UAC Elevation in Windows 7 and Server 2008

User Account Control (UAC) Escalation

I found a number of simple VBScript’s that relaunch using the “runas” verb just to launch another application or script with elevated privileges. They just do it by re-invoking themselves with a bogus argument just to trigger the else clause the second time through. I didn’t like the ampersand and underscore style I saw, so I rewrote it to be a little less quirky.

If WScript.Arguments.length =0 Then
  Set objShell = CreateObject("Shell.Application")
  objShell.ShellExecute WScript.FullName, WScript.ScriptFullName, vbNullString, "runas"
Else
  Set objShell = WScript.CreateObject("WScript.Shell")
  objShell.Run("program-that-would-prompt-alot.exe")
End If

If WScript.Arguments.length =0 Then

Set objShell = CreateObject("Shell.Application")

objShell.ShellExecute WScript.FullName, WScript.ScriptFullName, vbNullString, "runas"

Else

Set objShell = WScript.CreateObject("WScript.Shell")

objShell.Run("program-that-would-prompt-alot.exe")

End If

It’s really just the 3rd line where the privilege escalation happens that’s the difference.

Now the only problem is that the user is still prompted at the elevation. The good thing is he/she’s only asked once, then the real application can do multiple things without forcing multiple prompts.

This could also be used maliciously by doing something the user is expecting when it’s first run, then when he reinvokes to get into the else clause, privileges shmivileges. Yeah so, uh don’t do that.

For more info, see my page titled “UAC Elevation in Windows 7 and Server 2008″.

Posted on October 18th, by admica in howto, microsoft, security.

No Comments

administrator escalation runas uac vbscript