002Fproject\u002Fhfiref0x\u002Fuacme)\n![Visitors](https:\u002F\u002Fapi.visitorbadge.io\u002Fapi\u002Fvisitors?path=https%3A%2F%2Fgithub.com%2Fhfiref0x%2Fuacme&countColor=%23263759&style=flat)\n\n# UACMe\nDefeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor. This project demonstrates various UAC bypass techniques and serves as an educational resource for understanding Windows security mechanisms.\n\n> ⚠️ **Warning**: This tool demonstrates security vulnerabilities that could be exploited maliciously. 
Use responsibly and only in controlled environments.\n\n# System Requirements\n\n* **Operating Systems**: Windows 7\u002F8\u002F8.1\u002F10\u002F11 (x86-32\u002Fx64, client; some methods, however, also work on server versions)\n* **User Account**: Administrator account with UAC set on default settings\n\n## Usage\n\nRun the executable from the command line using the following syntax:\n\n```\nakagi32.exe [Method_Number] [Optional_Command]\n```\nor\n```\nakagi64.exe [Method_Number] [Optional_Command]\n```\n### Parameters:\n* **Method_Number**: Number corresponding to the UAC bypass method (see Methods List below)\n* **Optional_Command**: Full path to an executable file to run with elevated privileges\n  * If omitted, the program will launch an elevated command prompt (%systemroot%\\system32\\cmd.exe)\n\n### Examples:\n```\nakagi32.exe 23\nakagi64.exe 61\nakagi32.exe 23 c:\\windows\\system32\\calc.exe\nakagi64.exe 61 c:\\windows\\system32\\charmap.exe\n```\n\n\n> **Note**: Since version 3.5.0, all previously \"fixed\" methods are considered obsolete and have been removed. If you need them, use [v3.2.x branch](https:\u002F\u002Fgithub.com\u002Fhfiref0x\u002FUACME\u002Ftree\u002Fv3.2.x).\n\n\u003Cdetails>\n  \u003Csummary>Keys (click to expand\u002Fcollapse)\u003C\u002Fsummary>\n\n1. Author: Leo Davidson\n   * Type: Dll Hijack\n   * Method: IFileOperation\n   * Target(s): \\system32\\sysprep\\sysprep.exe\n   * Component(s): cryptbase.dll\n   * Implementation: ucmStandardAutoElevation   \n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 8.1 (9600)\n      * How: sysprep.exe hardened LoadFrom manifest elements\n   * Code status: removed starting from v3.5.0 :tractor:\n2. 
Author: Leo Davidson derivative\n   * Type: Dll Hijack\n   * Method: IFileOperation\n   * Target(s): \\system32\\sysprep\\sysprep.exe\n   * Component(s): ShCore.dll\n   * Implementation: ucmStandardAutoElevation\n   * Works from: Windows 8.1 (9600)\n   * Fixed in: Windows 10 TP (> 9600)\n      * How: Side effect of ShCore.dll moving to \\KnownDlls\n   * Code status: removed starting from v3.5.0 :tractor:\n3. Author: Leo Davidson derivative by WinNT\u002FPitou\n   * Type: Dll Hijack\n   * Method: IFileOperation\n   * Target(s): \\system32\\oobe\\setupsqm.exe\n   * Component(s): WdsCore.dll\n   * Implementation: ucmStandardAutoElevation\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH2 (10558)\n      * How: Side effect of OOBE redesign\n   * Code status: removed starting from v3.5.0 :tractor:\n4. Author: Jon Ericson, WinNT\u002FGootkit, mzH\n   * Type: AppCompat\n   * Method: RedirectEXE Shim\n   * Target(s): \\system32\\cliconfg.exe\n   * Component(s): -\n   * Implementation: ucmShimRedirectEXE\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TP (> 9600)\n      * How: Sdbinst.exe autoelevation removed, KB3045645\u002FKB3048097 for rest Windows versions\n   * Code status: removed starting from v3.5.0 :tractor:\n5. Author: WinNT\u002FSimda\n   * Type: Elevated COM interface\n   * Method: ISecurityEditor\n   * Target(s): HKLM registry keys\n   * Component(s): -\n   * Implementation: ucmSimdaTurnOffUac\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH1 (10147)\n      * How: ISecurityEditor interface method changed\n   * Code status: removed starting from v3.5.0 :tractor:\n6. 
