Security researcher finds way to bypass Windows UAC

Mar 16, 2017 13:37 GMT  ·  By

User Account Control (UAC) is a Windows feature meant to add a protection layer to Microsoft's operating system: it prompts for administrator approval before launching processes that can modify system files or settings.

Although it was built with that purpose in mind, UAC is only as good as the consent prompt it enforces. A bypass lets malware that is already running in a user's medium-integrity session obtain a full-administrator process without the prompt ever appearing, which leaves the system with no practical protection from that point on.

Security researcher Matt Nelson recently discovered a new way to bypass UAC, and it all comes down to the Backup and Restore tool that has shipped with Windows since Vista. Nelson explains that UAC can be bypassed by planting a registry value that the Backup and Restore utility, whose process is sdclt.exe, reads when it starts.

Nelson explains in his research that whenever Backup and Restore is launched, it hands the user interface off to another process, control.exe, which belongs to the Control Panel. Backup and Restore is integrated into the Control Panel, so sdclt.exe has to locate and launch control.exe itself.

To launch Control Panel, sdclt.exe looks up the path of control.exe in the registry at HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe. That key sits in HKCU, the current user's own hive, rather than in the machine-wide HKLM hive that a standard user cannot write to.

How to block the bypass

Nelson explains that no administrator privileges are needed to modify this key, because HKCU is writable by the user who owns it. Malware running at medium integrity can therefore set the value to point at its own executable and then launch Backup and Restore. Because sdclt.exe is a Microsoft-signed binary that Windows allows to auto-elevate without a prompt at the default UAC level, the child process it spawns from the poisoned path inherits full administrator rights. The one precondition is that the logged-on account belongs to the local Administrators group: UAC only auto-elevates for such accounts, and a true standard user would get a credential prompt instead.

The security researcher goes on to explain that blocking this bypass is not difficult: set the UAC level to "Always Notify", which prompts even for auto-elevating Microsoft binaries, or remove the user from the local Administrators group, so there is no administrator token for sdclt.exe to elevate to.
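The audit below is an added example and is not code from Nelson's research or from this article. It checks a Windows 10 host for the three conditions the bypass depends on, as described in the paragraphs above: the user-writable App Paths\control.exe key under HKCU, a UAC level below "Always Notify", and the current user's direct membership in the local Administrators group. It can also delete the key. The function names, the -Remediate switch and the assumption that the HKCU key is absent on a clean install are mine; Get-LocalGroupMember requires PowerShell 5.1 on Windows 10, and the script should run as the interactive user whose hive is HKCU.

```powershell
# Added example: audit a Windows 10 host for the sdclt.exe / App Paths UAC bypass.
# Not from the original article or from Nelson's post; names and thresholds are assumptions.

$AppPathKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe'
$UacPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-SdcltAppPathOverride {
    # sdclt.exe resolves control.exe through this per-user App Paths key.
    # Assumption: the key is not present under HKCU on a clean install, so any
    # value found here is treated as a planted override.
    if (-not (Test-Path -LiteralPath $AppPathKey)) { return $null }
    $props = Get-ItemProperty -LiteralPath $AppPathKey
    [pscustomobject]@{
        Default = $props.'(default)'   # the launch path sdclt.exe will use
        Path    = $props.Path          # optional App Paths "Path" value, if set
    }
}

function Get-UacLevel {
    $p = Get-ItemProperty -LiteralPath $UacPolicy
    # ConsentPromptBehaviorAdmin: 2 = prompt on every elevation ("Always notify"),
    # 5 = prompt only for non-Windows binaries (the default, which lets sdclt.exe auto-elevate).
    # PromptOnSecureDesktop: 1 = show the prompt on the secure desktop.
    $always = ($p.EnableLUA -eq 1 -and
               $p.ConsentPromptBehaviorAdmin -eq 2 -and
               $p.PromptOnSecureDesktop -eq 1)
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = $always
    }
}

function Test-CurrentUserIsLocalAdmin {
    # Direct membership in BUILTIN\Administrators (SID S-1-5-32-544). Nested group
    # membership is not expanded, so $false means "no direct membership", not "not an admin".
    $me      = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SID.Value -eq $me })
}

function Invoke-SdcltBypassAudit {
    param([switch]$Remediate)   # -Remediate deletes the HKCU override if one is found

    $override = Get-SdcltAppPathOverride
    $uac      = Get-UacLevel
    $isAdmin  = Test-CurrentUserIsLocalAdmin

    if ($override) {
        Write-Warning ("HKCU App Paths override for control.exe present: " +
                       "default='$($override.Default)' path='$($override.Path)'")
        if ($Remediate) {
            Remove-Item -LiteralPath $AppPathKey -Recurse -Force
            Write-Output "Removed $AppPathKey"
        }
    } else {
        Write-Output 'No HKCU App Paths override for control.exe.'
    }

    # The bypass needs an administrator token to elevate to and a UAC level that
    # does not prompt for auto-elevating Microsoft binaries.
    $exposed = $isAdmin -and -not $uac.AlwaysNotify

    [pscustomobject]@{
        OverridePresent = [bool]$override
        LocalAdmin      = $isAdmin
        AlwaysNotify    = $uac.AlwaysNotify
        Exposed         = $exposed
    }
}

# Run the audit; add -Remediate to delete a planted key.
Invoke-SdcltBypassAudit | Format-List
```

Exposed is reported as true when the user holds an administrator token and UAC is below "Always Notify", which are exactly the two conditions the mitigations in the text remove. For ongoing detection rather than a one-off audit, a Sysmon registry event rule (event IDs 12 and 13) that matches a TargetObject containing App Paths\control.exe under HKU will catch the key being created or its default value being set, and a subsequent process creation with sdclt.exe as the parent and an unexpected image instead of control.exe is the elevation itself.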

What's important to know is that this bypass only works on Windows 10. Nelson says he tested it on Windows 10 build 15031, which already includes fixes for most earlier UAC bypasses, so there is a good chance that the existing Creators Update builds are affected as well.

The Creators Update is projected to be released next month, with RTM to be compiled as soon as this week, but Microsoft can always block this bypass with a patch shipped before the public debut.