User Account Control (UAC) is one of Windows’ core security features, designed to prevent applications from silently gaining administrative privileges. Most users only see the familiar “Do you want to allow this app to make changes to your device?” prompt, but behind that dialog is a sequence of components working together. Understanding how a simple right-click -> Run as Administrator leads to a secure, isolated elevation flow requires looking at how Windows brokers the request, how it displays the UAC dialog, how it protects sensitive metadata, and how it ultimately launches elevated processes. The following sections break down this flow and introduce ConsentManager, a utility that makes the hidden parts of UAC visible.
How does UAC work?
When you run a program "as Administrator", Windows doesn't actually let the program you clicked, like cmd.exe, launch directly with higher privileges. Instead, Explorer hands the request off to a special service called AppInfo, which manages UAC. When AppInfo decides that a UAC prompt is needed, it launches consent.exe. AppInfo passes a structured data block into consent.exe that contains everything the UI needs to display, such as the program name, the requested executable path, the elevation type, and metadata used to draw the UAC dialog. This data is stored inside the AppInfo process and handed to consent.exe by giving it a pointer to a memory block within AppInfo's address space. Consent.exe reads that block directly to know what to show on screen. If you approve the prompt, AppInfo creates the elevated process. To make everything appear normal, Windows then assigns that new process a parent process ID pointing back to Explorer, even though Explorer didn't create it.
This "re-parenting" helps the elevated app inherit the right environment and preserves the illusion that Explorer launched it. The true creator is AppInfo and the details of the UAC request, including the data block read by consent.exe, aren't visible to normal monitoring tools once the process starts.
What this process looks like
Looking at process create events and process exit events, we'll walk through what a typical elevation of powershell looks like when clicking "Run as Administrator".
svchost launches consent.exe with the pid of svchost, the size of the data block, and the offset to the data block.
consent.exe 9724 604 000001D5BC160390
After UAC is successful, consent.exe exits with a status of 0x0.
powershell is launched elevated with explorer as its parent.
What do we see if it is not successful? We'll do the same thing with cmd.exe, but this time we will close the UAC prompt instead of entering credentials.
svchost launches consent.exe with the pid of svchost, the size of the data block, and the offset to the data block.
consent.exe 9724 424 000001D5BC83E770
The UAC prompt is closed without entering credentials, and consent.exe exits with a status code of 0x4C7.
That's pretty much it. Nothing in these events shows that cmd.exe was the program trying to elevate.
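As an added illustration (my own code, not part of the original post and not part of ConsentMonitor), the following Python correlates constructed process create/exit events shaped like the ones above: it parses the consent.exe command line into the AppInfo PID, block size and block address, maps the exit code to an outcome, and for an approved prompt picks out the process that subsequently appears with explorer.exe as its parent. The event layout, the svchost command line and all PIDs other than 9724 are assumed.

```python
import re

# consent.exe command line as seen in process create events:
# consent.exe <AppInfo svchost PID> <data block size> <data block address>
CONSENT_RE = re.compile(r"^consent\.exe\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]{8,16})$")
OUTCOMES = {0x0: "approved", 0x4C7: "cancelled"}  # 0x4C7 = ERROR_CANCELLED (1223)

# Constructed sample events modelled on the create/exit sequence above (not real telemetry).
EVENTS = [
    {"type": "create", "pid": 9724, "image": "svchost.exe", "parent": "services.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Appinfo"},
    {"type": "create", "pid": 10112, "image": "consent.exe", "parent": "svchost.exe",
     "cmdline": "consent.exe 9724 604 000001D5BC160390"},
    {"type": "exit", "pid": 10112, "image": "consent.exe", "exit": 0x0},
    {"type": "create", "pid": 10340, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe"},
    {"type": "create", "pid": 10560, "image": "consent.exe", "parent": "svchost.exe",
     "cmdline": "consent.exe 9724 424 000001D5BC83E770"},
    {"type": "exit", "pid": 10560, "image": "consent.exe", "exit": 0x4C7},
]

def parse_consent_cmdline(cmdline):
    """Split the consent.exe command line into AppInfo PID, block size and block address.
    Note what is NOT here: the name of the program being elevated lives only in the block."""
    m = CONSENT_RE.match(cmdline.strip())
    if not m:
        return None
    return {"appinfo_pid": int(m.group(1)), "block_size": int(m.group(2)),
            "block_addr": int(m.group(3), 16)}

def correlate_uac_sessions(events):
    """Pair each consent.exe create with its exit and, for approved prompts, the next
    process whose recorded parent is explorer.exe (the re-parented elevated process).
    The explorer.exe-parent match is a heuristic, since re-parenting hides the real creator."""
    sessions = []
    for i, ev in enumerate(events):
        if ev["type"] != "create" or ev["image"].lower() != "consent.exe":
            continue
        session = {"consent_pid": ev["pid"], "args": parse_consent_cmdline(ev["cmdline"]),
                   "outcome": "unknown", "elevated": None}
        for later in events[i + 1:]:
            if later["type"] == "exit" and later["pid"] == ev["pid"]:
                session["exit_code"] = later["exit"]
                session["outcome"] = OUTCOMES.get(later["exit"], "other")
            elif (session["outcome"] == "approved" and later["type"] == "create"
                  and later["parent"].lower() == "explorer.exe"):
                session["elevated"] = later["image"]
                break
            elif later["type"] == "create" and later["image"].lower() == "consent.exe":
                break  # the next UAC session has started
        sessions.append(session)
    return sessions
```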
Enter ConsentMonitor
ConsentMonitor is a utility designed to monitor consent.exe and capture the memory block passed to it during a UAC prompt. ConsentMonitor captures the passed memory block to provide visibility into what process was attempting to elevate, making it easier to analyze UAC activity.
Let's look at the unsuccessful elevation again but this time with ConsentManager running.
svchost launches consent.exe with the pid of svchost, the size of the data block, and the offset to the data block.
consent.exe 9724 424 000001D5BC83E770
ConsentManager captures this data and shows all active sessions on the system.
ConsentManager parses the data block and outputs it both in a hex-viewer style format and in an easier-to-read format. We can see that cmd.exe is the process that is trying to elevate.
The UAC prompt is closed without entering credentials, and consent.exe exits with a status code of 0x4C7.
ConsentMonitor can also be run so that the output goes to the console instead of a custom evtx log. I hope this sheds a little light on UAC and some of its shortcomings when trying to investigate. So check out ConsentMonitor and let me know what you think.