Author: Win32\u002FCarberp\n   * Type: Dll Hijack\n   * Method: WUSA\n   * Target(s): \\ehome\\mcx2prov.exe, \\system32\\migwiz\\migwiz.exe\n   * Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll\n   * Implementation: ucmWusaMethod\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH1 (10147)\n      * How: WUSA \u002Fextract option removed\n   * Code status: removed starting from v3.5.0 :tractor:\n7. Author: Win32\u002FCarberp derivative\n   * Type: Dll Hijack\n   * Method: WUSA\n   * Target(s): \\system32\\cliconfg.exe\n   * Component(s): ntwdblib.dll\n   * Implementation: ucmWusaMethod\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH1 (10147)\n      * How: WUSA \u002Fextract option removed\n   * Code status: removed starting from v3.5.0 :tractor:\n8. Author: Leo Davidson derivative by Win32\u002FTilon\n   * Type: Dll Hijack\n   * Method: IFileOperation\n   * Target(s): \\system32\\sysprep\\sysprep.exe\n   * Component(s): Actionqueue.dll\n   * Implementation: ucmStandardAutoElevation\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 8.1 (9600)\n      * How: sysprep.exe hardened LoadFrom manifest\n   * Code status: removed starting from v3.5.0 :tractor:\n9. Author: Leo Davidson, WinNT\u002FSimda, Win32\u002FCarberp derivative\n   * Type: Dll Hijack\n   * Method: IFileOperation, ISecurityEditor, WUSA\n   * Target(s): IFEO registry keys, \\system32\\cliconfg.exe\n   * Component(s): Attacker defined Application Verifier Dll\n   * Implementation: ucmAvrfMethod\n   * Works from: Windows 7 (7600)\n   * Fixed in: Windows 10 TH1 (10147)\n      * How: WUSA \u002Fextract option removed, ISecurityEditor interface method changed\n   * Code status: removed starting from v3.5.0 :tractor:\n10. Author: WinNT\u002FPitou, Win32\u002FCarberp derivative\n      * Type: Dll Hijack\n      * Method: IFileOperation, WUSA\n      * Target(s): \\system32\\\\{New}or{Existing}\\\\{autoelevated}.exe, e.g. 
winsat.exe\n      * Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll\n      * Implementation: ucmWinSATMethod\n      * Works from: Windows 7 (7600)\n      * Fixed in: Windows 10 TH2 (10548) \n        * How: AppInfo elevated application path control hardening\n      * Code status: removed starting from v3.5.0 :tractor:\n11. Author: Jon Ericson, WinNT\u002FGootkit, mzH\n      * Type: AppCompat\n      * Method: Shim Memory Patch\n      * Target(s): \\system32\\iscsicli.exe\n      * Component(s): Attacker prepared shellcode\n      * Implementation: ucmShimPatch\n      * Works from: Windows 7 (7600)\n      * Fixed in: Windows 8.1 (9600)\n         * How: Sdbinst.exe autoelevation removed, KB3045645\u002FKB3048097 for rest Windows versions\n      * Code status: removed starting from v3.5.0 :tractor:\n12. Author: Leo Davidson derivative\n      * Type: Dll Hijack\n      * Method: IFileOperation\n      * Target(s): \\system32\\sysprep\\sysprep.exe\n      * Component(s): dbgcore.dll\n      * Implementation: ucmStandardAutoElevation\n      * Works from: Windows 10 TH1 (10240)\n      * Fixed in: Windows 10 TH2 (10565)\n        * How: sysprep.exe manifest updated\n      * Code status: removed starting from v3.5.0 :tractor:\n13. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\mmc.exe EventVwr.msc\n     * Component(s): elsext.dll\n     * Implementation: ucmMMCMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14316)\n        * How: Missing dependency removed\n      * Code status: removed starting from v3.5.0 :tractor:\n14. 
Author: Leo Davidson, WinNT\u002FSirefef derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system\\credwiz.exe, \\system32\\wbem\\oobe.exe\n     * Component(s): netutils.dll\n     * Implementation: ucmSirefefMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 TH2 (10548)\n        * How: AppInfo elevated application path control hardening\n      * Code status: removed starting from v3.5.0 :tractor:\n15. Author: Leo Davidson, Win32\u002FAddrop, Metasploit derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\cliconfg.exe\n     * Component(s): ntwdblib.dll\n     * Implementation: ucmGenericAutoelevation\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14316)\n        * How: Cliconfg.exe autoelevation removed\n      * Code status: removed starting from v3.5.0 :tractor:\n16. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\GWX\\GWXUXWorker.exe, \\system32\\inetsrv\\inetmgr.exe\n     * Component(s): SLC.dll\n     * Implementation: ucmGWX\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14316)\n        * How: AppInfo elevated application path control and inetmgr executable hardening\n      * Code status: removed starting from v3.5.0 :tractor:\n17. Author: Leo Davidson derivative\n     * Type: Dll Hijack (Import forwarding)\n     * Method: IFileOperation\n     * Target(s): \\system32\\sysprep\\sysprep.exe\n     * Component(s): unbcl.dll\n     * Implementation: ucmStandardAutoElevation2\n     * Works from: Windows 8.1 (9600)\n     * Fixed in: Windows 10 RS1 (14371)\n        * How: sysprep.exe manifest updated\n      * Code status: removed starting from v3.5.0 :tractor:\n18. 
