Elevation
When a user who is also an administrator is authenticated, two tokens are created:
Elevated Token: token with all the administrative privileges.
Filtered Token: token with the administrative privileges stripped. This token is used by default to create all processes.
Ways to elevate privilege (i.e. use the elevated token):
Right Click -> Run as Administrator
Calling the ShellExecuteEx API using the runas verb.
Adding a manifest to the application asking for administrative privilege.
Elevation Process
The user opens explorer, which is running with the standard user (filtered) token.
When the user double-clicks an application that requests administrator rights, or selects "Run as Administrator", the ShellExecute API is called to execute app.exe.
ShellExecute calls a helper service, the AppInfo service. The AppInfo service brings up consent.exe, which is the UAC prompt.
If the user is an administrator, the consent prompt asks a simple Yes or No. If the user is not an administrator, the prompt asks for the username and password of an administrator.
If everything succeeds, consent.exe returns the elevated token to the AppInfo service.
Windows reparents app.exe so that it looks as if the process was spawned by explorer.exe.
AutoElevate
Requirements:
The executable must be signed by the Windows publisher.
The executable should be in a trusted directory, such as System32 or Program Files.
autoElevate should be set to true in the application's manifest file. This can be verified with sigcheck (sigcheck -m dumps the manifest).
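Added example (not from the original notes): a small Python helper that reads the two UAC-relevant manifest settings discussed above, requestedExecutionLevel and autoElevate, and applies the three AutoElevate requirements. The manifest text, the trusted-directory list and the signature-check input are constructed assumptions for illustration; a real check would feed it the manifest dumped by sigcheck and the signer result.

```python
# Added example: parse an application manifest for UAC elevation settings and
# apply the AutoElevate requirements (signed by Windows publisher, trusted
# directory, autoElevate=true). The manifest below is constructed for
# illustration; it mirrors the shape "sigcheck -m app.exe" prints.
import xml.etree.ElementTree as ET

SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <asmv3:windowsSettings>
      <autoElevate xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>
"""

# Assumed trusted directories (the notes name System32 and Program Files);
# compared case-insensitively with backslash-normalised paths.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_manifest(xml_text):
    """Return (requestedExecutionLevel, autoElevate) from a manifest.

    A missing requestedExecutionLevel means the default "asInvoker" (no
    elevation asked for); a missing autoElevate element means False.
    """
    root = ET.fromstring(xml_text)
    level, auto = "asInvoker", False
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag == "requestedExecutionLevel":
            level = el.get("level", level)
        elif tag == "autoElevate":
            auto = (el.text or "").strip().lower() == "true"
    return level, auto


def auto_elevate_applies(manifest_xml, exe_path, signed_by_windows_publisher):
    """True only if all three AutoElevate requirements are met.

    signed_by_windows_publisher is the result of an external signature
    check (e.g. sigcheck), passed in as a boolean.
    """
    _, auto = parse_manifest(manifest_xml)
    path = exe_path.lower().replace("/", "\\")
    return auto and path.startswith(TRUSTED_DIRS) and signed_by_windows_publisher
```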