Author: Leo Davidson derivative\n     * Type: Dll Hijack (Manifest)\n     * Method: IFileOperation\n     * Target(s): \\system32\\taskhost.exe, \\system32\\tzsync.exe (any ms exe without manifest)\n     * Component(s): Attacker defined\n     * Implementation: ucmAutoElevateManifest\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14371)\n        * How: Manifest parsing logic reviewed\n      * Code status: removed starting from v3.5.0 :tractor:\n19. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\inetsrv\\inetmgr.exe\n     * Component(s): MsCoree.dll\n     * Implementation: ucmInetMgrMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14376)\n        * How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images\n      * Code status: removed starting from v3.5.0 :tractor:\n20. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\mmc.exe, Rsop.msc\n     * Component(s): WbemComn.dll\n     * Implementation: ucmMMCMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS3 (16232)\n        * How: Target requires wbemcomn.dll to be signed by MS\n      * Code status: removed starting from v3.5.0 :tractor:\n21. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation, SxS DotLocal\n     * Target(s): \\system32\\sysprep\\sysprep.exe\n     * Component(s): comctl32.dll\n     * Implementation: ucmSXSMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS3 (16232)\n        * How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images\n      * Code status: removed starting from v3.5.0 :tractor:\n22. 
Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation, SxS DotLocal\n     * Target(s): \\system32\\consent.exe\n     * Component(s): comctl32.dll\n     * Implementation: ucmSXSMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.5.0\n23. Author: Leo Davidson derivative\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\pkgmgr.exe\n     * Component(s): DismCore.dll\n     * Implementation: ucmDismMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.5.1\n24. Author: BreakingMalware\n     * Type: Shell API\n     * Method: Environment variables expansion\n     * Target(s): \\system32\\CompMgmtLauncher.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmCometMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS2 (15031)\n        * How: CompMgmtLauncher.exe autoelevation removed\n      * Code status: removed starting from v3.5.0 :tractor:\n25. Author: Enigma0x3\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\EventVwr.exe, \\system32\\CompMgmtLauncher.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmHijackShellCommandMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS2 (15031)\n        * How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed\n      * Code status: removed starting from v3.5.0 :tractor:\n26. 
Author: Enigma0x3\n     * Type: Race Condition\n     * Method: File overwrite\n     * Target(s): %temp%\\GUID\\dismhost.exe\n     * Component(s): LogProvider.dll\n     * Implementation: ucmDiskCleanupRaceCondition\n     * Works from: Windows 10 TH1 (10240)\n     * AlwaysNotify compatible\n     * Fixed in: Windows 10 RS2 (15031)\n        * How: File security permissions altered\n      * Code status: removed starting from v3.5.0 :tractor:\n27. Author: ExpLife\n     * Type: Elevated COM interface\n     * Method: IARPUninstallStringLauncher\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmUninstallLauncherMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS3 (16199)\n        * How: UninstallStringLauncher interface removed from COMAutoApprovalList\n      * Code status: removed starting from v3.5.0 :tractor:\n28. Author: Exploit\u002FSandworm\n     * Type: Whitelisted component\n     * Method: InfDefaultInstall\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmSandwormMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 8.1 (9600)\n        * How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)\n      * Code status: removed starting from v3.5.0 :tractor:\n29. Author: Enigma0x3\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\sdclt.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmAppPathMethod\n     * Works from: Windows 10 TH1 (10240)\n     * Fixed in: Windows 10 RS3 (16215)\n        * How: Shell API update\n      * Code status: removed starting from v3.5.0 :tractor:\n30. 
Author: Leo Davidson derivative, lhc645\n     * Type: Dll Hijack\n     * Method: WOW64 logger\n     * Target(s): \\syswow64\\\\{any elevated exe, e.g wusa.exe}\n     * Component(s): wow64log.dll\n     * Implementation: ucmWow64LoggerMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.0\n31. Author: Enigma0x3\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\sdclt.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmSdcltIsolatedCommandMethod\n     * Works from: Windows 10 TH1 (10240)\n     * Fixed in: Windows 10 RS4 (17025)\n        * How: Shell API \u002F Windows components update\n      * Code status: removed starting from v3.5.0 :tractor:\n32. Author: xi-tauw\n     * Type: Dll Hijack\n     * Method: UIPI bypass with uiAccess application\n     * Target(s): \\Program Files\\Windows Media Player\\osk.exe, \\system32\\EventVwr.exe, \\system32\\mmc.exe\n     * Component(s): duser.dll, osksupport.dll\n     * Implementation: ucmUiAccessMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.1\n33. Author: winscripting.blog\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\fodhelper.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod\n     * Works from: Windows 10 TH1 (10240)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.2\n34. 
Author: James Forshaw\n     * Type: Shell API\n     * Method: Environment variables expansion\n     * Target(s): \\system32\\svchost.exe via \\system32\\schtasks.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmDiskCleanupEnvironmentVariable\n     * Works from: Windows 8.1 (9600)\n     * AlwaysNotify compatible\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.2\n35. Author: CIA & James Forshaw\n     * Type: Impersonation\n     * Method: Token Manipulations\n     * Target(s): Autoelevated applications\n     * Component(s): Attacker defined\n     * Implementation: ucmTokenModification\n     * Works from: Windows 7 (7600)\n     * AlwaysNotify compatible, see note\n     * Fixed in: Windows 10 RS5 (17686)\n        * How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added\n      * Code status: removed starting from v3.5.0 :tractor:\n36. Author: Thomas Vanhoutte aka SandboxEscaper\n     * Type: Race condition\n     * Method: NTFS reparse point & Dll Hijack\n     * Target(s): wusa.exe, pkgmgr.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmJunctionMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.4\n37. Author: Ernesto Fernandez, Thomas Vanhoutte\n     * Type: Dll Hijack\n     * Method: SxS DotLocal, NTFS reparse point\n     * Target(s): \\system32\\dccw.exe\n     * Component(s): GdiPlus.dll\n     * Implementation: ucmSXSDccwMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.5\n38. 
Author: Clement Rouault\n     * Type: Whitelisted component\n     * Method: APPINFO command line spoofing\n     * Target(s): \\system32\\mmc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmHakrilMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.6\n39. Author: Stefan Kanthak\n     * Type: Dll Hijack\n     * Method: .NET Code Profiler\n     * Target(s): \\system32\\mmc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmCorProfilerMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.7\n40. Author: Ruben Boonen\n     * Type: COM Handler Hijack\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\mmc.exe, \\system32\\recdisc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmCOMHandlersMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 19H1 (18362)\n        * How: Side effect of Windows changes\n      * Code status: removed starting from v3.5.0 :tractor:\n41. Author: Oddvar Moe\n     * Type: Elevated COM interface\n     * Method: ICMLuaUtil\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmCMLuaUtilShellExecMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.7.9\n42. Author: BreakingMalware and Enigma0x3\n     * Type: Elevated COM interface\n     * Method: IFwCplLua\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmFwCplLuaMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS4 (17134)\n        * How: Shell API update\n      * Code status: removed starting from v3.5.0 :tractor:\n43. 
Author: Oddvar Moe derivative\n     * Type: Elevated COM interface\n     * Method: IColorDataProxy, ICMLuaUtil\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmDccwCOMMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v2.8.3\n44. Author: bytecode77\n     * Type: Shell API\n     * Method: Environment variables expansion\n     * Target(s): Multiple auto-elevated processes\n     * Component(s): Various per target\n     * Implementation: ucmVolatileEnvMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS3 (16299)\n        * How: Current user system directory variables ignored during process creation\n      * Code status: removed starting from v3.5.0 :tractor:\n45. Author: bytecode77\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\slui.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmSluiHijackMethod\n     * Works from: Windows 8.1 (9600)\n     * Fixed in: Windows 10 20H1 (19041)\n        * How: Side effect of Windows changes\n      * Code status: removed starting from v3.5.0 :tractor:\n46. Author: Anonymous\n     * Type: Race Condition\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\BitlockerWizardElev.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmBitlockerRCMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS4 (>16299)\n        * How: Shell API update\n      * Code status: removed starting from v3.5.0 :tractor:\n47. 
Author: clavoillotte & 3gstudent\n     * Type: COM Handler Hijack\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\mmc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmCOMHandlersMethod2\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 19H1 (18362)\n        * How: Side effect of Windows changes\n      * Code status: removed starting from v3.5.0 :tractor:\n48. Author: deroko\n     * Type: Elevated COM interface\n     * Method: ISPPLUAObject\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmSPPLUAObjectMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS5 (17763)\n        * How: ISPPLUAObject interface method changed \n      * Code status: removed starting from v3.5.0 :tractor:\n49. Author: RinN\n     * Type: Elevated COM interface\n     * Method: ICreateNewLink\n     * Target(s): \\system32\\TpmInit.exe\n     * Component(s): WbemComn.dll\n     * Implementation: ucmCreateNewLinkMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS1 (14393) \n        * How: Side effect of consent.exe COMAutoApprovalList introduction\n      * Code status: removed starting from v3.5.0 :tractor:\n50. Author: Anonymous\n     * Type: Elevated COM interface\n     * Method: IDateTimeStateWrite, ISPPLUAObject\n     * Target(s): w32time service\n     * Component(s): w32time.dll\n     * Implementation: ucmDateTimeStateWriterMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS5 (17763)\n        * How: Side effect of ISPPLUAObject interface change\n      * Code status: removed starting from v3.5.0 :tractor:\n51. 
Author: bytecode77 derivative\n     * Type: Elevated COM interface\n     * Method: IAccessibilityCplAdmin\n     * Target(s): \\system32\\rstrui.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmAcCplAdminMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS4 (17134)\n        * How: Shell API update\n      * Code status: removed starting from v3.5.0 :tractor:\n52. Author: David Wells\n     * Type: Whitelisted component\n     * Method: AipNormalizePath parsing abuse\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmDirectoryMockMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\t\t\n      * Code status: added in v3.0.4\n53. Author: Emeric Nasi\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\sdclt.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod\n     * Works from: Windows 10 (14393)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.1.3\n54. Author: egre55\n     * Type: Dll Hijack\n     * Method: Dll path search abuse\n     * Target(s): \\syswow64\\SystemPropertiesAdvanced.exe and other SystemProperties*.exe\n     * Component(s): \\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll\n     * Implementation: ucmEgre55Method\n     * Works from: Windows 10 (14393)\n     * Fixed in: Windows 10 19H1 (18362)\n        * How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call\n      * Code status: removed starting from v3.5.0 :tractor:\n55. 
Author: James Forshaw\n     * Type: GUI Hack\n     * Method: UIPI bypass with token modification\n     * Target(s): \\system32\\osk.exe, \\system32\\msconfig.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmTokenModUIAccessMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS5 (17763), as part of a 2024 patch\n        * How: When the integrity level of a UIAccess token is lowered, the UIAccess property is removed\n      * Code status: added in v3.1.5\n56. Author: Hashim Jawad\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\WSReset.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod2\n     * Works from: Windows 10 (17134)\n     * Fixed in: Windows 11 (22000)\n        * How: Windows components redesign\n      * Code status: removed starting from v3.5.7 :tractor:\n57. Author: Leo Davidson derivative by Win32\u002FGapz\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\sysprep\\sysprep.exe\n     * Component(s): unattend.dll\n     * Implementation: ucmStandardAutoElevation\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 8.1 (9600)\n        * How: sysprep.exe hardened LoadFrom manifest elements\n      * Code status: removed starting from v3.5.0 :tractor:\n58. Author: RinN\n     * Type: Elevated COM interface\n     * Method: IEditionUpgradeManager\n     * Target(s): \\system32\\clipup.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmEditionUpgradeManagerMethod\n     * Works from: Windows 10 (14393)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.2.0\n59. 
Author: James Forshaw\n     * Type: AppInfo ALPC\n     * Method: RAiLaunchAdminProcess and DebugObject\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmDebugObjectMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.2.3\n60. Author: Enigma0x3 derivative by WinNT\u002FGlupteba\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\CompMgmtLauncher.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmGluptebaMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS2 (15063)\n        * How: CompMgmtLauncher.exe autoelevation removed\n      * Code status: removed starting from v3.5.0 :tractor:\n61. Author: Enigma0x3\u002Fbytecode77 derivative by Nassim Asrir\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\slui.exe, \\system32\\changepk.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod\n     * Works from: Windows 10 (14393)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\t\t\n      * Code status: added in v3.2.5\n62. Author: winscripting.blog\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\computerdefaults.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod\n     * Works from: Windows 10 RS4 (17134)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.2.6\n63. Author: Arush Agarampur\n     * Type: Dll Hijack\n     * Method: ISecurityEditor\n     * Target(s): Native Image Cache elements\n     * Component(s): Attacker defined\n     * Implementation: ucmNICPoisonMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.2.7\n64. 
Author: Arush Agarampur\n     * Type: Elevated COM interface\n     * Method: IIEAxiAdminInstaller, IIEAxiInstaller2, IFileOperation\n     * Target(s): IE add-on install cache\n     * Component(s): Attacker defined\n     * Implementation: ucmIeAddOnInstallMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.1\n65. Author: Arush Agarampur\n     * Type: Elevated COM interface\n     * Method: IWscAdmin\n     * Target(s): Shell Protocol Hijack\n     * Component(s): Attacker defined\n     * Implementation: ucmWscActionProtocolMethod\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 11 24H2 (26100)\n        * How: Side effect of Windows changes\n      * Code status: added in v3.5.2\n66. Author: Arush Agarampur\n     * Type: Elevated COM interface\n     * Method: IFwCplLua, Shell Protocol Hijack\n     * Target(s): Shell protocol registry entry and environment variables\n     * Component(s): Attacker defined\n     * Implementation: ucmFwCplLuaMethod2\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 11 24H2 (26100)\n        * How: Side effect of Windows changes\n      * Code status: added in v3.5.3\n67. Author: Arush Agarampur\n     * Type: Shell API\n     * Method: Shell Protocol Hijack\n     * Target(s): \\system32\\fodhelper.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmMsSettingsProtocolMethod\n     * Works from: Windows 10 TH1 (10240)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.4\n68. Author: Arush Agarampur\n     * Type: Shell API\n     * Method: Shell Protocol Hijack\n     * Target(s): \\system32\\wsreset.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmMsStoreProtocolMethod\n     * Works from: Windows 10 RS5 (17763)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.5\n69. 
Author: Arush Agarampur\n     * Type: Shell API\n     * Method: Environment variables expansion, Dll Hijack\n     * Target(s): \\system32\\taskhostw.exe\n     * Component(s): pcadm.dll\n     * Implementation: ucmPcaMethod\n     * Works from: Windows 7 (7600)\n     * AlwaysNotify compatible\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.6\n70. Author: V3ded\n     * Type: Shell API\n     * Method: Registry key manipulation\n     * Target(s): \\system32\\fodhelper.exe, \\system32\\computerdefaults.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmShellRegModMethod3\n     * Works from: Windows 10 (10240)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.7\n71. Author: Arush Agarampur\n     * Type: Dll Hijack\n     * Method: ISecurityEditor\n     * Target(s): Native Image Cache elements\n     * Component(s): Attacker defined\n     * Implementation: ucmNICPoisonMethod2\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.8\n72. Author: Emeric Nasi\n     * Type: Dll Hijack\n     * Method: Dll path search abuse\n     * Target(s): \\syswow64\\msdt.exe, \\system32\\sdiagnhost.exe\n     * Component(s): BluetoothDiagnosticUtil.dll\n     * Implementation: ucmMsdtMethod\n     * Works from: Windows 10 (10240)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.5.9\n73. Author: orange_8361 and antonioCoco\n     * Type: Shell API\n     * Method: .NET deserialization\n     * Target(s): \\system32\\mmc.exe EventVwr.msc\n     * Component(s): Attacker defined\n     * Implementation: ucmDotNetSerialMethod\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.0\n74. 
Author: zcgonvh\n     * Type: Elevated COM interface\n     * Method: IElevatedFactoryServer\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmVFServerTaskSchedMethod\n     * Works from: Windows 8.1 (9600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.1\n75. Author: zcgonvh derivative by Wh04m1001\n     * Type: Elevated COM interface\n     * Method: IDiagnosticProfile\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmVFServerDiagProfileMethod\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.2\n76. Author: HackerHouse\n     * Type: Dll Hijack\n     * Method: Dll path search abuse, Registry key manipulation\n     * Target(s): \\syswow64\\iscsicpl.exe\n     * Component(s): iscsiexe.dll\n     * Implementation: ucmIscsiCplMethod\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.3\n77. Author: Arush Agarampur\n     * Type: Dll Hijack\n     * Method: IFileOperation\n     * Target(s): \\system32\\mmc.exe\n     * Component(s): atl.dll\n     * Implementation: ucmAtlHijackMethod\n     * Works from: Windows 7 RTM (7600)\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.4\n78. Author: antonioCoco\n     * Type: Impersonation\n     * Method: SSPI Datagram\n     * Target(s): Attacker defined\n     * Component(s): Attacker defined\n     * Implementation: ucmSspiDatagramMethod\n     * Works from: Windows 7 RTM (7600)\n     * AlwaysNotify compatible\n     * Fixed in: Windows 10 (19041), as part of a patch, 2024?\n        * How: Side effect of Windows changes\n      * Code status: added in v3.6.5\n79. 
Author: James Forshaw and Stefan Kanthak\n     * Type: GUI Hack\n     * Method: UIPI bypass with token modification\n     * Target(s): \\system32\\osk.exe, \\system32\\mmc.exe\n     * Component(s): Attacker defined\n     * Implementation: ucmTokenModUIAccessMethod2\n     * Works from: Windows 7 (7600)\n     * Fixed in: Windows 10 RS5 (17763), as part of a patch, 2024\n        * How: When the integrity level of a UIAccess token is lowered, the UIAccess property is removed\n      * Code status: added in v3.6.6\n80. Author: R41N3RZUF477\n     * Type: Shell API\n     * Method: Environment variables expansion, Dll Hijack\n     * Target(s): \\system32\\taskhostw.exe\n     * Component(s): PerformanceTraceHandler.dll\n     * Implementation: ucmRequestTraceMethod\n     * Works from: Windows 11 (26100)\n     * AlwaysNotify compatible\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.7\n81. Author: R41N3RZUF477\n     * Type: Shell API\n     * Method: Environment variables expansion, Dll Hijack, UIPI bypass\n     * Target(s): \\system32\\QuickAssist.exe\n     * Component(s): EmbeddedBrowserWebView.dll\n     * Implementation: ucmQuickAssistMethod\n     * Works from: Windows 10 (19041)\n     * AlwaysNotify compatible\n     * Fixed in: unfixed :see_no_evil:\n        * How: -\n      * Code status: added in v3.6.8\n\n\u003C\u002Fdetails>\n\n**Important Notes:**\n* Methods 30, 63 and later are implemented only in the x64 version\n* Method 30 requires x64 because it exploits a WOW64 subsystem feature\n* Method 55 is included primarily for educational purposes and may not be reliable\n* Method 78 requires that the current user account password is not blank\n\n## Warning\n\n⚠️ **Important Security and Usage Information**:\n\n* This tool demonstrates **only publicly known UAC bypass methods** used by malware. 
It reimplements some techniques in different ways to improve upon original concepts.\n* **Not intended for antivirus testing** and not guaranteed to work in environments with aggressive security software. Use with active antivirus at your own risk.\n* Many antivirus solutions may flag this tool as a \"HackTool\" - this is expected behavior due to its capabilities.\n* **Clean up after usage**: If running on a production system, ensure you remove all program artifacts afterward. See source code for details about files dropped to system folders.\n* Most methods were developed primarily for x64 systems. While many can work on x86-32 with minor adjustments, 32-bit support is not a focus of this project.\n* For an official Microsoft explanation on why UAC bypasses still exist, see: [Microsoft's stance on UAC](https:\u002F\u002Fdevblogs.microsoft.com\u002Foldnewthing\u002F20160816-00\u002F?p=94105)\n\n# Windows 10 support and testing policy\n* UACMe is tested only with LTSB\u002FLTSC variants (1607\u002F1809) and the current RTM-1 versions\n* For example: if the current version is 2004, it will be tested on 2004 (19041) and the previous 1909 (18363)\n* Insider builds are not supported as methods may be fixed in preview releases\n\n# Protection Measures\nThe most effective protection against UAC bypass techniques is using an account without administrative privileges.\n\n# Build instructions\n\nUACMe is written in C and requires Microsoft Visual Studio 2019 or later to build from source.\n\n### Prerequisites\n* **IDE**: Microsoft Visual Studio 2019 or 2022\n* **SDK Requirements**:\n  * Windows 8.1 or Windows 10 SDK (tested with 19041 version)\n  * .NET Framework SDK (tested with 4.8 version)\n\n### Build Steps\n\n1. **Configure Platform ToolSet** (Project->Properties->General):\n   * For Visual Studio 2019: Select v142\n   * For Visual Studio 2022: Select v143\n\n2. 
**Set Target Platform Version** (Project->Properties->General):\n   * For v140: Select 8.1 (Windows 8.1 SDK must be installed)\n   * For v141 and above: Select 10\n\n3. **Build Process**:\n   * Compile payload units\n   * Compile Naka module\n   * Encrypt all payload units using Naka module\n   * Generate secret blobs for these units using Naka module\n   * Move compiled units and secret blobs to the Akagi\\Bin directory\n   * Rebuild Akagi\n\n> **Note**: Compiled binaries are not provided and will never be provided. This serves as a barrier against malicious usage and helps maintain the educational purpose of this project.\n\n## Legal Disclaimer\n\n* This tool is provided for **educational and research purposes only**\n* We do not take any responsibility for this tool being used in malicious activities\n* We have no affiliation with any \"security company\" using this code for commercial activities\n* This GitHub repository (hfiref0x\u002FUACME) is the only genuine source for UACMe code\n\n# Support\n\nIf you find this project interesting, you can buy me a coffee\n\nBTC (Bitcoin): bc1qzkvtpa0053cagf35dqmpvv9k8hyrwl7krwdz84q39mcpy68y6tmqsju0g4\n  \n# References\n\n* Windows 7 UAC whitelist, http:\u002F\u002Fwww.pretentiousname.com\u002Fmisc\u002Fwin7_uac_whitelist2.html\n* Malicious Application Compatibility Shims, https:\u002F\u002Fwww.blackhat.com\u002Fdocs\u002Feu-15\u002Fmaterials\u002Feu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf\n* Junfeng Zhang from WinSxS dev team blog, https:\u002F\u002Fblogs.msdn.microsoft.com\u002Fjunfeng\u002F\n* Beyond good ol' Run key, series of articles, http:\u002F\u002Fwww.hexacorn.com\u002Fblog\n* KernelMode.Info UACMe thread, https:\u002F\u002Fwww.kernelmode.info\u002Fforum\u002Fviewtopicf985.html?f=11&t=3643\n* Command Injection\u002FElevation - Environment Variables Revisited, 
https:\u002F\u002Fbreakingmalware.com\u002Fvulnerabilities\u002Fcommand-injection-and-elevation-environment-variables-revisited\n* \"Fileless\" UAC Bypass Using eventvwr.exe and Registry Hijacking, https:\u002F\u002Fenigma0x3.net\u002F2016\u002F08\u002F15\u002Ffileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking\u002F\n* Bypassing UAC on Windows 10 using Disk Cleanup, https:\u002F\u002Fenigma0x3.net\u002F2016\u002F07\u002F22\u002Fbypassing-uac-on-windows-10-using-disk-cleanup\u002F\n* Using IARPUninstallStringLauncher COM interface to bypass UAC, http:\u002F\u002Fwww.freebuf.com\u002Farticles\u002Fsystem\u002F116611.html\n* Bypassing UAC using App Paths, https:\u002F\u002Fenigma0x3.net\u002F2017\u002F03\u002F14\u002Fbypassing-uac-using-app-paths\u002F\n* \"Fileless\" UAC Bypass using sdclt.exe, https:\u002F\u002Fenigma0x3.net\u002F2017\u002F03\u002F17\u002Ffileless-uac-bypass-using-sdclt-exe\u002F\n* UAC Bypass or story about three escalations, https:\u002F\u002Fhabrahabr.ru\u002Fcompany\u002Fpm\u002Fblog\u002F328008\u002F\n* Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https:\u002F\u002Ftyranidslair.blogspot.ru\u002F2017\u002F05\u002Fexploiting-environment-variables-in.html\n* First entry: Welcome and fileless UAC bypass, https:\u002F\u002Fwinscripting.blog\u002F2017\u002F05\u002F12\u002Ffirst-entry-welcome-and-uac-bypass\u002F\n* Reading Your Way Around UAC in 3 parts:\n   1. https:\u002F\u002Ftyranidslair.blogspot.ru\u002F2017\u002F05\u002Freading-your-way-around-uac-part-1.html\n   2. https:\u002F\u002Ftyranidslair.blogspot.ru\u002F2017\u002F05\u002Freading-your-way-around-uac-part-2.html\n   3. 
https:\u002F\u002Ftyranidslair.blogspot.ru\u002F2017\u002F05\u002Freading-your-way-around-uac-part-3.html \n* Research on CMSTP.exe, https:\u002F\u002Fmsitpros.com\u002F?p=3960\n* UAC bypass via elevated .NET applications, https:\u002F\u002Foffsec.provadys.com\u002FUAC-bypass-dotnet.html\n* UAC Bypass by Mocking Trusted Directories, https:\u002F\u002Fmedium.com\u002Ftenable-techblog\u002Fuac-bypass-by-mocking-trusted-directories-24a96675f6e\n* Yet another sdclt UAC bypass, http:\u002F\u002Fblog.sevagas.com\u002F?Yet-another-sdclt-UAC-bypass\n* UAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https:\u002F\u002Fegre55.github.io\u002Fsystem-properties-uac-bypass\u002F\n* Accessing Access Tokens for UIAccess, https:\u002F\u002Ftyranidslair.blogspot.com\u002F2019\u002F02\u002Faccessing-access-tokens-for-uiaccess.html\n* Fileless UAC Bypass in Windows Store Binary, https:\u002F\u002Fwww.activecyber.us\u002F1\u002Fpost\u002F2019\u002F03\u002Fwindows-uac-bypass.html\n* Calling Local Windows RPC Servers from .NET, https:\u002F\u002Fgoogleprojectzero.blogspot.com\u002F2019\u002F12\u002Fcalling-local-windows-rpc-servers-from.html\n* Microsoft Windows 10 UAC bypass local privilege escalation exploit, https:\u002F\u002Fpacketstormsecurity.com\u002Ffiles\u002F155927\u002FMicrosoft-Windows-10-Local-Privilege-Escalation.html\n* UACMe 3.5, WD and the ways of mitigation, https:\u002F\u002Fswapcontext.blogspot.com\u002F2020\u002F10\u002Fuacme-35-wd-and-ways-of-mitigation.html\n* UAC bypasses from COMAutoApprovalList, https:\u002F\u002Fswapcontext.blogspot.com\u002F2020\u002F11\u002Fuac-bypasses-from-comautoapprovallist.html\n* Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses, https:\u002F\u002Fv3ded.github.io\u002Fredteam\u002Futilizing-programmatic-identifiers-progids-for-uac-bypasses\n* MSDT DLL Hijack UAC bypass, https:\u002F\u002Fblog.sevagas.com\u002F?MSDT-DLL-Hijack-UAC-bypass\n* UAC bypass through .Net Deserialization vulnerability in eventvwr.exe, 
https:\u002F\u002Ftwitter.com\u002Forange_8361\u002Fstatus\u002F1518970259868626944\n* Advanced Windows Task Scheduler Playbook - Part.2 from COM to UAC bypass and get SYSTEM directly, http:\u002F\u002Fwww.zcgonvh.com\u002Fpost\u002FAdvanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html\n* Bypassing UAC with SSPI Datagram Contexts, https:\u002F\u002Fsplintercod3.blogspot.com\u002Fp\u002Fbypassing-uac-with-sspi-datagram.html\n* Mitigate some Exploits for Windows’® UAC, https:\u002F\u002Fskanthak.hier-im-netz.de\u002Fuacamole.html\n\n# Authors\n\n(c) 2014 - 2026 UACMe Project\n","UACMe is a project for bypassing Windows User Account Control (UAC) by abusing the built-in Windows AutoElevate backdoor. The project demonstrates a variety of UAC bypass techniques and serves as an educational resource for understanding Windows security mechanisms. Its core functionality includes elevating privileges through methods such as DLL hijacking, and it applies to Windows 7\u002F8\u002F8.1\u002F10\u002F11 systems. UACMe provides detailed usage instructions and example commands so that users can test and learn in a controlled environment. Note that this tool should be used only for educational and security research purposes and calls for caution in actual use.",2,"2026-06-11 03:06:35","top_language"]